github
/
OpenID-Connect-Java-Spring-Server
mirror of https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

make sure that client presenting refresh token is the same client the refresh token was issued to

Browse Source 
closes #735
pull/743/head
Justin Richer 10 years ago
parent 0e776762c2
commit 56344fa12b
1 changed files with 8 additions and 1 deletions
Show Stats Download Patch File Download Diff File

9
openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java
Unescape View File

@ -235,7 +235,14 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
ClientDetailsEntity client = refreshToken.getClient();
AuthenticationHolderEntity authHolder = refreshToken.getAuthenticationHolder();
// make sure that the client requesting the token is the one who owns the refresh token
ClientDetailsEntity requestingClient = clientDetailsService.loadClientByClientId(authRequest.getClientId());
if (requestingClient.getClientId() != client.getClientId()) {
tokenRepository.removeRefreshToken(refreshToken);
throw new InvalidClientException("Client does not own the presented refresh token");
}
//Make sure this client allows access token refreshing
if (!client.isAllowRefresh()) {
throw new InvalidClientException("Client does not allow refreshing access token!");

Write Preview
Loading…
Cancel
Save