Posted to commits@cxf.apache.org by co...@apache.org on 2015/12/14 15:17:08 UTC

[2/2] cxf git commit: Require a nonce for the implicit flow

Require a nonce for the implicit flow


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/2d3592e6
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/2d3592e6
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/2d3592e6

Branch: refs/heads/3.1.x-fixes
Commit: 2d3592e667e0ed5c2345b8fe1ae248a6b0fb1b43
Parents: ad1822e
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Mon Dec 14 14:11:43 2015 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Mon Dec 14 14:14:54 2015 +0000

----------------------------------------------------------------------
 .../oauth2/common/OAuthAuthorizationData.java     |  8 --------
 .../rs/security/oidc/idp/OidcImplicitService.java | 18 ++++++++++++++++++
 2 files changed, 18 insertions(+), 8 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/2d3592e6/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
index 8a29946..383cd3b 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
@@ -39,7 +39,6 @@ public class OAuthAuthorizationData extends OAuthRedirectionState implements Ser
     private String endUserName;
     private String authenticityToken;
     private String replyTo;
-    private String responseType;
     
     private String applicationName;
     private String applicationWebUri;
@@ -203,11 +202,4 @@ public class OAuthAuthorizationData extends OAuthRedirectionState implements Ser
         this.implicitFlow = implicitFlow;
     }
 
-    public String getResponseType() {
-        return responseType;
-    }
-
-    public void setResponseType(String responseType) {
-        this.responseType = responseType;
-    }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/2d3592e6/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
index 908d141..edf8e98 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
@@ -22,10 +22,17 @@ import java.util.Arrays;
 import java.util.HashSet;
 import java.util.List;
 
+import javax.ws.rs.core.MultivaluedMap;
+import javax.ws.rs.core.Response;
+
 import org.apache.cxf.rs.security.oauth2.common.Client;
+import org.apache.cxf.rs.security.oauth2.common.OAuthError;
 import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
 import org.apache.cxf.rs.security.oauth2.common.OAuthRedirectionState;
+import org.apache.cxf.rs.security.oauth2.common.UserSubject;
+import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
 import org.apache.cxf.rs.security.oauth2.services.ImplicitGrantService;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
 
 
 public class OidcImplicitService extends ImplicitGrantService {
@@ -48,6 +55,17 @@ public class OidcImplicitService extends ImplicitGrantService {
     }
     
     @Override
+    protected Response startAuthorization(MultivaluedMap<String, String> params, 
+                                          UserSubject userSubject,
+                                          Client client) {    
+        // Validate the nonce, it must be present for the Implicit flow
+        if (params.getFirst(OAuthConstants.NONCE) == null) {
+            throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_REQUEST));
+        }
+        return super.startAuthorization(params, userSubject, client);
+    }
+    
+    @Override
     protected boolean canAuthorizationBeSkipped(Client client,
                                                 List<String> requestedScope,
                                                 List<OAuthPermission> permissions) {
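Review bot: The nonce check at `params.getFirst(OAuthConstants.NONCE) == null` rejects only an absent parameter, so `nonce=` (an empty value) passes and the caller would later bind an empty nonce into the id_token; reading it once and testing both cases is safer: `String nonce = params.getFirst(OAuthConstants.NONCE);` then `if (nonce == null || nonce.isEmpty()) {`. Presence here is also only half of the replay protection — the value has to be carried through to the issued id_token's nonce claim and verified by the client, which this hunk does not show and is presumably handled elsewhere in the flow. The thrown `OAuthError` carries just `INVALID_REQUEST`; if the two-argument constructor is available, a short description such as `"nonce is required for the implicit flow"` would make the rejection diagnosable without reading server logs. On style, the new signature lines and the blank line after the method carry trailing whitespace, and a one-line Javadoc on the override stating that OIDC implicit requests without a nonce are rejected before authorization starts would document the new precondition.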