From 2008404afdcb99b781959d14b87fba3c5c12de5c Mon Sep 17 00:00:00 2001 From: Carling Knight Date: Wed, 5 Dec 2018 14:36:38 +0000 Subject: [PATCH] DWN-27040: Bit of refactoring, Protected Resources now protected --- .../impl/DefaultOAuth2ClientDetailsEntityService.java | 4 ++++ .../main/java/org/mitre/openid/connect/web/ClientAPI.java | 5 ----- .../connect/web/DynamicClientRegistrationEndpoint.java | 5 ----- 3 files changed, 4 insertions(+), 10 deletions(-) diff --git a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ClientDetailsEntityService.java b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ClientDetailsEntityService.java index ddaa0435a..005db69b5 100644 --- a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ClientDetailsEntityService.java +++ b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ClientDetailsEntityService.java @@ -150,12 +150,16 @@ public class DefaultOAuth2ClientDetailsEntityService implements ClientDetailsEnt ensureNoReservedScopes(client); + String plaintextSecret = client.getClientSecret(); + if(!Strings.isNullOrEmpty(client.getClientSecret())) { client.setClientSecret(this.passwordEncoder.encode(client.getClientSecret())); } ClientDetailsEntity c = clientRepository.saveClient(client); + c.setClientSecret(plaintextSecret); + statsService.resetCache(); return c; diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ClientAPI.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ClientAPI.java index 94c395286..a3943fba5 100644 --- a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ClientAPI.java +++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ClientAPI.java 
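Review bot: `c.setClientSecret(plaintextSecret)` mutates the object returned by `clientRepository.saveClient(client)`; if that is a JPA-managed entity and this method runs inside a transaction, the dirty check at commit can write the plaintext secret over the encoded value that was just stored, so the plaintext should go on a detached copy or a separate return value rather than on `c`, and a test should assert that the persisted secret is still encoded after commit. Every caller of `saveNewClient` now receives an entity whose secret is plaintext while the stored one is encoded, so re-saving the returned object would persist the plaintext; document that on the method, e.g. `// Returned entity carries the plaintext secret for one-time disclosure to the registrant; the stored value is encoded — never re-save it.` The `isNullOrEmpty` check and the `encode` call can read the already-captured `plaintextSecret` instead of calling `client.getClientSecret()` twice more. The enclosing method starts before this hunk.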
@@ -281,8 +281,6 @@ public class ClientAPI { client = clientService.generateClientId(client); } - String plaintextSecret = client.getClientSecret(); - if (client.getTokenEndpointAuthMethod() == null || client.getTokenEndpointAuthMethod().equals(AuthMethod.NONE)) { // we shouldn't have a secret for this client @@ -297,7 +295,6 @@ public class ClientAPI { if (json.has("generateClientSecret") && json.get("generateClientSecret").getAsBoolean() || Strings.isNullOrEmpty(client.getClientSecret())) { client = clientService.generateClientSecret(client); - plaintextSecret = client.getClientSecret(); } } else if (client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY)) { @@ -328,8 +325,6 @@ public class ClientAPI { ClientDetailsEntity newClient = clientService.saveNewClient(client); //Set the client secret to the plaintext from the request - newClient.setClientSecret(plaintextSecret); - m.addAttribute(JsonEntityView.ENTITY, newClient); if (AuthenticationUtilities.isAdmin(auth)) { diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/DynamicClientRegistrationEndpoint.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/DynamicClientRegistrationEndpoint.java index 74c106b66..a36d539d0 100644 --- a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/DynamicClientRegistrationEndpoint.java +++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/DynamicClientRegistrationEndpoint.java @@ -167,8 +167,6 @@ public class DynamicClientRegistrationEndpoint { if (newClient != null) { // it parsed! - String plaintextSecret = newClient.getClientSecret(); - // // Now do some post-processing consistency checks on it // @@ -203,7 +201,6 @@ public class DynamicClientRegistrationEndpoint { // we need to generate a secret newClient = clientService.generateClientSecret(newClient); - plaintextSecret = newClient.getClientSecret(); } // set some defaults for token timeouts 
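Review bot: In the third ClientAPI hunk the context comment `//Set the client secret to the plaintext from the request` is now stale: the line it described, `newClient.setClientSecret(plaintextSecret)`, is removed and the comment sits directly above `m.addAttribute(JsonEntityView.ENTITY, newClient)`. Either delete it or replace it with `// newClient already carries the plaintext secret populated by clientService.saveNewClient()`, which also records the new dependency on the service populating that field — if the service later stops doing so, this endpoint would silently return the encoded secret to the admin UI with nothing here to catch it. The enclosing method of that hunk starts and ends outside it.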
@@ -246,8 +243,6 @@ public class DynamicClientRegistrationEndpoint { RegisteredClient registered = new RegisteredClient(savedClient, token.getValue(), config.getIssuer() + "register/" + UriUtils.encodePathSegment(savedClient.getClientId(), "UTF-8")); - registered.setClientSecret(plaintextSecret); - m.addAttribute("client", registered); m.addAttribute(HttpCodeView.CODE, HttpStatus.CREATED); // http 201