
Web Sign On Deprecation notice: GET requests passing tokens or credentials

  1. If you have hand-written code to make GET requests to /sentry with requestType of 1 (token) or 2 (auth), you will need to change this to make a POST request instead as we will be disallowing GET requests in future. The "token" parameter must be moved out of the URL query and into the POST body. Other requestTypes such as 4 and 5 (user lookup) are fine to request as a GET.

    We'll try to contact most of the people who we know are making such requests, but we can't reliably detect every application so you may wish to review your code now to avoid any loss of service for users.

  2. Hi Nick,

    We use GET requests on a number of applications. I'll do some testing on Thursday and have everything updated by the end of the week. Does that work within your timescales?

    Andrew

  3. Hi Nick (& Andrew)


    Although I have nothing critical at present using Warwick SSO (other than perhaps the Annual Leave system from Andrew Taylor which I assume he has/is checking).

    I do have a system that used SSO and I may in the near future want to use elements of again. This uses the OAuth functions I was given by ITS (or at least were written in PHP based on Java originals). These do appear to use a filter_input(INPUT_GET, 'oauth_verifier', FILTER_SANITIZE_SPECIAL_CHARS); function even though most of the later code does resort to POSTing parameters.

    If it is this element of the Code that would not cease to function, may I ask what we might use in its stead?

    The existing code does still appear to work. If it fails later, I might simply resort to using JSONP from within SiteBuilder, rather than using Warwick SSO to validate access to a website hosted externally. 

    Kind regards

    Andrew P Smith

    Applied Linguistics

  4. Andrew P Smith,

    We aren't changing any parts of OAuth so unless you are making a GET request to /sentry or /origin/sentry then you may not need to make any changes. We will keep reviewing the requests that Web sign-on is receiving and will let you know if a machine that you manage appears to be doing so.


    Andrew Taylor,

    That timescale is fine, many thanks.

  5. Nick and Andrew,

    All Economics systems have been updated. If any shared systems are in use by other departments these will also have been updated.

    Andrew
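Two helpers illustrating the change Nick describes in post 1 and the request review he mentions in post 4, as an added example that is not code from the thread or from Web Sign On itself: requestType 1 and 2 calls are built as POSTs with "token" in the form body (lookup types 4 and 5 may remain GET), and legacy GET callers are picked out of access-log lines so an application owner can check their own systems. The host name, the common-log-format lines and the sample client IPs are assumptions constructed for the example.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

SENTRY_HOST = "https://websignon.example.ac.uk"  # assumed placeholder host
CREDENTIAL_TYPES = {1, 2}  # token / auth: carry credentials, must be POSTed
LOOKUP_TYPES = {4, 5}      # user lookup: GET still acceptable

def build_sentry_request(request_type: int, **params) -> dict:
    """Return method/url/headers/body for a post-deprecation /sentry call."""
    fields = {"requestType": request_type, **params}
    if request_type in CREDENTIAL_TYPES:
        # Nothing sensitive in the URL: "token" travels in the form body.
        return {"method": "POST", "url": f"{SENTRY_HOST}/sentry",
                "headers": {"Content-Type": "application/x-www-form-urlencoded"},
                "body": urlencode(fields)}
    if request_type in LOOKUP_TYPES:
        return {"method": "GET", "url": f"{SENTRY_HOST}/sentry?{urlencode(fields)}",
                "headers": {}, "body": ""}
    raise ValueError(f"unknown requestType {request_type}")

def find_legacy_sentry_calls(log_lines):
    """Return (client_ip, requestType) for GETs to /sentry carrying type 1 or 2.
    Assumes common-log-format lines: ip - - [date] "METHOD path HTTP/x" status size."""
    hits = []
    for line in log_lines:
        try:
            ip, rest = line.split(" ", 1)
            method, path = rest.split('"', 1)[1].split(" ")[:2]
        except (IndexError, ValueError):
            continue  # not a request line in the expected shape; skip it
        parts = urlsplit(path)
        if method != "GET" or parts.path not in ("/sentry", "/origin/sentry"):
            continue
        rtype = parse_qs(parts.query).get("requestType", [""])[0]
        if rtype in ("1", "2"):
            hits.append((ip, int(rtype)))
    return hits

# Constructed sample access-log lines; token values replaced with REDACTED.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /sentry?requestType=1&token=REDACTED HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Jan/2024:10:00:01 +0000] "POST /sentry HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /sentry?requestType=4&user=u1 HTTP/1.1" 200 128',
    '10.0.0.8 - - [01/Jan/2024:10:00:03 +0000] "GET /origin/sentry?requestType=2&token=REDACTED HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    print(build_sentry_request(1, token="REDACTED"))
    for ip, rtype in find_legacy_sentry_calls(SAMPLE_LOG):
        print(f"legacy GET from {ip}: requestType={rtype}")
```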
