github
/
OpenID-Connect-Java-Spring-Server
mirror of https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

fixed comparison of client IDs in refresh token, closes #752 

Also addresses #735 (again)
1.0.x
Justin Richer 2015-01-25 22:57:03 -05:00
parent be12c25d12
commit 2ffe1fcbda
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java
View File

@ -213,7 +213,7 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
// make sure that the client requesting the token is the one who owns the refresh token
ClientDetailsEntity requestingClient = clientDetailsService.loadClientByClientId(authRequest.getClientId());
if (requestingClient.getClientId() != client.getClientId()) {
if (!client.getClientId().equals(requestingClient.getClientId())) {
tokenRepository.removeRefreshToken(refreshToken);
throw new InvalidClientException("Client does not own the presented refresh token");
}