From 2ffe1fcbdadf49005091b74f7b8c97f6d129bbe4 Mon Sep 17 00:00:00 2001
From: Justin Richer <jricher@mit.edu>
Date: Sun, 25 Jan 2015 22:57:03 -0500
Subject: [PATCH] fixed comparison of client IDs in refresh token, closes #752

Also addresses #735 (again)
---
 .../oauth2/service/impl/DefaultOAuth2ProviderTokenService.java  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java
index eb123074d..6bffc2df0 100644
--- a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java
@@ -213,7 +213,7 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
 		
 		// make sure that the client requesting the token is the one who owns the refresh token
 		ClientDetailsEntity requestingClient = clientDetailsService.loadClientByClientId(authRequest.getClientId());
-		if (requestingClient.getClientId() != client.getClientId()) {
+		if (!client.getClientId().equals(requestingClient.getClientId())) {
 			tokenRepository.removeRefreshToken(refreshToken);
 			throw new InvalidClientException("Client does not own the presented refresh token");
 		}