Skip to main content Skip to navigation

IT Services

Web Sign On

Web Sign On Deprecation notice: GET requests passing tokens or credentials

5 posts 3 followers RSS feed

You need to be logged in to post in this topic.
  1. Nick Howes Staff Information & Digital
    #1 15:28, Fri 26 May 2017 (edited 11:20, Mon 5 Jun 2017)

    If you have hand-written code to make GET requests to /sentry with requestType of 1 (token) or 2 (auth), you will need to change this to make a POST request instead as we will be disallowing GET requests in future. The "token" parameter must be moved out of the URL query and into the POST body. Other requestTypes such as 4 and 5 (user lookup) are fine to request as a GET.

    We'll try to contact most of the people who we know are making such requests, but we can't reliably detect every application so you may wish to review your code now to avoid any loss of service for users.

     
  2. Andrew Taylor
    #2 16:53, Tue 30 May 2017

    Hi Nick,

    We use GET requests on a number of applications. I'll do some testing on Thursday and have everything updated by the end of the week. Does that work within your timescales?

    Andrew

     
  3. Andrew Smith Staff Information & Digital
    #3 17:34, Tue 30 May 2017

    Hi Nick (& Andrew)

     

    Although I have nothing critical at present using Warwick SSO (other than perhaps the Annual Leave system from Andrew Taylor which I assume he has/is checking).

    I do have a system that used SSO and I may in the near future wand to use elements of again. This uses the oAuth functions I was given by ITS (or at least were wtote in PHP based on Java originals. These do appear to use a filter_input(INPUT_GET, 'oauth_verifier', FILTER_SANITIZE_SPECIAL_CHARS); function even though most of the later code does resort to POSTing parameters. 

    If it is this element of the Code that would not cease to function, may I ask what we might use in its stead?

    The existing code does still appear to work. If it fails later, I might simply resort to using JSONP from within SiteBuilder, rather than using Warwick SSO to validate access to a website hosted externally. 

    Kind regards

    Andrew P Smith

    Applied Linguistics

     

     
  4. Nick Howes Staff Information & Digital
    #4 08:43, Thu 1 Jun 2017

    Andrew P Smith,

    We aren't changing any parts of OAuth so unless you are making a GET request to /sentry or /origin/sentry then you may not need to make any changes. We will keep reviewing the requests that Web sign-on is receiving and will let you know if a machine that you manage appears to be doing so.

     

    Andrew Taylor,

    That timescale is fine, many thanks.

     
  5. Andrew Taylor
    #5 15:18, Thu 1 Jun 2017

    Nick and Andrew,

    All Economics systems have been updated. If any shared systems are in use by other departments these will also have been updated.

    Andrew

     

Are you sure?

Are you sure?

Yes

Forum followers

Follower data is not currently available.

Search results