fixed comparison of client IDs in refresh token, closes #752

Also addresses #735 (again)
pull/989/head
Justin Richer 2015-01-24 07:47:50 -05:00
parent 6c88d7c54b
commit 166c53cd6a
2 changed files with 15 additions and 1 deletions


@ -238,7 +238,7 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
// make sure that the client requesting the token is the one who owns the refresh token // make sure that the client requesting the token is the one who owns the refresh token
ClientDetailsEntity requestingClient = clientDetailsService.loadClientByClientId(authRequest.getClientId()); ClientDetailsEntity requestingClient = clientDetailsService.loadClientByClientId(authRequest.getClientId());
if (requestingClient.getClientId() != client.getClientId()) { if (!client.getClientId().equals(requestingClient.getClientId())) {
tokenRepository.removeRefreshToken(refreshToken); tokenRepository.removeRefreshToken(refreshToken);
throw new InvalidClientException("Client does not own the presented refresh token"); throw new InvalidClientException("Client does not own the presented refresh token");
} }
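Review bot: The new `equals` form on the `if` line still dereferences `requestingClient` unconditionally, so if `clientDetailsService.loadClientByClientId` can return `null` for an unknown or deleted client id rather than throwing, the check fails with a `NullPointerException` instead of the intended `InvalidClientException`, and the `tokenRepository.removeRefreshToken(refreshToken)` revocation is skipped. If the service does throw on an unknown id (as its name suggests but the hunk does not show), this is harmless; otherwise a guard such as `if (requestingClient == null || !client.getClientId().equals(requestingClient.getClientId())) {` keeps both the rejection and the revocation on the mismatch path. The added test covers a registered mismatching client only, so an unregistered requesting client would be worth a case too. The enclosing method begins before and continues after this hunk.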


@ -70,7 +70,9 @@ public class TestDefaultOAuth2ProviderTokenService {
// Test Fixture: // Test Fixture:
private OAuth2Authentication authentication; private OAuth2Authentication authentication;
private ClientDetailsEntity client; private ClientDetailsEntity client;
private ClientDetailsEntity badClient;
private String clientId = "test_client"; private String clientId = "test_client";
private String badClientId = "bad_client";
private Set<String> scope = Sets.newHashSet("openid", "profile", "email", "offline_access"); private Set<String> scope = Sets.newHashSet("openid", "profile", "email", "offline_access");
private OAuth2RefreshTokenEntity refreshToken; private OAuth2RefreshTokenEntity refreshToken;
private String refreshTokenValue = "refresh_token_value"; private String refreshTokenValue = "refresh_token_value";
@ -120,6 +122,10 @@ public class TestDefaultOAuth2ProviderTokenService {
// by default in tests, allow refresh tokens // by default in tests, allow refresh tokens
Mockito.when(client.isAllowRefresh()).thenReturn(true); Mockito.when(client.isAllowRefresh()).thenReturn(true);
badClient = Mockito.mock(ClientDetailsEntity.class);
Mockito.when(badClient.getClientId()).thenReturn(badClientId);
Mockito.when(clientDetailsService.loadClientByClientId(badClientId)).thenReturn(badClient);
refreshToken = Mockito.mock(OAuth2RefreshTokenEntity.class); refreshToken = Mockito.mock(OAuth2RefreshTokenEntity.class);
Mockito.when(tokenRepository.getRefreshTokenByValue(refreshTokenValue)).thenReturn(refreshToken); Mockito.when(tokenRepository.getRefreshTokenByValue(refreshTokenValue)).thenReturn(refreshToken);
Mockito.when(refreshToken.getClient()).thenReturn(client); Mockito.when(refreshToken.getClient()).thenReturn(client);
@ -313,6 +319,14 @@ public class TestDefaultOAuth2ProviderTokenService {
service.refreshAccessToken(refreshTokenValue, tokenRequest); service.refreshAccessToken(refreshTokenValue, tokenRequest);
} }
@Test(expected = InvalidClientException.class)
public void refreshAccessToken_clientMismatch() {
tokenRequest = new TokenRequest(null, badClientId, null, null);
service.refreshAccessToken(refreshTokenValue, tokenRequest);
}
@Test(expected = InvalidTokenException.class) @Test(expected = InvalidTokenException.class)
public void refreshAccessToken_expired() { public void refreshAccessToken_expired() {