github
/
OpenID-Connect-Java-Spring-Server
mirror of https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

disallow client secret authentication in HEART mode

pull/1046/head
Justin Richer 2016-02-24 13:03:02 -05:00
parent fd452bf379
commit 84ff2f5fb9
2 changed files with 16 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
openid-connect-common/src/main/java/org/mitre/oauth2/service/impl/DefaultClientUserDetailsService.java
View File

@ -24,6 +24,7 @@ import java.util.HashSet;
import org.mitre.oauth2.model.ClientDetailsEntity; import org.mitre.oauth2.model.ClientDetailsEntity;
import org.mitre.oauth2.model.ClientDetailsEntity.AuthMethod; import org.mitre.oauth2.model.ClientDetailsEntity.AuthMethod;
import org.mitre.oauth2.service.ClientDetailsEntityService; import org.mitre.oauth2.service.ClientDetailsEntityService;
import org.mitre.openid.connect.config.ConfigurationPropertiesBean;
import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.core.authority.SimpleGrantedAuthority;
@ -50,6 +51,9 @@ public class DefaultClientUserDetailsService implements UserDetailsService {
@Autowired @Autowired
private ClientDetailsEntityService clientDetailsService; private ClientDetailsEntityService clientDetailsService;
@Autowired
private ConfigurationPropertiesBean config;
@Override @Override
public UserDetails loadUserByUsername(String clientId) throws UsernameNotFoundException { public UserDetails loadUserByUsername(String clientId) throws UsernameNotFoundException {
@ -60,9 +64,10 @@ public class DefaultClientUserDetailsService implements UserDetailsService {
String password = Strings.nullToEmpty(client.getClientSecret()); String password = Strings.nullToEmpty(client.getClientSecret());
if (client.getTokenEndpointAuthMethod() != null && if (config.isHeartMode() || // if we're running HEART mode turn off all client secrets
(client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY) || (client.getTokenEndpointAuthMethod() != null &&
client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_JWT))) { (client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY) ||
client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_JWT)))) {
// Issue a random password each time to prevent password auth from being used (or skipped) // Issue a random password each time to prevent password auth from being used (or skipped)
// for private key or shared key clients, see #715 // for private key or shared key clients, see #715

11
openid-connect-common/src/main/java/org/mitre/oauth2/service/impl/UriEncodedClientUserDetailsService.java
View File

@ -25,6 +25,7 @@ import java.util.HashSet;
import org.mitre.oauth2.model.ClientDetailsEntity; import org.mitre.oauth2.model.ClientDetailsEntity;
import org.mitre.oauth2.model.ClientDetailsEntity.AuthMethod; import org.mitre.oauth2.model.ClientDetailsEntity.AuthMethod;
import org.mitre.oauth2.service.ClientDetailsEntityService; import org.mitre.oauth2.service.ClientDetailsEntityService;
import org.mitre.openid.connect.config.ConfigurationPropertiesBean;
import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.core.authority.SimpleGrantedAuthority;
@ -54,6 +55,9 @@ public class UriEncodedClientUserDetailsService implements UserDetailsService {
@Autowired @Autowired
private ClientDetailsEntityService clientDetailsService; private ClientDetailsEntityService clientDetailsService;
@Autowired
private ConfigurationPropertiesBean config;
@Override @Override
public UserDetails loadUserByUsername(String clientId) throws UsernameNotFoundException { public UserDetails loadUserByUsername(String clientId) throws UsernameNotFoundException {
@ -66,9 +70,10 @@ public class UriEncodedClientUserDetailsService implements UserDetailsService {
String encodedPassword = UriUtils.encodeQueryParam(Strings.nullToEmpty(client.getClientSecret()), "UTF-8"); String encodedPassword = UriUtils.encodeQueryParam(Strings.nullToEmpty(client.getClientSecret()), "UTF-8");
if (client.getTokenEndpointAuthMethod() != null && if (config.isHeartMode() || // if we're running HEART mode turn off all client secrets
(client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY) || (client.getTokenEndpointAuthMethod() != null &&
client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_JWT))) { (client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY) ||
client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_JWT)))) {
// Issue a random password each time to prevent password auth from being used (or skipped) // Issue a random password each time to prevent password auth from being used (or skipped)
// for private key or shared key clients, see #715 // for private key or shared key clients, see #715