From a225b00920ab87f0905789f151dcd96dfb2920df Mon Sep 17 00:00:00 2001
From: Justin Richer
Date: Wed, 21 May 2014 17:45:25 -0400
Subject: [PATCH] added null check and permissions check to ID token generation, closes #602
---
 .../connect/token/ConnectTokenEnhancer.java | 22 +++++++++++++------
 1 file changed, 15 insertions(+), 7 deletions(-)
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java
index 34d1ea87e..13d5bb894 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java
@@ -31,6 +31,7 @@ import org.mitre.openid.connect.service.UserInfoService;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.oauth2.common.OAuth2AccessToken;
 import org.springframework.security.oauth2.provider.OAuth2Authentication;
 import org.springframework.security.oauth2.provider.OAuth2Request;
@@ -104,17 +105,24 @@ public class ConnectTokenEnhancer implements TokenEnhancer {
 * has the proper scope, we can consider this a valid OpenID Connect request. Otherwise,
 * we consider it to be a vanilla OAuth2 request.
 */
- if (originalAuthRequest.getScope().contains("openid")) {
+ if (originalAuthRequest.getScope().contains("openid")
+ && originalAuthRequest.getAuthorities().contains(new SimpleGrantedAuthority("ROLE_USER"))) {
 String username = authentication.getName();
 UserInfo userInfo = userInfoService.getByUsernameAndClientId(username, clientId);
- OAuth2AccessTokenEntity idTokenEntity = connectTokenService.createIdToken(client,
- originalAuthRequest, claims.getIssueTime(),
- userInfo.getSub(), signingAlg, token);
-
- // attach the id token to the parent access token
- token.setIdToken(idTokenEntity);
+ if (userInfo != null) {
+
+ OAuth2AccessTokenEntity idTokenEntity = connectTokenService.createIdToken(client,
+ originalAuthRequest, claims.getIssueTime(),
+ userInfo.getSub(), signingAlg, token);
+
+ // attach the id token to the parent access token
+ token.setIdToken(idTokenEntity);
+ } else {
+ // can't create an id token if we can't find the user
+ logger.warn("Request for ID token when no user is present.");
+ }
 }
 return token;
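Review bot: The new guard looks for `ROLE_USER` in `originalAuthRequest.getAuthorities()`, so it only distinguishes user-backed grants from client-only ones if the request factory copies the resource owner's authorities into the `OAuth2Request`; if those are instead the client's authorities, the condition can fail for every request and no ID token is issued at all. If `authentication` is the `OAuth2Authentication` imported above, the intent — "is there an end user behind this token" — is stated directly and without a hard-coded role string as `&& !authentication.isClientOnly()`. In the new `else` branch the warning would be easier to act on with the client identified, `logger.warn("Request for ID token when no user is present (client {}).", clientId);`, which adds no sensitive data. The enclosing method starts and ends outside the hunk.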