added response type consistency checking, closes #430

pull/612/head
Justin Richer 2014-06-05 19:41:06 -04:00
parent 32101ff7b2
commit 04f7a698ea
1 changed files with 43 additions and 22 deletions


@ -138,6 +138,10 @@ public class ClientDynamicRegistrationEndpoint {
}
}
if (newClient.getResponseTypes() == null) {
newClient.setResponseTypes(new HashSet<String>());
}
// filter out unknown grant types
// TODO: make this a pluggable service
Set<String> requestedGrantTypes = new HashSet<String>(newClient.getGrantTypes());
@ -174,6 +178,18 @@ public class ClientDynamicRegistrationEndpoint {
m.addAttribute("code", HttpStatus.BAD_REQUEST);
return "jsonErrorView";
}
if (newClient.getResponseTypes().contains("token")) {
// return an error, you can't have this grant type and response type together
m.addAttribute("error", "invalid_client_metadata");
m.addAttribute("errorMessage", "Incompatible response types requested: " + newClient.getGrantTypes() + " / " + newClient.getResponseTypes());
m.addAttribute("code", HttpStatus.BAD_REQUEST);
return "jsonErrorView";
}
newClient.getResponseTypes().add("code");
}
if (newClient.getGrantTypes().contains("implicit")) {
@ -188,6 +204,16 @@ public class ClientDynamicRegistrationEndpoint {
return "jsonErrorView";
}
if (newClient.getResponseTypes().contains("code")) {
// return an error, you can't have this grant type and response type together
m.addAttribute("error", "invalid_client_metadata");
m.addAttribute("errorMessage", "Incompatible response types requested: " + newClient.getGrantTypes() + " / " + newClient.getResponseTypes());
m.addAttribute("code", HttpStatus.BAD_REQUEST);
return "jsonErrorView";
}
newClient.getResponseTypes().add("token");
// don't allow refresh tokens in implicit clients
newClient.getGrantTypes().remove("refresh_token");
newClient.getScope().remove("offline_access");
@ -205,6 +231,14 @@ public class ClientDynamicRegistrationEndpoint {
return "jsonErrorView";
}
if (!newClient.getResponseTypes().isEmpty()) {
// return an error, you can't have this grant type and response type together
m.addAttribute("error", "invalid_client_metadata");
m.addAttribute("errorMessage", "Incompatible response types requested: " + newClient.getGrantTypes() + " / " + newClient.getResponseTypes());
m.addAttribute("code", HttpStatus.BAD_REQUEST);
return "jsonErrorView";
}
// don't allow refresh tokens or id tokens in client_credentials clients
newClient.getGrantTypes().remove("refresh_token");
newClient.getScope().remove("offline_access");
@ -241,17 +275,6 @@ public class ClientDynamicRegistrationEndpoint {
}
// set default response types if needed
// TODO: these aren't checked by SECOAUTH
// TODO: the consistency between the response_type and grant_type needs to be checked by the client service, most likely
if (newClient.getResponseTypes() == null || newClient.getResponseTypes().isEmpty()) {
newClient.setResponseTypes(Sets.newHashSet("code")); // default to allowing only the auth code flow
}
if (newClient.getTokenEndpointAuthMethod() == null) {
newClient.setTokenEndpointAuthMethod(AuthMethod.SECRET_BASIC);
}
@ -414,6 +437,10 @@ public class ClientDynamicRegistrationEndpoint {
// make sure that the client doesn't ask for scopes it can't have
newClient.setScope(scopeService.toStrings(allowedScopes));
if (newClient.getResponseTypes() == null) {
newClient.setResponseTypes(new HashSet<String>());
}
// filter out unknown grant types
// TODO: make this a pluggable service
Set<String> requestedGrantTypes = new HashSet<String>(newClient.getGrantTypes());
@ -450,6 +477,9 @@ public class ClientDynamicRegistrationEndpoint {
m.addAttribute("code", HttpStatus.BAD_REQUEST);
return "jsonErrorView";
}
newClient.getResponseTypes().add("code");
}
if (newClient.getGrantTypes().contains("implicit")) {
@ -463,6 +493,8 @@ public class ClientDynamicRegistrationEndpoint {
m.addAttribute("code", HttpStatus.BAD_REQUEST);
return "jsonErrorView";
}
newClient.getResponseTypes().add("token");
// don't allow refresh tokens in implicit clients
newClient.getGrantTypes().remove("refresh_token");
@ -516,17 +548,6 @@ public class ClientDynamicRegistrationEndpoint {
}
}
// set default response types if needed
// TODO: these aren't checked by SECOAUTH
// TODO: the consistency between the response_type and grant_type needs to be checked by the client service, most likely
if (newClient.getResponseTypes() == null || newClient.getResponseTypes().isEmpty()) {
newClient.setResponseTypes(Sets.newHashSet("code")); // default to allowing only the auth code flow
}
if (newClient.getTokenEndpointAuthMethod() == null) {
newClient.setTokenEndpointAuthMethod(AuthMethod.SECRET_BASIC);
}
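Review bot: The second code path (the hunks from new line 437 onward, visible at `newClient.getResponseTypes().add("code");` and `newClient.getResponseTypes().add("token");`) only adds the implied response type and never performs the incompatibility rejection that the first path gets, so a client whose metadata already holds `token` with `authorization_code`, or `code` with `implicit`, passes through this path with both values stored; there is also no counterpart here to the client_credentials "response types must be empty" check. Since both paths run the same grant-type filtering, the checks should be mirrored, or better extracted into one private helper that both paths call so the two cannot drift again. Note also that because the blocks run sequentially and the first unconditionally adds `code` before the second rejects `code`, a client listing both `authorization_code` and `implicit` is now always rejected, which rules out hybrid response types — if that is intended, a comment stating it would help. The enclosing methods start and end outside these hunks, so the exact enclosing `if` at each insertion point is inferred from the parallel registration path.
```java
// … unchanged: preceding redirect-URI error return in the second path …
if (newClient.getResponseTypes().contains("token")) {
    // mirror the registration path: "token" is incompatible with authorization_code
    m.addAttribute("error", "invalid_client_metadata");
    m.addAttribute("errorMessage", "Incompatible response types requested: " + newClient.getGrantTypes() + " / " + newClient.getResponseTypes());
    m.addAttribute("code", HttpStatus.BAD_REQUEST);
    return "jsonErrorView";
}
newClient.getResponseTypes().add("code");
// … unchanged: same guard, rejecting "code", before the add("token") in the implicit block …
```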