github
/
OpenID-Connect-Java-Spring-Server
mirror of https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request #2 from gresham-computing/client-secret-security 

DWN-27040: Changes when the client secret is given to the UI
pull/1601/head
Carling Knight 2018-12-14 10:37:35 +00:00 committed by GitHub
parent 0ae12c2e5d 2008404afd
commit 12f91b1901
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 28 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ClientDetailsEntityService.java
View File

@ -150,12 +150,16 @@ public class DefaultOAuth2ClientDetailsEntityService implements ClientDetailsEnt
ensureNoReservedScopes(client); ensureNoReservedScopes(client);
String plaintextSecret = client.getClientSecret();
if(!Strings.isNullOrEmpty(client.getClientSecret())) { if(!Strings.isNullOrEmpty(client.getClientSecret())) {
client.setClientSecret(this.passwordEncoder.encode(client.getClientSecret())); client.setClientSecret(this.passwordEncoder.encode(client.getClientSecret()));
} }
ClientDetailsEntity c = clientRepository.saveClient(client); ClientDetailsEntity c = clientRepository.saveClient(client);
c.setClientSecret(plaintextSecret);
statsService.resetCache(); statsService.resetCache();
return c; return c;
@ -432,9 +436,11 @@ public class DefaultOAuth2ClientDetailsEntityService implements ClientDetailsEnt
// make sure a client doesn't get any special system scopes // make sure a client doesn't get any special system scopes
ensureNoReservedScopes(newClient); ensureNoReservedScopes(newClient);
if(!Strings.isNullOrEmpty(newClient.getClientSecret())) { if (Strings.isNullOrEmpty(newClient.getClientSecret())){
newClient.setClientSecret(oldClient.getClientSecret());
}else{
newClient.setClientSecret(this.passwordEncoder.encode(newClient.getClientSecret())); newClient.setClientSecret(this.passwordEncoder.encode(newClient.getClientSecret()));
} }
return clientRepository.updateClient(oldClient.getId(), newClient); return clientRepository.updateClient(oldClient.getId(), newClient);
} }

19
openid-connect-server/src/main/java/org/mitre/openid/connect/web/ClientAPI.java
View File

@ -229,6 +229,9 @@ public class ClientAPI {
public String apiGetAllClients(Model model, Authentication auth) { public String apiGetAllClients(Model model, Authentication auth) {
Collection<ClientDetailsEntity> clients = clientService.getAllClients(); Collection<ClientDetailsEntity> clients = clientService.getAllClients();
clients.forEach(client -> client.setClientSecret(null));
model.addAttribute(JsonEntityView.ENTITY, clients); model.addAttribute(JsonEntityView.ENTITY, clients);
if (AuthenticationUtilities.isAdmin(auth)) { if (AuthenticationUtilities.isAdmin(auth)) {
@ -320,6 +323,8 @@ public class ClientAPI {
try { try {
ClientDetailsEntity newClient = clientService.saveNewClient(client); ClientDetailsEntity newClient = clientService.saveNewClient(client);
//Set the client secret to the plaintext from the request
m.addAttribute(JsonEntityView.ENTITY, newClient); m.addAttribute(JsonEntityView.ENTITY, newClient);
if (AuthenticationUtilities.isAdmin(auth)) { if (AuthenticationUtilities.isAdmin(auth)) {
@ -385,6 +390,7 @@ public class ClientAPI {
} }
ClientDetailsEntity oldClient = clientService.getClientById(id); ClientDetailsEntity oldClient = clientService.getClientById(id);
String plaintextSecret = client.getClientSecret();
if (oldClient == null) { if (oldClient == null) {
logger.error("apiUpdateClient failed; client with id " + id + " could not be found."); logger.error("apiUpdateClient failed; client with id " + id + " could not be found.");
@ -408,10 +414,10 @@ public class ClientAPI {
|| client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_POST) || client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_POST)
|| client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_JWT)) { || client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_JWT)) {
// if they've asked for us to generate a client secret (or they left it blank but require one), do so here // Once a client has been created, we only update the secret when asked to
if (json.has("generateClientSecret") && json.get("generateClientSecret").getAsBoolean() if (json.has("generateClientSecret") && json.get("generateClientSecret").getAsBoolean()) {
|| Strings.isNullOrEmpty(client.getClientSecret())) {
client = clientService.generateClientSecret(client); client = clientService.generateClientSecret(client);
plaintextSecret = client.getClientSecret();
} }
} else if (client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY)) { } else if (client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY)) {
@ -438,6 +444,10 @@ public class ClientAPI {
try { try {
ClientDetailsEntity newClient = clientService.updateClient(oldClient, client); ClientDetailsEntity newClient = clientService.updateClient(oldClient, client);
//Set the client secret to the plaintext from the request
newClient.setClientSecret(plaintextSecret);
m.addAttribute(JsonEntityView.ENTITY, newClient); m.addAttribute(JsonEntityView.ENTITY, newClient);
if (AuthenticationUtilities.isAdmin(auth)) { if (AuthenticationUtilities.isAdmin(auth)) {
@ -497,6 +507,9 @@ public class ClientAPI {
return JsonErrorView.VIEWNAME; return JsonErrorView.VIEWNAME;
} }
//We don't want the UI to get the secret
client.setClientSecret(null);
model.addAttribute(JsonEntityView.ENTITY, client); model.addAttribute(JsonEntityView.ENTITY, client);
if (AuthenticationUtilities.isAdmin(auth)) { if (AuthenticationUtilities.isAdmin(auth)) {

4
openid-connect-server/src/main/java/org/mitre/openid/connect/web/DynamicClientRegistrationEndpoint.java
View File

@ -242,6 +242,7 @@ public class DynamicClientRegistrationEndpoint {
// send it all out to the view // send it all out to the view
RegisteredClient registered = new RegisteredClient(savedClient, token.getValue(), config.getIssuer() + "register/" + UriUtils.encodePathSegment(savedClient.getClientId(), "UTF-8")); RegisteredClient registered = new RegisteredClient(savedClient, token.getValue(), config.getIssuer() + "register/" + UriUtils.encodePathSegment(savedClient.getClientId(), "UTF-8"));
m.addAttribute("client", registered); m.addAttribute("client", registered);
m.addAttribute(HttpCodeView.CODE, HttpStatus.CREATED); // http 201 m.addAttribute(HttpCodeView.CODE, HttpStatus.CREATED); // http 201
@ -377,6 +378,9 @@ public class DynamicClientRegistrationEndpoint {
RegisteredClient registered = new RegisteredClient(savedClient, token.getValue(), config.getIssuer() + "register/" + UriUtils.encodePathSegment(savedClient.getClientId(), "UTF-8")); RegisteredClient registered = new RegisteredClient(savedClient, token.getValue(), config.getIssuer() + "register/" + UriUtils.encodePathSegment(savedClient.getClientId(), "UTF-8"));
// We don't want the UI to receive the client secret
registered.setClientSecret(null);
// send it all out to the view // send it all out to the view
m.addAttribute("client", registered); m.addAttribute("client", registered);
m.addAttribute(HttpCodeView.CODE, HttpStatus.OK); // http 200 m.addAttribute(HttpCodeView.CODE, HttpStatus.OK); // http 200