From 1c4c53f252732ba65b23bfbe835ca16ad4e22d4c Mon Sep 17 00:00:00 2001
From: Justin Richer
Date: Fri, 30 Aug 2013 15:16:13 -0400
Subject: [PATCH] scope comparison for introspection endpoint
---
 .../mitre/oauth2/web/IntrospectionEndpoint.java | 17 +----------------
 1 file changed, 1 insertion(+), 16 deletions(-)
diff --git a/openid-connect-server/src/main/java/org/mitre/oauth2/web/IntrospectionEndpoint.java b/openid-connect-server/src/main/java/org/mitre/oauth2/web/IntrospectionEndpoint.java
index f829d4192..871facb6f 100644
--- a/openid-connect-server/src/main/java/org/mitre/oauth2/web/IntrospectionEndpoint.java
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/web/IntrospectionEndpoint.java
@@ -22,7 +22,6 @@ import java.util.Set;
 import org.mitre.oauth2.model.ClientDetailsEntity;
 import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
-import org.mitre.oauth2.model.SystemScope;
 import org.mitre.oauth2.model.OAuth2RefreshTokenEntity;
 import org.mitre.oauth2.service.ClientDetailsEntityService;
 import org.mitre.oauth2.service.OAuth2TokenEntityService;
@@ -120,25 +119,11 @@ public class IntrospectionEndpoint {
 if (authClient.isAllowIntrospection()) {
 // if it's the same client that the token was issued to, or it at least has all the scopes the token was issued with
- if (authClient.getClientId().equals(tokenClient.getClientId()) || authClient.getScope().containsAll(scopes)) {
+ if (authClient.getClientId().equals(tokenClient.getClientId()) || scopeService.scopesMatch(authClient.getScope(), scopes)) {
 // if it's a valid token, we'll print out information on it
 model.addAttribute("entity", token);
 return "tokenIntrospection";
 } else {
-
- boolean scopesConsistent = true;
- for (String ts : scopes){
- if (!authClient.getScope().contains(scopeService.baseScopeString(ts))){
- scopesConsistent = false;
- break;
- }
- }
-
- if (scopesConsistent) {
- model.addAttribute("entity", token);
- return "tokenIntrospection";
- }
-
 logger.error("Verify failed; client tried to introspect a token of an incorrect scope");
 model.addAttribute("code", HttpStatus.FORBIDDEN);
 return "httpCodeView";
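Review bot: The new condition `scopeService.scopesMatch(authClient.getScope(), scopes)` is now the sole authorization gate for cross-client introspection, but the hunk does not show which argument that method treats as the expected (superset) side; if its contract is "first argument covers every entry of the second", this order is right, and if it is the reverse, a client holding only a subset of a token's scopes could introspect it, which is the opposite of what the removed loop enforced via `baseScopeString`. Worth confirming against the service behind `scopeService` and pinning with a test where the introspecting client's scopes are strictly narrower than the token's (expecting the FORBIDDEN branch). The comment on the line above still describes the old `containsAll` semantics; suggest replacing it with `// same client, or the introspecting client's scopes cover every scope the token carries (structured-scope aware via scopeService.scopesMatch)`. The enclosing method starts before this hunk and its end may lie outside the view.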