added response type consistency checking, closes #430
parent
32101ff7b2
commit
04f7a698ea
|
@ -138,6 +138,10 @@ public class ClientDynamicRegistrationEndpoint {
|
|||
}
|
||||
}
|
||||
|
||||
if (newClient.getResponseTypes() == null) {
|
||||
newClient.setResponseTypes(new HashSet<String>());
|
||||
}
|
||||
|
||||
// filter out unknown grant types
|
||||
// TODO: make this a pluggable service
|
||||
Set<String> requestedGrantTypes = new HashSet<String>(newClient.getGrantTypes());
|
||||
|
@ -174,6 +178,18 @@ public class ClientDynamicRegistrationEndpoint {
|
|||
m.addAttribute("code", HttpStatus.BAD_REQUEST);
|
||||
return "jsonErrorView";
|
||||
}
|
||||
|
||||
if (newClient.getResponseTypes().contains("token")) {
|
||||
// return an error, you can't have this grant type and response type together
|
||||
m.addAttribute("error", "invalid_client_metadata");
|
||||
m.addAttribute("errorMessage", "Incompatible response types requested: " + newClient.getGrantTypes() + " / " + newClient.getResponseTypes());
|
||||
m.addAttribute("code", HttpStatus.BAD_REQUEST);
|
||||
return "jsonErrorView";
|
||||
}
|
||||
|
||||
newClient.getResponseTypes().add("code");
|
||||
|
||||
|
||||
}
|
||||
|
||||
if (newClient.getGrantTypes().contains("implicit")) {
|
||||
|
@ -188,6 +204,16 @@ public class ClientDynamicRegistrationEndpoint {
|
|||
return "jsonErrorView";
|
||||
}
|
||||
|
||||
if (newClient.getResponseTypes().contains("code")) {
|
||||
// return an error, you can't have this grant type and response type together
|
||||
m.addAttribute("error", "invalid_client_metadata");
|
||||
m.addAttribute("errorMessage", "Incompatible response types requested: " + newClient.getGrantTypes() + " / " + newClient.getResponseTypes());
|
||||
m.addAttribute("code", HttpStatus.BAD_REQUEST);
|
||||
return "jsonErrorView";
|
||||
}
|
||||
|
||||
newClient.getResponseTypes().add("token");
|
||||
|
||||
// don't allow refresh tokens in implicit clients
|
||||
newClient.getGrantTypes().remove("refresh_token");
|
||||
newClient.getScope().remove("offline_access");
|
||||
|
@ -205,6 +231,14 @@ public class ClientDynamicRegistrationEndpoint {
|
|||
return "jsonErrorView";
|
||||
}
|
||||
|
||||
if (!newClient.getResponseTypes().isEmpty()) {
|
||||
// return an error, you can't have this grant type and response type together
|
||||
m.addAttribute("error", "invalid_client_metadata");
|
||||
m.addAttribute("errorMessage", "Incompatible response types requested: " + newClient.getGrantTypes() + " / " + newClient.getResponseTypes());
|
||||
m.addAttribute("code", HttpStatus.BAD_REQUEST);
|
||||
return "jsonErrorView";
|
||||
}
|
||||
|
||||
// don't allow refresh tokens or id tokens in client_credentials clients
|
||||
newClient.getGrantTypes().remove("refresh_token");
|
||||
newClient.getScope().remove("offline_access");
|
||||
|
@ -241,17 +275,6 @@ public class ClientDynamicRegistrationEndpoint {
|
|||
}
|
||||
|
||||
|
||||
// set default response types if needed
|
||||
// TODO: these aren't checked by SECOAUTH
|
||||
// TODO: the consistency between the response_type and grant_type needs to be checked by the client service, most likely
|
||||
|
||||
if (newClient.getResponseTypes() == null || newClient.getResponseTypes().isEmpty()) {
|
||||
newClient.setResponseTypes(Sets.newHashSet("code")); // default to allowing only the auth code flow
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
if (newClient.getTokenEndpointAuthMethod() == null) {
|
||||
newClient.setTokenEndpointAuthMethod(AuthMethod.SECRET_BASIC);
|
||||
}
|
||||
|
@ -414,6 +437,10 @@ public class ClientDynamicRegistrationEndpoint {
|
|||
// make sure that the client doesn't ask for scopes it can't have
|
||||
newClient.setScope(scopeService.toStrings(allowedScopes));
|
||||
|
||||
if (newClient.getResponseTypes() == null) {
|
||||
newClient.setResponseTypes(new HashSet<String>());
|
||||
}
|
||||
|
||||
// filter out unknown grant types
|
||||
// TODO: make this a pluggable service
|
||||
Set<String> requestedGrantTypes = new HashSet<String>(newClient.getGrantTypes());
|
||||
|
@ -450,6 +477,9 @@ public class ClientDynamicRegistrationEndpoint {
|
|||
m.addAttribute("code", HttpStatus.BAD_REQUEST);
|
||||
return "jsonErrorView";
|
||||
}
|
||||
|
||||
newClient.getResponseTypes().add("code");
|
||||
|
||||
}
|
||||
|
||||
if (newClient.getGrantTypes().contains("implicit")) {
|
||||
|
@ -463,6 +493,8 @@ public class ClientDynamicRegistrationEndpoint {
|
|||
m.addAttribute("code", HttpStatus.BAD_REQUEST);
|
||||
return "jsonErrorView";
|
||||
}
|
||||
|
||||
newClient.getResponseTypes().add("token");
|
||||
|
||||
// don't allow refresh tokens in implicit clients
|
||||
newClient.getGrantTypes().remove("refresh_token");
|
||||
|
@ -516,17 +548,6 @@ public class ClientDynamicRegistrationEndpoint {
|
|||
}
|
||||
}
|
||||
|
||||
// set default response types if needed
|
||||
// TODO: these aren't checked by SECOAUTH
|
||||
// TODO: the consistency between the response_type and grant_type needs to be checked by the client service, most likely
|
||||
|
||||
if (newClient.getResponseTypes() == null || newClient.getResponseTypes().isEmpty()) {
|
||||
newClient.setResponseTypes(Sets.newHashSet("code")); // default to allowing only the auth code flow
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
if (newClient.getTokenEndpointAuthMethod() == null) {
|
||||
newClient.setTokenEndpointAuthMethod(AuthMethod.SECRET_BASIC);
|
||||
}
|
||||
|
|
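Review bot: The response-type consistency checks are added only to the first handler (hunks starting at line 138); the second copy of the same grant-type logic (hunks from line 437 on, apparently a second handler in this class) gets the `newClient.getResponseTypes().add("code")` / `add("token")` defaults but not the `contains("token")`, `contains("code")` and `isEmpty()` rejections, so a grant/response-type combination the first handler refuses with `invalid_client_metadata` would pass through the second, and the old default-to-"code" block is removed there as well with nothing replacing it. If that second path updates an already registered client, the same rejections should apply there, ideally by moving the checks into one private validation helper that both handlers call rather than keeping two divergent copies. The error block (`m.addAttribute("error", ...)` through `return "jsonErrorView";`) is now repeated three times verbatim and would fit the same helper. Note also that `errorMessage` echoes the client-supplied grant and response type sets back to the caller; whether that is safe depends on how `jsonErrorView` encodes the value, which is not visible here. The enclosing methods start and end outside these hunks.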