more sanity checking for client secrets

pull/618/head
Justin Richer 2014-06-09 16:06:57 -04:00
parent cac645484f
commit 47cc005fe5
1 changed files with 44 additions and 4 deletions


@ -171,11 +171,31 @@ public class ClientAPI {
client = clientService.generateClientSecret(client);
}
} else {
// otherwise (PRIVATE_KEY or NONE), we shouldn't have a secret for this client
} else if (client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY)) {
if (Strings.isNullOrEmpty(client.getJwksUri())) {
logger.error("tried to create client with private key auth but no private key");
m.addAttribute("code", HttpStatus.BAD_REQUEST);
m.addAttribute("errorMessage", "Can not create a client with private key authentication without registering a key via the JWS Set URI.");
return "jsonErrorView";
}
// otherwise we shouldn't have a secret for this client
client.setClientSecret(null);
} else if (client.getTokenEndpointAuthMethod().equals(AuthMethod.NONE)) {
// we shouldn't have a secret for this client
client.setClientSecret(null);
} else {
logger.error("unknown auth method");
m.addAttribute("code", HttpStatus.BAD_REQUEST);
m.addAttribute("errorMessage", "Unknown auth method requested");
return "jsonErrorView";
}
// set owners as current logged in user if owners aren't set otherwise
@ -255,11 +275,31 @@ public class ClientAPI {
client = clientService.generateClientSecret(client);
}
} else {
// otherwise (PRIVATE_KEY or NONE), we shouldn't have a secret for this client
} else if (client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY)) {
if (Strings.isNullOrEmpty(client.getJwksUri())) {
logger.error("tried to create client with private key auth but no private key");
m.addAttribute("code", HttpStatus.BAD_REQUEST);
m.addAttribute("errorMessage", "Can not create a client with private key authentication without registering a key via the JWS Set URI.");
return "jsonErrorView";
}
// otherwise we shouldn't have a secret for this client
client.setClientSecret(null);
} else if (client.getTokenEndpointAuthMethod().equals(AuthMethod.NONE)) {
// we shouldn't have a secret for this client
client.setClientSecret(null);
} else {
logger.error("unknown auth method");
m.addAttribute("code", HttpStatus.BAD_REQUEST);
m.addAttribute("errorMessage", "Unknown auth method requested");
return "jsonErrorView";
}
// set owners as current logged in user if owners aren't set otherwise
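Review bot: The new `else if` branches dereference the auth method before comparing it, `client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY)`, so a registration request that omits the method would throw a NullPointerException out of the controller instead of reaching the `Unknown auth method requested` error path; reversing the comparison, `} else if (AuthMethod.PRIVATE_KEY.equals(client.getTokenEndpointAuthMethod())) {` (and likewise `AuthMethod.NONE.equals(...)`), keeps the null case inside the handled chain, though if the preceding branch outside the hunk already dereferences it the same change is needed there. The `errorMessage` line says "JWS Set URI" while the check reads `getJwksUri()`, so the user-facing text should say `JWK Set URI`. The same 18-line chain is added verbatim in both hunks (`@ -171` and `@ -255`); extracting it into one private validation method that both registration paths call would stop the two copies from drifting apart, and logging the rejected method value in the final `else` (`logger.error("unknown auth method: {}", client.getTokenEndpointAuthMethod())`) would make the rejection diagnosable. The `if` chain begins before the first hunk line and the enclosing method continues past the last.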