added null check and permissions check to ID token generation, closes #602

pull/604/head
Justin Richer 11 years ago
parent fa418402de
commit a225b00920

@ -31,6 +31,7 @@ import org.mitre.openid.connect.service.UserInfoService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;
@ -104,17 +105,24 @@ public class ConnectTokenEnhancer implements TokenEnhancer {
* has the proper scope, we can consider this a valid OpenID Connect request. Otherwise,
* we consider it to be a vanilla OAuth2 request.
*/
if (originalAuthRequest.getScope().contains("openid")) {
if (originalAuthRequest.getScope().contains("openid")
&& originalAuthRequest.getAuthorities().contains(new SimpleGrantedAuthority("ROLE_USER"))) {
String username = authentication.getName();
UserInfo userInfo = userInfoService.getByUsernameAndClientId(username, clientId);
OAuth2AccessTokenEntity idTokenEntity = connectTokenService.createIdToken(client,
originalAuthRequest, claims.getIssueTime(),
userInfo.getSub(), signingAlg, token);
if (userInfo != null) {
// attach the id token to the parent access token
token.setIdToken(idTokenEntity);
OAuth2AccessTokenEntity idTokenEntity = connectTokenService.createIdToken(client,
originalAuthRequest, claims.getIssueTime(),
userInfo.getSub(), signingAlg, token);
// attach the id token to the parent access token
token.setIdToken(idTokenEntity);
} else {
// can't create an id token if we can't find the user
logger.warn("Request for ID token when no user is present.");
}
}
return token;

Loading…
Cancel
Save