github
/
OpenID-Connect-Java-Spring-Server
mirror of https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

DWN-27040: Adds the same secret key limiting to client registration 

Also removes the client secrets from the client listing
pull/1601/head
Carling Knight 2018-12-04 15:33:50 +00:00
parent c12cb18197
commit 5abebb7c36
2 changed files with 12 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
openid-connect-server/src/main/java/org/mitre/openid/connect/web/ClientAPI.java
View File

@ -229,6 +229,9 @@ public class ClientAPI {
public String apiGetAllClients(Model model, Authentication auth) { public String apiGetAllClients(Model model, Authentication auth) {
Collection<ClientDetailsEntity> clients = clientService.getAllClients(); Collection<ClientDetailsEntity> clients = clientService.getAllClients();
clients.forEach(client -> client.setClientSecret(null));
model.addAttribute(JsonEntityView.ENTITY, clients); model.addAttribute(JsonEntityView.ENTITY, clients);
if (AuthenticationUtilities.isAdmin(auth)) { if (AuthenticationUtilities.isAdmin(auth)) {

9
openid-connect-server/src/main/java/org/mitre/openid/connect/web/DynamicClientRegistrationEndpoint.java
View File

@ -167,6 +167,8 @@ public class DynamicClientRegistrationEndpoint {
if (newClient != null) { if (newClient != null) {
// it parsed! // it parsed!
String plaintextSecret = newClient.getClientSecret();
// //
// Now do some post-processing consistency checks on it // Now do some post-processing consistency checks on it
// //
@ -201,6 +203,7 @@ public class DynamicClientRegistrationEndpoint {
// we need to generate a secret // we need to generate a secret
newClient = clientService.generateClientSecret(newClient); newClient = clientService.generateClientSecret(newClient);
plaintextSecret = newClient.getClientSecret();
} }
// set some defaults for token timeouts // set some defaults for token timeouts
@ -242,6 +245,9 @@ public class DynamicClientRegistrationEndpoint {
// send it all out to the view // send it all out to the view
RegisteredClient registered = new RegisteredClient(savedClient, token.getValue(), config.getIssuer() + "register/" + UriUtils.encodePathSegment(savedClient.getClientId(), "UTF-8")); RegisteredClient registered = new RegisteredClient(savedClient, token.getValue(), config.getIssuer() + "register/" + UriUtils.encodePathSegment(savedClient.getClientId(), "UTF-8"));
registered.setClientSecret(plaintextSecret);
m.addAttribute("client", registered); m.addAttribute("client", registered);
m.addAttribute(HttpCodeView.CODE, HttpStatus.CREATED); // http 201 m.addAttribute(HttpCodeView.CODE, HttpStatus.CREATED); // http 201
@ -377,6 +383,9 @@ public class DynamicClientRegistrationEndpoint {
RegisteredClient registered = new RegisteredClient(savedClient, token.getValue(), config.getIssuer() + "register/" + UriUtils.encodePathSegment(savedClient.getClientId(), "UTF-8")); RegisteredClient registered = new RegisteredClient(savedClient, token.getValue(), config.getIssuer() + "register/" + UriUtils.encodePathSegment(savedClient.getClientId(), "UTF-8"));
// We don't want the UI to receive the client secret
registered.setClientSecret(null);
// send it all out to the view // send it all out to the view
m.addAttribute("client", registered); m.addAttribute("client", registered);
m.addAttribute(HttpCodeView.CODE, HttpStatus.OK); // http 200 m.addAttribute(HttpCodeView.CODE, HttpStatus.OK); // http 200