From 51e35133071b9245ccf0b6777451edc4bbf16c55 Mon Sep 17 00:00:00 2001
From: Justin Richer
Date: Wed, 24 Feb 2016 13:07:14 -0500
Subject: [PATCH] disallow client secret JWT authentication in HEART mode

---
 .../connect/assertion/JWTBearerAuthenticationProvider.java | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/assertion/JWTBearerAuthenticationProvider.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/assertion/JWTBearerAuthenticationProvider.java
index ce53d577a..c2c1304d4 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/assertion/JWTBearerAuthenticationProvider.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/assertion/JWTBearerAuthenticationProvider.java
@@ -124,6 +124,11 @@ public class JWTBearerAuthenticationProvider implements AuthenticationProvider {
 				|| alg.equals(JWSAlgorithm.HS384)
 				|| alg.equals(JWSAlgorithm.HS512)))) {
 
+			// double-check the method is asymmetrical if we're in HEART mode
+			if (config.isHeartMode() && !client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY)) {
+				throw new AuthenticationServiceException("[HEART mode] Invalid authentication method");
+			}
+
 			JWTSigningAndValidationService validator = validators.getValidator(client, alg);
 
 			if (validator == null) {
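Review bot: The HEART guard on the added `if` line keys only on the client's registered `tokenEndpointAuthMethod`, while the branch it sits in (its condition starts above the hunk) is visibly entered for HMAC algorithms such as HS384/HS512, so the symmetric-key case is rejected only indirectly through the client record rather than from the assertion's own `alg`. Checking the algorithm as well makes the comment's intent ("the method is asymmetrical") explicit and rejects an HMAC-signed assertion regardless of how the client happens to be registered, e.g. `if (config.isHeartMode() && (!AuthMethod.PRIVATE_KEY.equals(client.getTokenEndpointAuthMethod()) || alg.equals(JWSAlgorithm.HS256) || alg.equals(JWSAlgorithm.HS384) || alg.equals(JWSAlgorithm.HS512)))`. Writing the comparison as `AuthMethod.PRIVATE_KEY.equals(...)` also keeps a NullPointerException from escaping the provider if a client with no auth method can reach this point, which I cannot confirm from the hunk since the earlier conditions are outside it. The enclosing method continues beyond the hunk.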