github
/
OpenID-Connect-Java-Spring-Server
mirror of https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Fix NPE if no claims are requested for the userinfo object 

This happens if clients only requests id_token claims, or just send an empty claims parameter.

Change-Id: I8bd176ad271bda8a1e2f26b6221bd8e2d0a3ebfb
pull/1015/merge
Leonard Brünings 2017-03-02 19:34:40 +01:00 committed by Justin Richer
parent 141f4da7f1
commit 00ecd3dd22
1 changed files with 13 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
openid-connect-server/src/main/java/org/mitre/openid/connect/view/UserInfoView.java
View File

@ -148,18 +148,8 @@ public class UserInfoView extends AbstractView {
Set<String> authorizedByClaims = new HashSet<>(); Set<String> authorizedByClaims = new HashSet<>();
Set<String> requestedByClaims = new HashSet<>(); Set<String> requestedByClaims = new HashSet<>();
if (authorizedClaims != null) { extractUserInfoClaimsIntoSet(authorizedClaims, authorizedByClaims);
JsonObject userinfoAuthorized = authorizedClaims.getAsJsonObject().get("userinfo").getAsJsonObject(); extractUserInfoClaimsIntoSet(requestedClaims, requestedByClaims);
for (Entry<String, JsonElement> entry : userinfoAuthorized.getAsJsonObject().entrySet()) {
authorizedByClaims.add(entry.getKey());
}
}
if (requestedClaims != null) {
JsonObject userinfoRequested = requestedClaims.getAsJsonObject().get("userinfo").getAsJsonObject();
for (Entry<String, JsonElement> entry : userinfoRequested.getAsJsonObject().entrySet()) {
requestedByClaims.add(entry.getKey());
}
}
// Filter claims by performing a manual intersection of claims that are allowed by the given scope, requested, and authorized. // Filter claims by performing a manual intersection of claims that are allowed by the given scope, requested, and authorized.
// We cannot use Sets.intersection() or similar because Entry<> objects will evaluate to being unequal if their values are // We cannot use Sets.intersection() or similar because Entry<> objects will evaluate to being unequal if their values are
@ -180,4 +170,15 @@ public class UserInfoView extends AbstractView {
return result; return result;
} }
private void extractUserInfoClaimsIntoSet(JsonObject claims, Set<String> target) {
if (claims != null) {
JsonObject userinfoAuthorized = claims.getAsJsonObject("userinfo");
if (userinfoAuthorized != null) {
for (Entry<String, JsonElement> entry : userinfoAuthorized.entrySet()) {
target.add(entry.getKey());
}
}
}
}
} }