added CSRF protection to approval page

2014-05-13 09:27:02 -04:00 · 2014-05-13 09:27:02 -04:00 · a253ebc908
parent fcfbf1080f
commit a253ebc908
3 changed files with 40 additions and 24 deletions
--- a/openid-connect-server-webapp/src/main/webapp/WEB-INF/views/approve.jsp
+++ b/openid-connect-server-webapp/src/main/webapp/WEB-INF/views/approve.jsp
@ -237,6 +237,7 @@
 						</c:choose>"?
 				</h3>
 				<input id="user_oauth_approval" name="user_oauth_approval" value="true" type="hidden" /> 
+				<input name="csrf" value="${ csrf }" type="hidden" />
 				<input name="authorize" value="Authorize" type="submit"
 				onclick="$('#user_oauth_approval').attr('value',true)" class="btn btn-success btn-large" /> 
 				&nbsp; 
--- a/openid-connect-server/src/main/java/org/mitre/oauth2/web/OAuthConfirmationController.java
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/web/OAuthConfirmationController.java
@ -26,6 +26,7 @@ import java.util.LinkedHashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
+import java.util.UUID;

 import org.mitre.oauth2.model.ClientDetailsEntity;
 import org.mitre.oauth2.model.SystemScope;
@ -192,6 +193,10 @@ public class OAuthConfirmationController {
 			model.put("gras", false);
 		}
 		
+		// inject a random value for CSRF purposes
+		String csrf = UUID.randomUUID().toString();
+		model.put("csrf", csrf);
+		authRequest.getExtensions().put("csrf", csrf);		
 		
 		return "approve";
 	}
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/token/TofuUserApprovalHandler.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/token/TofuUserApprovalHandler.java
@ -96,11 +96,21 @@ public class TofuUserApprovalHandler implements UserApprovalHandler {
 			return true;
 		} else {
 			// if not, check to see if the user has approved it
+			if (Boolean.parseBoolean(authorizationRequest.getApprovalParameters().get("user_oauth_approval"))) {			// TODO: make parameter name configurable?
 				
-			// TODO: make parameter name configurable?
-			boolean approved = Boolean.parseBoolean(authorizationRequest.getApprovalParameters().get("user_oauth_approval"));
+				// check the value of the CSRF parameter
 				
-			return userAuthentication.isAuthenticated() && approved;
+				if (authorizationRequest.getExtensions().get("csrf") != null) {
+					if (authorizationRequest.getExtensions().get("csrf").equals(authorizationRequest.getApprovalParameters().get("csrf"))) {
+						
+						// make sure the user is actually authenticated
+						return userAuthentication.isAuthenticated();						
+					}
+				}
+			}
+			
+			// if the above doesn't pass, it's not yet approved
+			return false;
 		}

 	}
@ -182,9 +192,9 @@ public class TofuUserApprovalHandler implements UserApprovalHandler {
 		ClientDetails client = clientDetailsService.loadClientByClientId(clientId);

 		// This must be re-parsed here because SECOAUTH forces us to call things in a strange order
-		boolean approved = Boolean.parseBoolean(authorizationRequest.getApprovalParameters().get("user_oauth_approval"));
-
-		if (approved) {
+		if (Boolean.parseBoolean(authorizationRequest.getApprovalParameters().get("user_oauth_approval"))
+				&& authorizationRequest.getExtensions().get("csrf") != null
+				&& authorizationRequest.getExtensions().get("csrf").equals(authorizationRequest.getApprovalParameters().get("csrf"))) {

 			authorizationRequest.setApproved(true);