diff --git a/Development/cpprest/access_token_error.h b/Development/cpprest/access_token_error.h
index 6ed7ceed0..0fa94f2a3 100644
--- a/Development/cpprest/access_token_error.h
+++ b/Development/cpprest/access_token_error.h
@@ -20,7 +20,7 @@ namespace web
 // "application/x-www-form-urlencoded" format"
 // see https://tools.ietf.org/html/rfc6749#section-4.1.2.1
- // for diret error
+ // for direct error:
 // If the access token request is invalid or unauthorized
 // "The authorization server responds with an HTTP 400 (Bad Request)
 // status code(unless specified otherwise) and includes the following
diff --git a/Development/nmos/api_utils.cpp b/Development/nmos/api_utils.cpp
index 50351beb8..36602b626 100644
--- a/Development/nmos/api_utils.cpp
+++ b/Development/nmos/api_utils.cpp
@@ -822,12 +822,12 @@ namespace nmos
 utility::string_t error_description{};
 // If the request lacks any authentication information (e.g., the client
 // was unaware that authentication is necessary or attempted using an
- // unsupported authentication method), the resource server SHOULD NOT
- // include an error code or other error information.
+ // unsupported authentication method), the resource server SHOULD NOT
+ // include an error code or other error information.
 //
- // For example :
+ // For example :
 //
- // HTTP / 1.1 401 Unauthorized
+ // HTTP / 1.1 401 Unauthorized
 // WWW - Authenticate : Bearer realm = "example"
 // see https://tools.ietf.org/html/rfc6750#section-3.1
 if (error.value != nmos::experimental::authorization_error::without_authentication)
diff --git a/Development/nmos/authorization.cpp b/Development/nmos/authorization.cpp
index 46bd68c99..0a3510d03 100644
--- a/Development/nmos/authorization.cpp
+++ b/Development/nmos/authorization.cpp
@@ -43,7 +43,7 @@ namespace nmos
 slog::log(gate, SLOG_FLF) << "Test token expiry error: " << e.what();
 }
- // reaching here, token validation has failed, treat it as expired
+ // reaching here indicates token validation has failed so treat it as expired
 return true;
 }
diff --git a/Development/nmos/authorization_behaviour.cpp b/Development/nmos/authorization_behaviour.cpp
index 1d59c4b53..f5bdeead3 100644
--- a/Development/nmos/authorization_behaviour.cpp
+++ b/Development/nmos/authorization_behaviour.cpp
@@ -80,7 +80,7 @@ namespace nmos
 std::default_random_engine discovery_backoff_engine(discovery_backoff_seeder);
 double discovery_backoff = 0;
- // load authorization clients metadata to cache
+ // load authorization client's metadata to cache
 if (load_authorization_clients)
 {
 const auto auth_clients = load_authorization_clients();
@@ -138,10 +138,10 @@ namespace nmos
 // reterive client metadata from cache
 const auto client_metadata = nmos::experimental::get_client_metadata(authorization_state);
- // is it not a scopeless client (where scopeless client doesn't access any protected APIs, i.e. doesn't require to register to Authorization server)
+ // does the client have a scope? A client without a scope is one that doesn't access any protected APIs (i.e. client isn't required to register with Authorization server).
 if (with_read_lock(model.mutex, [&] { return details::scopes(client_metadata, nmos::experimental::authorization_scopes::from_settings(model.settings)).size(); }))
 {
- // is the client already registered to Authorization server, i.e. found it in cache
+ // is the client already registered to Authorization server? (i.e. found it in cache).
 if (!client_metadata.is_null())
 {
 // no token or token expired
@@ -180,8 +180,8 @@ namespace nmos
 {
 // if OpenID Connect Authorization server is used, client status can be obtained via the Client Configuration Endpoint
 // "The Client Configuration Endpoint is an OAuth 2.0 Protected Resource that MAY be provisioned by the server for a
- // specific Client to be able to view and update its registered information."
- // see 3.2 of https://openid.net/specs/openid-connect-registration-1_0.html#ClientConfigurationEndpoint
+ // specific Client to be able to view and update its registered information."
+ // see https://openid.net/specs/openid-connect-registration-1_0.html#ClientConfigurationEndpoint
 // registration_access_token
 // OPTIONAL. Registration Access Token that can be used at the Client Configuration Endpoint to perform subsequent operations upon the
 // Client registration.
@@ -208,7 +208,7 @@ namespace nmos
 }
 else
 {
- // no registration_access_token and registration_client_uri found, treat it has connected with a non-OpenID Connect server
+ // no registration_access_token and registration_client_uri found, treat it as if connected with a non-OpenID Connect server
 // start grant flow based on what been defined in the settings
 // hmm, maybe use of the OpenID API to extend the client lifespan instead of re-registration
 mode = is_client_expired() ? client_registration // client registration
@@ -227,13 +227,13 @@ namespace nmos
 }
 else
 {
- // client has not been registered to the Authorization server yet
+ // client has not been registered with the Authorization server yet
 mode = client_registration;
 }
 }
 else
 {
- // scope-less client, not require to obtain access token
+ // client does not have a scope therefore not require to obtain access token
 mode = authorization_operation;
 }
 }
@@ -278,10 +278,12 @@ namespace nmos
 case authorization_operation:
 // fetch public keys
- // fetch access token in 1/2 token life time interval
+ // fetch access token within 1/2 token life time interval.
+ // authorization_operation will block until an error occurs, or shutdown
+ // on shutdown, enclosing for loop will exit
 details::authorization_operation(model, authorization_state, load_ca_certificates, load_rsa_private_keys, false, gate);
- // reaching here, there must be failure within the authorization operation,
+ // reaching here indicates there has been a failure within the authorization operation,
 // start the authorization sequence again on next available Authorization server
 authorization_service_error = true;
 mode = request_authorization_server_metadata;
@@ -290,9 +292,12 @@ namespace nmos
 case authorization_operation_with_immediate_token_fetch:
 // fetch public keys
 // immediately fetch access token
+ // authorization_operation will block until an error occurs, or shutdown
+ // on shutdown, enclosing for loop will exit
+
 details::authorization_operation(model, authorization_state, load_ca_certificates, load_rsa_private_keys, true, gate);
- // reaching here, there must be failure within the authorization operation,
+ // reaching here indicates there has been a failure within the authorization operation,
 // start the authorization sequence again on next available Authorization server
 authorization_service_error = true;
 mode = request_authorization_server_metadata;
diff --git a/Development/nmos/authorization_handlers.cpp b/Development/nmos/authorization_handlers.cpp
index 0674dfefc..6b155b4b8 100644
--- a/Development/nmos/authorization_handlers.cpp
+++ b/Development/nmos/authorization_handlers.cpp
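Review bot: The added empty `+` line in the hunk at @290 separates the new `// on shutdown, enclosing for loop will exit` comment from the `details::authorization_operation(...)` call it describes, while the parallel hunk at @278 adds the same two comment lines directly above the call; dropping the blank keeps the two cases identical. The comment itself reads more clearly as one sentence with a separator, `// authorization_operation will block until an error occurs or shutdown; on shutdown the enclosing for loop will exit`, in both hunks. The switch and the for loop these cases belong to start and end outside the hunks, so the claim about the loop exiting is taken from the comment rather than visible code.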
@@ -182,10 +182,10 @@ namespace nmos
 }
 // construct callback to start the authorization code flow request on a browser
- // it is required for those OAuth client which is using the Authorization Code Flow to obtain the access token
+ // this is required for OAuth clients which use Authorization Code Flow to obtain the access token
 // note: as it is not easy to specify the 'content-type' used in the browser programmatically, this can be easily
 // fixed by installing a browser header modifier
- // such extension e.g. ModHeader can be used to add the missing 'content-type' header accordingly
+ // extensions such as ModHeader can be used to add the missing 'content-type' header:
 // for Windows https://chrome.google.com/webstore/detail/modheader-modify-http-hea/idgpnmonknjnojddfkpgkljpfnnfcklj
 // for Linux https://addons.mozilla.org/en-GB/firefox/addon/modheader-firefox/
 request_authorization_code_handler make_request_authorization_code_handler(slog::base_gate& gate)
@@ -227,7 +227,7 @@ namespace nmos
 try
 {
- // if jwt_validator has not already set up, treat it as no public keys to validate token
+ // if jwt_validator is not already set up, assume no public keys to validate token
 if (issuer->second.jwt_validator.is_initialized())
 {
 // do access token basic validation, including token schema validation and token issuer public keys validation
diff --git a/Development/nmos/authorization_handlers.h b/Development/nmos/authorization_handlers.h
index 31151e79f..b21a27dd7 100644
--- a/Development/nmos/authorization_handlers.h
+++ b/Development/nmos/authorization_handlers.h
@@ -36,7 +36,7 @@ namespace nmos
 {
 succeeded,
 without_authentication, // failure: access protected resource request without authentication
- insufficient_scope, // failure: access protected resource request higher privileges
+ insufficient_scope, // failure: access protected resource request requires higher privileges
 no_matching_keys, // failure: no matching keys for the token validation
 failed // failure: access protected resource request with authentication but failed
 };
diff --git a/Development/nmos/authorization_operation.cpp b/Development/nmos/authorization_operation.cpp
index 4b9cf3238..aab25170c 100644
--- a/Development/nmos/authorization_operation.cpp
+++ b/Development/nmos/authorization_operation.cpp
@@ -78,7 +78,7 @@ namespace nmos
 return{};
 }
- // use the authorization URI on a web browser to start the authorization code grant workflow
+ // use the authorization URI on a web browser to start the authorization code flow
 web::uri make_authorization_code_uri(const web::uri& authorization_endpoint, const utility::string_t& client_id, const web::uri& redirect_uri, const web::http::oauth2::experimental::response_type& response_type, const std::set& scopes, const web::json::array& code_challenge_methods_supported, utility::string_t& state, utility::string_t& code_verifier)
 {
 using web::http::oauth2::details::oauth2_strings;
@@ -100,8 +100,8 @@ namespace nmos
 // code_verifier = high-entropy cryptographic random STRING using the
 // unreserved characters[A - Z] / [a - z] / [0 - 9] / "-" / "." / "_" / "~"
- // from Section 2.3 of[RFC3986], with a minimum length of 43 characters
- // and a maximum length of 128 characters
+ // from Section 2.3 of[RFC3986], with a minimum length of 43 characters
+ // and a maximum length of 128 characters
 // see https://tools.ietf.org/html/rfc7636#section-4.1
 {
 utility::nonce_generator generator(128);
@@ -136,7 +136,7 @@ namespace nmos
 return ub.to_uri();
 }
- // it is used to strip the trailing dot of the FQDN if it is presented
+ // used to strip the trailing dot of the FQDN if it is presented
 utility::string_t strip_trailing_dot(const utility::string_t& host_)
 {
 auto host = host_;
@@ -219,7 +219,7 @@ namespace nmos
 }
 else
 {
- // Some services don't return 'token_type' while it's required by OAuth 2.0 spec:
+ // Some services don't return 'token_type' even though it's required by the OAuth 2.0 spec:
 // http://tools.ietf.org/html/rfc6749#section-5.1
 // As workaround we act as if 'token_type=bearer' was received.
 result.set_token_type(oauth2_strings::bearer);
@@ -301,9 +301,9 @@ namespace nmos
 // validate server metadata
 authapi_validator().validate(metadata, experimental::make_authapi_auth_metadata_schema_uri(version)); // may throw json_exception
- // hmm, verify Authorization server meeting the minimum client requirement
+ // hmm, verify Authorization server meets the minimum client requirement.
- // is the required response_types supported by the Authorization server
+ // are the required response_types supported by the Authorization server?
 std::set response_types = { response_types::code };
 if (grants.end() != std::find_if(grants.begin(), grants.end(), [](const web::http::oauth2::experimental::grant_type& grant) { return grant_types::implicit == grant; }))
 {
@@ -327,7 +327,7 @@ namespace nmos
 // scopes_supported is optional
 if (scopes.size() && metadata.has_array_field(nmos::experimental::fields::scopes_supported))
 {
- // is the required scopes supported by the Authorization server
+ // are the required scopes supported by the Authorization server?
 const auto supported = std::all_of(scopes.begin(), scopes.end(), [&](const nmos::experimental::scope& scope)
 {
 const auto& scopes_supported = nmos::experimental::fields::scopes_supported(metadata);
@@ -336,7 +336,7 @@ namespace nmos
 });
 if (!supported)
 {
- slog::log(gate, SLOG_FLF) << "Request authorization server metadata error: server does not supporting all the required scopes: " << [&scopes]() { std::stringstream ss; for (auto scope : scopes) ss << utility::us2s(scope.name) << " "; return ss.str(); }();
+ slog::log(gate, SLOG_FLF) << "Request authorization server metadata error: server does not support all the required scopes: " << [&scopes]() { std::stringstream ss; for (auto scope : scopes) ss << utility::us2s(scope.name) << " "; return ss.str(); }();
 throw authorization_exception();
 }
 }
@@ -344,7 +344,7 @@ namespace nmos
 // grant_types_supported is optional
 if (grants.size() && metadata.has_array_field(nmos::experimental::fields::grant_types_supported))
 {
- // is the required grants supported by the Authorization server
+ // are the required grants supported by the Authorization server?
 const auto supported = std::all_of(grants.begin(), grants.end(), [&](const web::http::oauth2::experimental::grant_type& grant)
 {
 const auto& grants_supported = nmos::experimental::fields::grant_types_supported(metadata);
@@ -353,7 +353,7 @@ namespace nmos
 });
 if (!supported)
 {
- slog::log(gate, SLOG_FLF) << "Request authorization server metadata error: server does not supporting all the required grants: " << [&grants]() { std::stringstream ss; for (auto grant : grants) ss << utility::us2s(grant.name) << " "; return ss.str(); }();
+ slog::log(gate, SLOG_FLF) << "Request authorization server metadata error: server does not support all the required grants: " << [&grants]() { std::stringstream ss; for (auto grant : grants) ss << utility::us2s(grant.name) << " "; return ss.str(); }();
 throw authorization_exception();
 }
 }
@@ -361,7 +361,7 @@ namespace nmos
 // token_endpoint_auth_methods_supported is optional
 if (metadata.has_array_field(nmos::experimental::fields::token_endpoint_auth_methods_supported))
 {
- // is the required token_endpoint_auth_method supported by the Authorization server
+ // is the required token_endpoint_auth_method supported by the Authorization server?
 const auto& supported = nmos::experimental::fields::token_endpoint_auth_methods_supported(metadata);
 const auto found = std::find_if(supported.begin(), supported.end(), [&token_endpoint_auth_method](const web::json::value& token_endpoint_auth_method_) { return token_endpoint_auth_method_.as_string() == token_endpoint_auth_method.name; });
 if (supported.end() == found)
@@ -1011,8 +1011,8 @@ namespace nmos
 slog::log(gate, SLOG_FLF) << "Authorization API Bearer token request unexpected unknown exception";
 }
- // reaching here, there must be something has gone wrong with the Authorization Server
- // let select the next avaliable Authorization server
+ // reaching here indicates something has gone wrong with the Authorization Server
+ // so let's select the next available Authorization server
 authorization_service_error = true;
 model.notify();
@@ -1155,7 +1155,7 @@ namespace nmos
 });
 }
- // fetch authorization server metadata, such as endpoints use for client registration, token fetch and public keys fetch
+ // fetch authorization server metadata, such as endpoints used for client registration, token fetches and public keys fetches
 bool request_authorization_server_metadata(nmos::base_model& model, nmos::experimental::authorization_state& authorization_state, bool& authorization_service_error, nmos::load_ca_certificates_handler load_ca_certificates, slog::base_gate& gate)
 {
 slog::log(gate, SLOG_FLF) << "Attempting authorization server metadata fetch";
@@ -1338,27 +1338,27 @@ namespace nmos
 throw authorization_exception();
 }
- // scope is optional, it may not be returned by the Authorization server, just insert it,
- // as it is required for the authorization support
+ // scope is optional. If one has not be returned by the Authorization server,
+ // insert one as it is required by authorization functionality.
 if (!client_metadata.has_field(nmos::experimental::fields::scope))
 {
 client_metadata[nmos::experimental::fields::scope] = web::json::value::string(make_scope(nmos::experimental::authorization_scopes::from_settings(model.settings)));
 }
- // grant_types is optional, it may not be returned by the Authorization server, just insert it,
- // as it is required for the authorization support
+ // grant_types is optional. If it has not been returned by the Authorization server
+ // insert it as it is required by authorization functionality.
 if (!client_metadata.has_field(nmos::experimental::fields::grant_types))
 {
 client_metadata[nmos::experimental::fields::grant_types] = make_grant_types(grant_types_from_settings(model.settings));
 }
- // token_endpoint_auth_method is optional, it may not be returning by the Authorization server, just insert it,
- // as it is required for the authorization support
+ // token_endpoint_auth_method is optional. If it has not been returned by the Authorization server
+ // insert it as it is required by the authorization functionality.
 if (!client_metadata.has_field(nmos::experimental::fields::token_endpoint_auth_method))
 {
 client_metadata[nmos::experimental::fields::token_endpoint_auth_method] = web::json::value::string(token_endpoint_auth_method_from_settings(model.settings).name);
 }
 // store client metadata to settings
- // hmm, may store the only required fields
+ // hmm, may store only the required fields
 nmos::experimental::update_client_metadata(authorization_state, client_metadata);
 // do callback to safely store the client metadata
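Review bot: The new comment `// scope is optional. If one has not be returned by the Authorization server,` has a grammar slip, `has not be` for `has not been`, which the grant_types and token_endpoint_auth_method comments directly below get right; the same line is repeated in the hunk at @1503. The three fill-in-defaults blocks are kept word-for-word identical across the two functions, so a small helper that applies the settings-derived defaults to `client_metadata` would stop comments and code having to be edited in lockstep, though that goes beyond this wording change. The enclosing functions of both hunks start and end outside the hunks.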
@@ -1427,7 +1427,7 @@ namespace nmos
 return !authorization_service_error && registered;
 }
- // register client to the Authorization server
+ // register client with the Authorization server
 bool client_registration(nmos::base_model& model, nmos::experimental::authorization_state& authorization_state, nmos::load_ca_certificates_handler load_ca_certificates, nmos::experimental::save_authorization_client_handler save_authorization_client, slog::base_gate& gate)
 {
 slog::log(gate, SLOG_FLF) << "Attempting authorization client registration";
@@ -1479,7 +1479,7 @@ namespace nmos
 {
 auto lock = model.write_lock();
- // check client_secret existence for confidential client
+ // check client_secret exists for confidential client
 if (client_metadata.has_string_field(nmos::experimental::fields::token_endpoint_auth_method))
 {
 if (((nmos::experimental::fields::token_endpoint_auth_method(client_metadata) == web::http::oauth2::experimental::token_endpoint_auth_methods::client_secret_basic.name)
@@ -1503,27 +1503,27 @@ namespace nmos
 }
 }
- // scope is optional, it may not be returned by the Authorization server, just insert it,
- // as it is required for the authorization support
+ // scope is optional. If one has not be returned by the Authorization server,
+ // insert one as it is required by authorization functionality.
 if (!client_metadata.has_field(nmos::experimental::fields::scope))
 {
 client_metadata[nmos::experimental::fields::scope] = web::json::value::string(make_scope(nmos::experimental::authorization_scopes::from_settings(model.settings)));
 }
- // grant_types is optional, it may not be returned by the Authorization server, just insert it,
- // as it is required for the authorization support
+ // grant_types is optional. If it has not been returned by the Authorization server
+ // insert it as it is required by authorization functionality.
 if (!client_metadata.has_field(nmos::experimental::fields::grant_types))
 {
 client_metadata[nmos::experimental::fields::grant_types] = make_grant_types(grant_types_from_settings(model.settings));
 }
- // token_endpoint_auth_method is optional, it may not be returning by the Authorization server, just insert it,
- // as it is required for the authorization support
+ // token_endpoint_auth_method is optional. If it has not been returned by the Authorization server
+ // insert it as it is required by the authorization functionality.
 if (!client_metadata.has_field(nmos::experimental::fields::token_endpoint_auth_method))
 {
 client_metadata[nmos::experimental::fields::token_endpoint_auth_method] = web::json::value::string(token_endpoint_auth_method_from_settings(model.settings).name);
 }
 // store client metadata to settings
- // hmm, may store the only required fields
+ // hmm, may store only the required fields
 nmos::experimental::update_client_metadata(authorization_state, client_metadata);
 // hmm, do a callback allowing user to store the client credentials
@@ -1591,7 +1591,7 @@ namespace nmos
 return !authorization_service_error && registered;
 }
- // start authorization code workflow
+ // start authorization code flow
 // see https://tools.ietf.org/html/rfc8252#section-4.1
 bool authorization_code_flow(nmos::base_model& model, nmos::experimental::authorization_state& authorization_state, nmos::experimental::request_authorization_code_handler request_authorization_code, slog::base_gate& gate)
 {
@@ -1616,8 +1616,8 @@ namespace nmos
 auto access_token_received = false;
 auto authorization_flow = nmos::experimental::authorization_state::request_code;
- // start the authorization code grant workflow, the authorization URI is required to
- // be loaded in the web browser to kick start the authorization code grant workflow
+ // start the authorization code flow, the authorization URI is required to
+ // be loaded in the web browser to kick start the authorization code grant flow
 if (request_authorization_code)
 {
 nmos::with_write_lock(authorization_state.mutex, [&]
@@ -1630,14 +1630,14 @@ namespace nmos
 const auto& authorization_code_flow_max = nmos::experimental::fields::authorization_code_flow_max(settings);
 if (authorization_code_flow_max > -1)
 {
- // wait access token with timeout
+ // wait for access token with timeout
 if (!model.wait_for(lock, std::chrono::seconds(authorization_code_flow_max), [&] { authorization_flow = with_read_lock(authorization_state.mutex, [&] { return authorization_state.authorization_flow; }); return shutdown || nmos::experimental::authorization_state::failed == authorization_flow || nmos::experimental::authorization_state::access_token_received == authorization_flow; }))
 {
- // authorization code workflow timeout
+ // authorization code flow timeout
 authorization_service_error = true;
- slog::log(gate, SLOG_FLF) << "Authorization code workflow timeout";
+ slog::log(gate, SLOG_FLF) << "Authorization code flow timeout";
 }
 else if (nmos::experimental::authorization_state::access_token_received == authorization_flow)
 {
@@ -1647,14 +1647,14 @@ namespace nmos
 }
 else
 {
- // authorization code workflow failure
+ // authorization code flow failure
 authorization_service_error = true;
- slog::log(gate, SLOG_FLF) << "Authorization code workflow failure";
+ slog::log(gate, SLOG_FLF) << "Authorization code flow failure";
 }
 }
 else
 {
- // wait access token without timeout
+ // wait for access token without timeout
 condition.wait(lock, [&] { authorization_flow = with_read_lock(authorization_state.mutex, [&] { return authorization_state.authorization_flow; }); return shutdown || nmos::experimental::authorization_state::failed == authorization_flow || nmos::experimental::authorization_state::access_token_received == authorization_flow; });
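Review bot: The `slog::log` string rewritten here, `"Authorization code flow timeout"`, and the ones in the hunks at @1647 and @1667 (`"Authorization code flow failure"`, `"No authorization code flow handler"`) change emitted log text rather than comments, so any log monitoring or alert rule keyed on the previous `workflow` wording would stop matching once this lands; that deserves a line in the commit message or release notes. The comment and code wording are otherwise kept consistent, which is the point of the change. The enclosing function authorization_code_flow starts at @1591 and ends outside these hunks.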
@@ -1667,17 +1667,17 @@ namespace nmos
 }
 else
 {
- // authorization code workflow failure
+ // authorization code flow failure
 authorization_service_error = true;
- slog::log(gate, SLOG_FLF) << "Authorization code workflow failure";
+ slog::log(gate, SLOG_FLF) << "Authorization code flow failure";
 }
 }
 }
 else
 {
- // no handler to start the authorization code grant workflow
+ // no handler to start the authorization code grant flow
 authorization_service_error = true;
- slog::log(gate, SLOG_FLF) << "No authorization code workflow handler";
+ slog::log(gate, SLOG_FLF) << "No authorization code flow handler";
 }
 model.notify();
@@ -1688,7 +1688,7 @@ namespace nmos
 // fetch the bearer access token for the required scope(s) to access the protected APIs
 // see https://specs.amwa.tv/is-10/releases/v1.0.0/docs/4.2._Behaviour_-_Clients.html#requesting-a-token
 // see https://specs.amwa.tv/is-10/releases/v1.0.0/docs/4.2._Behaviour_-_Clients.html#accessing-protected-resources
- // fetch the token issuer(authorization server)'s public keys fpr validating the incoming bearer access token
+ // fetch the token issuer(authorization server)'s public keys for validating the incoming bearer access token
 // see https://specs.amwa.tv/is-10/releases/v1.0.0/docs/4.5._Behaviour_-_Resource_Servers.html#public-keys
 void authorization_operation(nmos::base_model& model, nmos::experimental::authorization_state& authorization_state, load_ca_certificates_handler load_ca_certificates, load_rsa_private_keys_handler load_rsa_private_keys, bool immediate_token_fetch, slog::base_gate& gate)
 {
diff --git a/Development/nmos/authorization_operation.h b/Development/nmos/authorization_operation.h
index b522d5df9..9bc1dacec 100644
--- a/Development/nmos/authorization_operation.h
+++ b/Development/nmos/authorization_operation.h
@@ -56,7 +56,7 @@ namespace nmos
 // see https://tools.ietf.org/html/rfc7591#section-3.1
 bool client_registration(nmos::base_model& model, nmos::experimental::authorization_state& authorization_state, nmos::load_ca_certificates_handler load_ca_certificates, nmos::experimental::save_authorization_client_handler client_registered, slog::base_gate& gate);
- // start authorization code workflow
+ // start authorization code flow
 // see https://tools.ietf.org/html/rfc8252#section-4.1
 bool authorization_code_flow(nmos::base_model& model, nmos::experimental::authorization_state& authorization_state, nmos::experimental::request_authorization_code_handler request_authorization_code, slog::base_gate& gate);
@@ -65,7 +65,7 @@ namespace nmos
 // fetch the bearer access token for the required scope(s) to access the protected APIs
 // see https://specs.amwa.tv/is-10/releases/v1.0.0/docs/4.2._Behaviour_-_Clients.html#requesting-a-token
 // see https://specs.amwa.tv/is-10/releases/v1.0.0/docs/4.2._Behaviour_-_Clients.html#accessing-protected-resources
- // fetch the Token Issuer(authorization server)'s public keys fpr validating the incoming bearer access token
+ // fetch the Token Issuer(authorization server)'s public keys for validating the incoming bearer access token
 // see https://specs.amwa.tv/is-10/releases/v1.0.0/docs/4.5._Behaviour_-_Resource_Servers.html#public-keys
 void authorization_operation(nmos::base_model& model, nmos::experimental::authorization_state& authorization_state, nmos::load_ca_certificates_handler load_ca_certificates, load_rsa_private_keys_handler load_rsa_private_keys, bool immediate_token_fetch, slog::base_gate& gate);
diff --git a/Development/nmos/authorization_redirect_api.cpp b/Development/nmos/authorization_redirect_api.cpp
index a969f0dab..22290985f 100644
--- a/Development/nmos/authorization_redirect_api.cpp
+++ b/Development/nmos/authorization_redirect_api.cpp
@@ -203,9 +203,8 @@ namespace nmos
 client_assertion_lifespan = std::chrono::seconds(nmos::experimental::fields::authorization_request_max(settings));
 });
- // The Authorization server may redirect error back due to something have went wrong
- // such as resource owner rejects the request or the developer did something wrong
- // when creating the Authorization request
+ // The authorization server may redirect an error back to this endpoint due to error conditions
+ // such as resource owner rejecting the request, or invalid authorization request
 {
 auto lock = authorization_state.write_lock(); // in order to update shared state
 try
@@ -220,7 +219,7 @@ namespace nmos
 }
 catch (const authorization_flow_exception& e)
 {
- slog::log(gate, SLOG_FLF) << "Authorization flow token request Authorization Flow error: " << utility::us2s(e.error.name) << " description: " << utility::us2s(e.description);
+ slog::log(gate, SLOG_FLF) << "Authorization flow token request authorization flow error: " << utility::us2s(e.error.name) << " description: " << utility::us2s(e.description);
 result = details::make_authorization_flow_error_response(status_codes::BadRequest, e.error.name, e.description);
 authorization_state.authorization_flow = authorization_state::failed;
 }
diff --git a/Development/nmos/authorization_state.h b/Development/nmos/authorization_state.h
index 9cf714198..2bd57db4d 100644
--- a/Development/nmos/authorization_state.h
+++ b/Development/nmos/authorization_state.h
@@ -39,7 +39,7 @@ namespace nmos
 struct authorization_state
 {
- // mutex to be used to protect the members of the settings from simultaneous access by multiple threads
+ // mutex to be used to protect the members of the authorization_state from simultaneous access by multiple threads
 mutable nmos::mutex mutex;
 // authorization code flow settings
@@ -64,7 +64,7 @@ namespace nmos
 // map of issuer (authorization server) to jwt_validator set for access token validation
 nmos::experimental::issuers issuers;
- // the authorization server which is currently connected to
+ // currently connected authorization server
 web::uri authorization_server_uri;
 // OAuth 2.0 bearer token to access authorizaton protected APIs
diff --git a/Development/nmos/authorization_utils.cpp b/Development/nmos/authorization_utils.cpp
index 680c152c4..82b385d33 100644
--- a/Development/nmos/authorization_utils.cpp
+++ b/Development/nmos/authorization_utils.cpp
@@ -77,7 +77,7 @@ namespace nmos
 // get issuer version
 api_version version(const web::uri& issuer)
 {
- // issuer uri should be like "https://server.example.com/{version}
+ // issuer uri should be of the form "https://server.example.com/{version}"
 api_version ver{ api_version{} };
 if (!issuer.is_path_empty())
 {
diff --git a/Development/nmos/certificate_handlers.cpp b/Development/nmos/certificate_handlers.cpp
index d91d70a27..ed52a73ab 100644
--- a/Development/nmos/certificate_handlers.cpp
+++ b/Development/nmos/certificate_handlers.cpp
@@ -123,7 +123,7 @@ namespace nmos
 }
 // construct callback to load RSA private keys from file based on settings, see nmos/certificate_settings.h
- // require for OAuth client which is using Private Key JWT as the requested authentication method for the token endpoint
+ // required for OAuth client which is using Private Key JWT as the requested authentication method for the token endpoint
 load_rsa_private_keys_handler make_load_rsa_private_keys_handler(const nmos::settings& settings, slog::base_gate& gate)
 {
 // load the server private keys from files
diff --git a/Development/nmos/client_utils.cpp b/Development/nmos/client_utils.cpp
index 74df9b1bb..ec1d4bb4f 100644
--- a/Development/nmos/client_utils.cpp
+++ b/Development/nmos/client_utils.cpp
@@ -172,7 +172,7 @@ namespace nmos
 return config;
 }
- // construct client config based on settings, e.g. using the specified proxy
+ // construct client config based on settings, e.g. using the specified proxy and OCSP config
 // with the remaining options defaulted, e.g. request timeout
 web::http::client::http_client_config make_http_client_config(const nmos::settings& settings, load_ca_certificates_handler load_ca_certificates, slog::base_gate& gate)
 {
diff --git a/Development/nmos/events_ws_api.cpp b/Development/nmos/events_ws_api.cpp
index cda94fa4d..6c16d7998 100644
--- a/Development/nmos/events_ws_api.cpp
+++ b/Development/nmos/events_ws_api.cpp
@@ -79,7 +79,7 @@ namespace nmos
 const auto& settings = model.settings;
 web::uri token_issuer;
- // note: the ws_validate_authorization returns the token_issuer via function parameter
+ // note: ws_validate_authorization returns the token_issuer via function parameter
 const auto result = nmos::experimental::ws_validate_authorization(req, nmos::experimental::scopes::events, nmos::get_host_name(settings), token_issuer, access_token_validation, gate_);
 if (!result)
 {
diff --git a/Development/nmos/jwk_utils.cpp b/Development/nmos/jwk_utils.cpp
index 1e80ae144..9919616cd 100644
--- a/Development/nmos/jwk_utils.cpp
+++ b/Development/nmos/jwk_utils.cpp
@@ -124,7 +124,7 @@ namespace nmos
 using ssl::experimental::BIO_ptr;
 // supported Elliptic-Curve types
- // see https://tools.ietf.org/search/rfc4492#appendix-A
+ // see https://tools.ietf.org/html/rfc4492#appendix-A
 const std::map curve =
 {
 { U("P-256"), NID_X9_62_prime256v1 },
diff --git a/Development/nmos/jwt_validator_impl.cpp b/Development/nmos/jwt_validator_impl.cpp
index cc09d630d..8d3499e98 100644
--- a/Development/nmos/jwt_validator_impl.cpp
+++ b/Development/nmos/jwt_validator_impl.cpp
@@ -107,7 +107,7 @@ namespace nmos
 }
 }
- // reaching here, there must be because no matching public key to validate the access token
+ // reaching here indicates there is no matching public key to validate the access token
 // "Where a Resource Server has no matching public key for a given token, it SHOULD attempt to obtain the missing public key via the the token iss
 // claim as specified in RFC 8414 section 3. In cases where the Resource Server needs to fetch a public key from a remote Authorization Server it
@@ -186,8 +186,8 @@ namespace nmos
 if (segments.size() >= aud_segments.size() && aud_segments.size())
 {
- // token audience got to be in wildcard domain name format, leftmost is a "*" charcater
- // if not it is not going to match
+ // in order to match the token audience has to be in wildcard domain name format
+ // with a leftmost "*" character.
 // see https://tools.ietf.org/html/rfc4592#section-2.1.1
 if (aud_segments[0] != "*")
 {
@@ -219,7 +219,7 @@ namespace nmos
 }
 // scope optional
- // If scope claim does not contain the expected scope, the Resource Server reject the token.
+ // If scope claim does not contain the expected scope, the Resource Server will reject the token.
 // see https://specs.amwa.tv/is-10/releases/v1.0.0/docs/4.4._Behaviour_-_Access_Tokens.html#scope
 auto verify_scope = [&decoded_token](const nmos::experimental::scope& scope)
 {
@@ -384,7 +384,7 @@ namespace nmos
 using namespace jwt::traits;
 auto decoded_token = jwt::decode(utility::us2s(token));
- // token does not guarantee to have client_id
+ // token is not guaranteed to have a client_id
 // see https://specs.amwa.tv/is-10/releases/v1.0.0/docs/4.4._Behaviour_-_Access_Tokens.html#client_id
 if (decoded_token.has_payload_claim("client_id"))
 {
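Review bot: The new comment in the hunk at @186, `// in order to match the token audience has to be in wildcard domain name format`, reads ambiguously without a comma and drops the old comment's explicit statement that a non-wildcard audience does not match, which is the property the `if (aud_segments[0] != "*")` guard below enforces. Stating the rule the code implements keeps it auditable: `// a token audience is only matched as a wildcard domain name whose leftmost label is "*" (RFC 4592 section 2.1.1); any other audience form is not matched here`. The body of that guard and the comparison of the remaining segments lie outside the hunk, so the non-match handling is inferred from the old comment rather than visible code. The enclosing function starts and ends outside the hunk.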