disallow client secret authentication in HEART mode

9 years ago · 84ff2f5fb9
2 changed files with 16 additions and 6 deletions
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/service/impl/DefaultClientUserDetailsService.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/service/impl/DefaultClientUserDetailsService.java
@ -24,6 +24,7 @@ import java.util.HashSet;
 import org.mitre.oauth2.model.ClientDetailsEntity;
 import org.mitre.oauth2.model.ClientDetailsEntity.AuthMethod;
 import org.mitre.oauth2.service.ClientDetailsEntityService;
+import org.mitre.openid.connect.config.ConfigurationPropertiesBean;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
@ -50,6 +51,9 @@ public class DefaultClientUserDetailsService implements UserDetailsService {
 	@Autowired
 	private ClientDetailsEntityService clientDetailsService;

+	@Autowired
+	private ConfigurationPropertiesBean config;
+	
 	@Override
 	public UserDetails loadUserByUsername(String clientId) throws  UsernameNotFoundException {

@ -60,9 +64,10 @@ public class DefaultClientUserDetailsService implements UserDetailsService {

 				String password = Strings.nullToEmpty(client.getClientSecret());

-				if (client.getTokenEndpointAuthMethod() != null &&
-						(client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY) ||
-								client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_JWT))) {
+				if (config.isHeartMode() || // if we're running HEART mode turn off all client secrets
+						(client.getTokenEndpointAuthMethod() != null &&
+							(client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY) ||
+								client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_JWT)))) {

 					// Issue a random password each time to prevent password auth from being used (or skipped)
 					// for private key or shared key clients, see #715
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/service/impl/UriEncodedClientUserDetailsService.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/service/impl/UriEncodedClientUserDetailsService.java
@ -25,6 +25,7 @@ import java.util.HashSet;
 import org.mitre.oauth2.model.ClientDetailsEntity;
 import org.mitre.oauth2.model.ClientDetailsEntity.AuthMethod;
 import org.mitre.oauth2.service.ClientDetailsEntityService;
+import org.mitre.openid.connect.config.ConfigurationPropertiesBean;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
@ -54,6 +55,9 @@ public class UriEncodedClientUserDetailsService implements UserDetailsService {
 	@Autowired
 	private ClientDetailsEntityService clientDetailsService;

+	@Autowired
+	private ConfigurationPropertiesBean config;
+	
 	@Override
 	public UserDetails loadUserByUsername(String clientId) throws  UsernameNotFoundException {

@ -66,9 +70,10 @@ public class UriEncodedClientUserDetailsService implements UserDetailsService {

 				String encodedPassword = UriUtils.encodeQueryParam(Strings.nullToEmpty(client.getClientSecret()), "UTF-8");

-				if (client.getTokenEndpointAuthMethod() != null &&
-						(client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY) ||
-								client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_JWT))) {
+				if (config.isHeartMode() || // if we're running HEART mode turn off all client secrets
+						(client.getTokenEndpointAuthMethod() != null &&
+							(client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY) ||
+								client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_JWT)))) {

 					// Issue a random password each time to prevent password auth from being used (or skipped)
 					// for private key or shared key clients, see #715