Posted to commits@cxf.apache.org by co...@apache.org on 2019/11/15 13:15:38 UTC

[cxf] branch master updated: Some OIDC changes relating to public clients

This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf.git


The following commit(s) were added to refs/heads/master by this push:
     new 9818f48  Some OIDC changes relating to public clients
9818f48 is described below

commit 9818f48525c07bfe23af8f3a5c2d735f3953d02f
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Fri Nov 15 13:15:17 2019 +0000

    Some OIDC changes relating to public clients
---
 .../grants/code/AuthorizationCodeGrantHandler.java   |  2 +-
 .../services/AuthorizationCodeGrantService.java      |  3 +--
 .../security/oauth2/grants/PublicClientTest.java     | 20 ++++++++++++++++++++
 3 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
index 22557e7..f32b0df 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
@@ -67,7 +67,7 @@ public class AuthorizationCodeGrantHandler extends AbstractGrantHandler {
         String expectedRedirectUri = grant.getRedirectUri();
         String providedRedirectUri = params.getFirst(OAuthConstants.REDIRECT_URI);
         if (providedRedirectUri != null) {
-            if (expectedRedirectUri == null || !providedRedirectUri.equals(expectedRedirectUri)) {
+            if (!providedRedirectUri.equals(expectedRedirectUri)) {
                 throw new OAuthServiceException(OAuthConstants.INVALID_REQUEST);
             }
         } else if (expectedRedirectUri == null && !isCanSupportPublicClients()
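Review bot: The simplified check `if (!providedRedirectUri.equals(expectedRedirectUri))` is only correct because providedRedirectUri is known to be non-null at that point and `String.equals(null)` returns false, so a redirect_uri supplied when the grant stored none is still rejected; that reliance is easy to miss and deserves a comment. Suggest adding above the check: `// providedRedirectUri is non-null here; equals(null) is false, so a redirect_uri supplied without one stored in the grant is rejected too (exact string match is intended)`. The enclosing method begins and ends outside this hunk, so the `else if` branch on the last visible line is only partly shown.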
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
index 77ae3bf..676515a2 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
@@ -209,8 +209,7 @@ public class AuthorizationCodeGrantService extends RedirectionBasedGrantService
     protected boolean canRedirectUriBeEmpty(Client c) {
         // If a redirect URI is empty then the code will be returned out of band,
         // typically will be returned directly to a human user
-        return (c.isConfidential() && canSupportEmptyRedirectForPrivateClients || canSupportPublicClient(c))
-                && c.getRedirectUris().isEmpty();
+        return c.isConfidential() && canSupportEmptyRedirectForPrivateClients;
     }
 
     public void setCanSupportPublicClients(boolean support) {
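Review bot: The new return `return c.isConfidential() && canSupportEmptyRedirectForPrivateClients;` drops the former `c.getRedirectUris().isEmpty()` requirement, so a confidential client that has registered redirect URIs may now omit redirect_uri whenever canSupportEmptyRedirectForPrivateClients is set, whereas an empty redirect was previously permitted only when no URI was registered at all. The commit message mentions only public clients, so it is unclear whether that widening for confidential clients is intended; if it is not, keep the registered-URI condition: `return c.isConfidential() && canSupportEmptyRedirectForPrivateClients && c.getRedirectUris().isEmpty();`. The comment on the method should also state that public clients never qualify here, since an absent redirect_uri decides where the authorization code is delivered; the caller of this method is not visible in the hunk.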
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/PublicClientTest.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/PublicClientTest.java
index 606aee0..455ba0e 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/PublicClientTest.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/PublicClientTest.java
@@ -90,6 +90,26 @@ public class PublicClientTest extends AbstractBusClientServerTestBase {
     }
 
     @org.junit.Test
+    public void testAuthorizationCodeGrantNoRedirectURI() throws Exception {
+        URL busFile = PublicClientTest.class.getResource("publicclient.xml");
+
+        String address = "https://localhost:" + JCACHE_PORT + "/services/";
+        WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(),
+                                            "alice", "security", busFile.toString());
+        // Save the Cookie for the second request...
+        WebClient.getConfig(client).getRequestContext().put(
+            org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE);
+
+        // Get Authorization Code
+        try {
+            OAuth2TestUtils.getAuthorizationCode(client, null, "fredPublic");
+            fail("Failure expected on a missing (registered) redirectURI");
+        } catch (Exception ex) {
+            // expected
+        }
+    }
+
+    @org.junit.Test
     public void testPKCEPlain() throws Exception {
         URL busFile = PublicClientTest.class.getResource("publicclient.xml");