ported CSRF fix to 1.0 using sessions

openid-connect-server/src/main/java/org/mitre/openid/connect/ConnectAuthorizationRequestManager.java

@@ -21,6 +21,9 @@ import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Set;
+import java.util.UUID;
+
+import javax.servlet.http.HttpSession;
 
 import net.minidev.json.JSONObject;
 
@@ -45,6 +48,8 @@ import org.springframework.security.oauth2.provider.AuthorizationRequestManager;
 import org.springframework.security.oauth2.provider.ClientDetails;
 import org.springframework.security.oauth2.provider.DefaultAuthorizationRequest;
 import org.springframework.stereotype.Component;
+import org.springframework.web.context.request.RequestContextHolder;
+import org.springframework.web.context.request.ServletRequestAttributes;
 
 import com.google.common.base.Strings;
 import com.nimbusds.jose.util.JSONObjectUtils;
@@ -123,6 +128,15 @@ public class ConnectAuthorizationRequestManager implements AuthorizationRequestM
 		// note that we have to inject the processed parameters in at this point so that SECOAUTH can find them later (and this object will get copy-constructored away anyway)
 		DefaultAuthorizationRequest request = new DefaultAuthorizationRequest(parameters, Collections.<String, String> emptyMap(), clientId, scopes);
 		request.addClientDetails(client);
+		
+		// get the session so we can store a CSRF protection value in it
+	    ServletRequestAttributes attr = (ServletRequestAttributes) RequestContextHolder.currentRequestAttributes();
+	    HttpSession session = attr.getRequest().getSession(false);
+	    if (session != null) {
+	    	String csrf = UUID.randomUUID().toString();
+	    	session.setAttribute("csrf", csrf);
+	    }
+		
 		return request;
 
 	}

openid-connect-server/src/main/java/org/mitre/openid/connect/token/TofuUserApprovalHandler.java

@@ -22,6 +22,8 @@ import java.util.Date;
 import java.util.Map;
 import java.util.Set;
 
+import javax.servlet.http.HttpSession;
+
 import org.mitre.openid.connect.model.ApprovedSite;
 import org.mitre.openid.connect.model.WhitelistedSite;
 import org.mitre.openid.connect.service.ApprovedSiteService;
@@ -34,6 +36,8 @@ import org.springframework.security.oauth2.provider.ClientDetailsService;
 import org.springframework.security.oauth2.provider.DefaultAuthorizationRequest;
 import org.springframework.security.oauth2.provider.approval.UserApprovalHandler;
 import org.springframework.stereotype.Component;
+import org.springframework.web.context.request.RequestContextHolder;
+import org.springframework.web.context.request.ServletRequestAttributes;
 
 import com.google.common.base.Strings;
 import com.google.common.collect.Sets;
@@ -90,7 +94,17 @@ public class TofuUserApprovalHandler implements UserApprovalHandler {
 			// TODO: make parameter name configurable?
 			boolean approved = Boolean.parseBoolean(authorizationRequest.getApprovalParameters().get("user_oauth_approval"));
 
-			return userAuthentication.isAuthenticated() && approved;
+			boolean csrfApproved = false;
+		    ServletRequestAttributes attr = (ServletRequestAttributes) RequestContextHolder.currentRequestAttributes();
+		    HttpSession session = attr.getRequest().getSession(false);
+		    if (session != null) {
+		    	String csrf = (String) session.getAttribute("csrf");
+		    	if (csrf != null && csrf.equals(authorizationRequest.getApprovalParameters().get("csrf"))) {
+		    		csrfApproved = true;
+		    	}
+		    }
+
+			return userAuthentication.isAuthenticated() && approved && csrfApproved;
 		}
 
 	}
@@ -173,6 +187,19 @@ public class TofuUserApprovalHandler implements UserApprovalHandler {
 
 		if (approved && !authorizationRequest.getApprovalParameters().isEmpty()) {
 
+			// get the session so we can store a CSRF protection value in it
+			boolean csrfApproved = false;
+		    ServletRequestAttributes attr = (ServletRequestAttributes) RequestContextHolder.currentRequestAttributes();
+		    HttpSession session = attr.getRequest().getSession(false);
+		    if (session != null) {
+		    	String csrf = (String) session.getAttribute("csrf");
+		    	if (csrf != null && csrf.equals(authorizationRequest.getApprovalParameters().get("csrf"))) {
+		    		csrfApproved = true;
+		    	}
+		    }
+
+		    if (csrfApproved) {
+			
 				// TODO: Get SECOAUTH to stop breaking polymorphism and start using real objects, SRSLY
 				DefaultAuthorizationRequest ar = new DefaultAuthorizationRequest(authorizationRequest);
 	
@@ -216,6 +243,10 @@ public class TofuUserApprovalHandler implements UserApprovalHandler {
 				}
 	
 				return ar;
+		    } else {
+		    	// csrf didn't match, it's not approved, pass through
+		    	return authorizationRequest;
+		    }
 		}
 
 		return authorizationRequest;

openid-connect-server/src/main/webapp/WEB-INF/views/approve.jsp

@@ -115,6 +115,7 @@
 
             <div class="row">
                 <input id="user_oauth_approval" name="user_oauth_approval" value="true" type="hidden"/>
+                <input name="csrf" value="${ sessionScope.csrf }" type="hidden" />
                 <input name="authorize" value="Authorize" type="submit"
                        onclick="$('#user_oauth_approval').attr('value',true)" class="btn btn-success btn-large"/>
                 &nbsp;