From 5abebb7c3692dda14ba249365046b92cc8e8e1a4 Mon Sep 17 00:00:00 2001
From: Carling Knight
Date: Tue, 4 Dec 2018 15:33:50 +0000
Subject: [PATCH] DWN-27040: Adds the same secret key limiting to client registration

Also removes the client secrets from the client listing
---
 .../java/org/mitre/openid/connect/web/ClientAPI.java | 3 +++
 .../connect/web/DynamicClientRegistrationEndpoint.java | 9 +++++++++
 2 files changed, 12 insertions(+)

diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ClientAPI.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ClientAPI.java
index 86e359f8e..94c395286 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ClientAPI.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ClientAPI.java
@@ -229,6 +229,9 @@ public class ClientAPI {
 public String apiGetAllClients(Model model, Authentication auth) {
 Collection clients = clientService.getAllClients();
+
+ clients.forEach(client -> client.setClientSecret(null));
+
 model.addAttribute(JsonEntityView.ENTITY, clients);
 if (AuthenticationUtilities.isAdmin(auth)) {
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/DynamicClientRegistrationEndpoint.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/DynamicClientRegistrationEndpoint.java
index 89e0418ad..74c106b66 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/DynamicClientRegistrationEndpoint.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/DynamicClientRegistrationEndpoint.java
@@ -167,6 +167,8 @@ public class DynamicClientRegistrationEndpoint {
 if (newClient != null) {
 // it parsed!
+ String plaintextSecret = newClient.getClientSecret();
+
 //
 // Now do some post-processing consistency checks on it
 //
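Review bot: `clients.forEach(client -> client.setClientSecret(null));` removes the secret by mutating the objects returned from `clientService.getAllClients()` in place, rather than stripping it from a copy or in the view. If those objects are persistence-managed entities and the request still runs inside a persistence context when the view renders, a later flush could write the nulled secrets back to the store; if they are detached the mutation is harmless, but the listing then relies on every caller of this method remembering to do the same. A more robust shape is to exclude the field when the collection is serialized, or to map the clients to copies before `model.addAttribute(JsonEntityView.ENTITY, clients);`, so the stored objects are never modified on a read path. apiGetAllClients continues past the hunk, so the admin branch that follows is affected by the same mutation.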
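Review bot: `String plaintextSecret = newClient.getClientSecret();` seeds the value that the -242 hunk later returns as the registration response's client secret with whatever the registrant submitted, and it is only replaced in the -201 hunk when the server generates a secret. For token-endpoint auth methods that take the generate branch the response is correct; for any other method, or if the post-processing between the hunks (not visible here) discards a client-supplied secret, the 201 response would echo a secret that was never stored and the registrant could not authenticate with it. Unless registrants are intentionally allowed to choose their own secret, initialize with `String plaintextSecret = null;` and keep the assignment in the generate branch only, so the response carries nothing but a secret the server actually issued. The enclosing method extends beyond all three hunks, so the intervening checks cannot be confirmed from this diff.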
@@ -201,6 +203,7 @@ public class DynamicClientRegistrationEndpoint {
 // we need to generate a secret
 newClient = clientService.generateClientSecret(newClient);
+ plaintextSecret = newClient.getClientSecret();
 }
 // set some defaults for token timeouts
@@ -242,6 +245,9 @@ public class DynamicClientRegistrationEndpoint {
 // send it all out to the view
 RegisteredClient registered = new RegisteredClient(savedClient, token.getValue(), config.getIssuer() + "register/" + UriUtils.encodePathSegment(savedClient.getClientId(), "UTF-8"));
+
+ registered.setClientSecret(plaintextSecret);
+
 m.addAttribute("client", registered);
 m.addAttribute(HttpCodeView.CODE, HttpStatus.CREATED); // http 201
@@ -377,6 +383,9 @@ public class DynamicClientRegistrationEndpoint {
 RegisteredClient registered = new RegisteredClient(savedClient, token.getValue(), config.getIssuer() + "register/" + UriUtils.encodePathSegment(savedClient.getClientId(), "UTF-8"));
+ // We don't want the UI to receive the client secret
+ registered.setClientSecret(null);
+
 // send it all out to the view
 m.addAttribute("client", registered);
 m.addAttribute(HttpCodeView.CODE, HttpStatus.OK); // http 200
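Review bot: The comment `// We don't want the UI to receive the client secret` names a consumer rather than the reason; this path answers with a 200 built from `savedClient` to the holder of the registration access token, so the comment should state why the stored value is withheld, e.g. `// The stored secret is never returned after registration; the plaintext was issued once in the 201 response`. Relatedly, if an update handler elsewhere in this class (not part of this diff) constructs `RegisteredClient` from `savedClient` the same way, it would still carry the stored secret into its response and should get the same `registered.setClientSecret(null);` treatment. The enclosing method continues outside the hunk.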