better auth method checking in dynamic registration and resource registration

11 years ago · 53148f2c87
parent f15b4a0f74
commit 53148f2c87
2 changed files with 22 additions and 0 deletions
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ClientDynamicRegistrationEndpoint.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ClientDynamicRegistrationEndpoint.java
@ -50,6 +50,7 @@ import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.util.UriUtils;

+import com.google.common.base.Strings;
 import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.Sets;
 import com.google.gson.JsonSyntaxException;
@ -507,6 +508,16 @@ public class ClientDynamicRegistrationEndpoint {

 			// we need to generate a secret
 			newClient = clientService.generateClientSecret(newClient);
+		} else if (newClient.getTokenEndpointAuthMethod() == AuthMethod.PRIVATE_KEY) {
+			if (Strings.isNullOrEmpty(newClient.getJwksUri())) {
+				throw new ValidationException("invalid_client_metadata", "JWK Set URI required when using private key authentication", HttpStatus.BAD_REQUEST);
+			}
+			
+			newClient.setClientSecret(null);
+		} else if (newClient.getTokenEndpointAuthMethod() == AuthMethod.NONE) {
+			newClient.setClientSecret(null);
+		} else {
+			throw new ValidationException("invalid_client_metadata", "Unknown authentication method", HttpStatus.BAD_REQUEST);
 		}
 		return newClient;
 	}
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ProtectedResourceRegistrationEndpoint.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ProtectedResourceRegistrationEndpoint.java
@ -49,6 +49,7 @@ import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.util.UriUtils;

+import com.google.common.base.Strings;
 import com.google.common.collect.Sets;
 import com.google.gson.JsonSyntaxException;

@ -413,6 +414,16 @@ public class ProtectedResourceRegistrationEndpoint {

 			// we need to generate a secret
 			newClient = clientService.generateClientSecret(newClient);
+		} else if (newClient.getTokenEndpointAuthMethod() == AuthMethod.PRIVATE_KEY) {
+			if (Strings.isNullOrEmpty(newClient.getJwksUri())) {
+				throw new ValidationException("invalid_client_metadata", "JWK Set URI required when using private key authentication", HttpStatus.BAD_REQUEST);
+			}
+			
+			newClient.setClientSecret(null);
+		} else if (newClient.getTokenEndpointAuthMethod() == AuthMethod.NONE) {
+			newClient.setClientSecret(null);
+		} else {
+			throw new ValidationException("invalid_client_metadata", "Unknown authentication method", HttpStatus.BAD_REQUEST);
 		}
 		return newClient;
 	}