From 39c50b76f48db5ba6331feb6859be65e2b6f471e Mon Sep 17 00:00:00 2001
From: Justin Richer
Date: Thu, 31 Jul 2014 23:05:17 -0400
Subject: [PATCH] added null checks to endpoint auth method switches, closes #652

---
 .../JwtBearerAuthenticationProvider.java | 10 ++++++-
 .../mitre/openid/connect/web/ClientAPI.java | 26 ++++++++++---------
 2 files changed, 23 insertions(+), 13 deletions(-)

diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/assertion/JwtBearerAuthenticationProvider.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/assertion/JwtBearerAuthenticationProvider.java
index a73536133..86150d0e7 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/assertion/JwtBearerAuthenticationProvider.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/assertion/JwtBearerAuthenticationProvider.java
@@ -97,7 +97,15 @@ public class JwtBearerAuthenticationProvider implements AuthenticationProvider {
 throw new InvalidClientException("Client's registered request object signing algorithm (" + client.getRequestObjectSigningAlg() + ") does not match request object's actual algorithm (" + alg.getName() + ")");
 }
 
- if (client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY) &&
+ if (client.getTokenEndpointAuthMethod() == null ||
+ client.getTokenEndpointAuthMethod().equals(AuthMethod.NONE) ||
+ client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_BASIC) ||
+ client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_POST)) {
+
+ // this client doesn't support this type of authentication
+ throw new AuthenticationServiceException("Client does not support this authentication method.");
+
+ } else if (client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY) &&
 (alg.equals(JWSAlgorithm.RS256)
 || alg.equals(JWSAlgorithm.RS384)
 || alg.equals(JWSAlgorithm.RS512))) {
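Review bot: The new condition reads `client.getTokenEndpointAuthMethod()` five times, so the `== null` test guards only the `.equals` calls chained directly behind it and every later branch (the chain continues past the end of this hunk) has to repeat the check. Reading it once into a local and comparing enum constants with `==`, which tolerates null, removes that hazard: `AuthMethod authMethod = client.getTokenEndpointAuthMethod();` followed by `if (authMethod == null || authMethod == AuthMethod.NONE || authMethod == AuthMethod.SECRET_BASIC || authMethod == AuthMethod.SECRET_POST) {`. Rejecting an unset or non-assertion method before any further processing is the right fail-closed behaviour and deserves a comment that says so, e.g. `// fail closed: reject clients whose registered auth method is unset or is not assertion-based`. One hedged point on the exception type: Spring Security documents `AuthenticationServiceException` for internal/system failures, so if this is meant as a rejection of the client's credentials, `BadCredentialsException` or the `InvalidClientException` already thrown just above may be the more accurate type. The enclosing method body starts before and ends after this hunk.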
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ClientAPI.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ClientAPI.java
index 5c2d467d3..26656f1a3 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ClientAPI.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ClientAPI.java
@@ -161,7 +161,13 @@ public class ClientAPI {
 client = clientService.generateClientId(client);
 }
 
- if (client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_BASIC)
+ if (client.getTokenEndpointAuthMethod() == null ||
+ client.getTokenEndpointAuthMethod().equals(AuthMethod.NONE)) {
+ // we shouldn't have a secret for this client
+
+ client.setClientSecret(null);
+
+ } else if (client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_BASIC)
 || client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_POST)
 || client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_JWT)) {
 
@@ -183,11 +189,6 @@ public class ClientAPI {
 // otherwise we shouldn't have a secret for this client
 client.setClientSecret(null);
 
- } else if (client.getTokenEndpointAuthMethod().equals(AuthMethod.NONE)) {
- // we shouldn't have a secret for this client
-
- client.setClientSecret(null);
-
 } else {
 logger.error("unknown auth method");
 
@@ -256,7 +257,13 @@ public class ClientAPI {
 client = clientService.generateClientId(client);
 }
 
- if (client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_BASIC)
+ if (client.getTokenEndpointAuthMethod() == null ||
+ client.getTokenEndpointAuthMethod().equals(AuthMethod.NONE)) {
+ // we shouldn't have a secret for this client
+
+ client.setClientSecret(null);
+
+ } else if (client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_BASIC)
 || client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_POST)
 || client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_JWT)) {
 
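Review bot: Treating a null `tokenEndpointAuthMethod` as `NONE` here clears the secret but leaves the null in the entity, so every other switch over the method (this commit already patches two of them) still needs its own null guard; normalising once before the chain, `if (client.getTokenEndpointAuthMethod() == null) { client.setTokenEndpointAuthMethod(AuthMethod.NONE); }`, would make the persisted registration explicit and let the rest of this block compare against `NONE` alone. The same block is repeated verbatim in the update hunk at `@@ -256,7 +257,13 @@`, which is the place to extract a private helper so the create and update paths cannot drift apart. In that update path a request that simply omits the method now silently drops an existing secret; whether that is the intended contract depends on whether the update merges into or replaces the stored client, which is outside the hunk. Reading the getter into a local (`AuthMethod authMethod = client.getTokenEndpointAuthMethod();`) and comparing the enum with `==` would also shorten the five repeated calls in each chain. The enclosing method body starts before and ends after this hunk.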
@@ -278,11 +285,6 @@ public class ClientAPI {
 // otherwise we shouldn't have a secret for this client
 client.setClientSecret(null);
 
- } else if (client.getTokenEndpointAuthMethod().equals(AuthMethod.NONE)) {
- // we shouldn't have a secret for this client
-
- client.setClientSecret(null);
-
 } else {
 logger.error("unknown auth method");