added CSRF protection to approval page

openid-connect-server-webapp/src/main/webapp/WEB-INF/views/approve.jsp

@@ -237,6 +237,7 @@
 						</c:choose>"?
 				</h3>
 				<input id="user_oauth_approval" name="user_oauth_approval" value="true" type="hidden" /> 
+				<input name="csrf" value="${ csrf }" type="hidden" />
 				<input name="authorize" value="Authorize" type="submit"
 				onclick="$('#user_oauth_approval').attr('value',true)" class="btn btn-success btn-large" /> 
 				&nbsp; 

openid-connect-server/src/main/java/org/mitre/oauth2/web/OAuthConfirmationController.java

@@ -26,6 +26,7 @@ import java.util.LinkedHashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
+import java.util.UUID;
 
 import org.mitre.oauth2.model.ClientDetailsEntity;
 import org.mitre.oauth2.model.SystemScope;
@@ -192,6 +193,10 @@ public class OAuthConfirmationController {
 			model.put("gras", false);
 		}
 		
+		// inject a random value for CSRF purposes
+		String csrf = UUID.randomUUID().toString();
+		model.put("csrf", csrf);
+		authRequest.getExtensions().put("csrf", csrf);		
 		
 		return "approve";
 	}

openid-connect-server/src/main/java/org/mitre/openid/connect/token/TofuUserApprovalHandler.java

@@ -96,11 +96,21 @@ public class TofuUserApprovalHandler implements UserApprovalHandler {
 			return true;
 		} else {
 			// if not, check to see if the user has approved it
+			if (Boolean.parseBoolean(authorizationRequest.getApprovalParameters().get("user_oauth_approval"))) {			// TODO: make parameter name configurable?
 				
-			// TODO: make parameter name configurable?
+				// check the value of the CSRF parameter
-			boolean approved = Boolean.parseBoolean(authorizationRequest.getApprovalParameters().get("user_oauth_approval"));
 				
-			return userAuthentication.isAuthenticated() && approved;
+				if (authorizationRequest.getExtensions().get("csrf") != null) {
+					if (authorizationRequest.getExtensions().get("csrf").equals(authorizationRequest.getApprovalParameters().get("csrf"))) {
+						
+						// make sure the user is actually authenticated
+						return userAuthentication.isAuthenticated();						
+					}
+				}
+			}
+			
+			// if the above doesn't pass, it's not yet approved
+			return false;
 		}
 
 	}
@@ -182,9 +192,9 @@ public class TofuUserApprovalHandler implements UserApprovalHandler {
 		ClientDetails client = clientDetailsService.loadClientByClientId(clientId);
 
 		// This must be re-parsed here because SECOAUTH forces us to call things in a strange order
-		boolean approved = Boolean.parseBoolean(authorizationRequest.getApprovalParameters().get("user_oauth_approval"));
+		if (Boolean.parseBoolean(authorizationRequest.getApprovalParameters().get("user_oauth_approval"))
-
+				&& authorizationRequest.getExtensions().get("csrf") != null
-		if (approved) {
+				&& authorizationRequest.getExtensions().get("csrf").equals(authorizationRequest.getApprovalParameters().get("csrf"))) {
 
 			authorizationRequest.setApproved(true);