github
/
OpenID-Connect-Java-Spring-Server
mirror of https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Allow both flows authorization code and client credentials. This scenario might be found when the same client supports user authentication as well as service to service authentication. Such a client is trusted (whitelisted).

pull/916/merge
Cosmin Cojocar 2015-09-29 15:19:02 +02:00 committed by Justin Richer
parent dce80d488b
commit a80953a2d4
1 changed files with 7 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
openid-connect-server/src/main/java/org/mitre/openid/connect/web/DynamicClientRegistrationEndpoint.java
View File

@ -394,9 +394,11 @@ public class DynamicClientRegistrationEndpoint {
// set default grant types if needed
if (newClient.getGrantTypes() == null || newClient.getGrantTypes().isEmpty()) {
if (newClient.getScope().contains("offline_access")) { // client asked for offline access
newClient.setGrantTypes(Sets.newHashSet("authorization_code", "refresh_token")); // allow authorization code and refresh token grant types by default
// allow authorization code, client credentials and refresh token grant types by default
newClient.setGrantTypes(Sets.newHashSet("authorization_code", "client_credentials", "refresh_token"));
} else {
newClient.setGrantTypes(Sets.newHashSet("authorization_code")); // allow authorization code grant type by default
// allow authorization code grant type by default
newClient.setGrantTypes(Sets.newHashSet("authorization_code", "client_credentials"));
}
}
@ -418,8 +420,7 @@ public class DynamicClientRegistrationEndpoint {
if (newClient.getGrantTypes().contains("authorization_code")) {
// check for incompatible grants
if (newClient.getGrantTypes().contains("implicit") ||
newClient.getGrantTypes().contains("client_credentials")) {
if (newClient.getGrantTypes().contains("implicit")) {
// return an error, you can't have these grant types together
throw new ValidationException("invalid_client_metadata", "Incompatible grant types requested: " + newClient.getGrantTypes(), HttpStatus.BAD_REQUEST);
}
@ -430,15 +431,12 @@ public class DynamicClientRegistrationEndpoint {
}
newClient.getResponseTypes().add("code");
}
if (newClient.getGrantTypes().contains("implicit")) {
// check for incompatible grants
if (newClient.getGrantTypes().contains("authorization_code") ||
newClient.getGrantTypes().contains("client_credentials")) {
if (newClient.getGrantTypes().contains("authorization_code")) {
// return an error, you can't have these grant types together
throw new ValidationException("invalid_client_metadata", "Incompatible grant types requested: " + newClient.getGrantTypes(), HttpStatus.BAD_REQUEST);
}
@ -456,14 +454,7 @@ public class DynamicClientRegistrationEndpoint {
}
if (newClient.getGrantTypes().contains("client_credentials")) {
// check for incompatible grants
if (newClient.getGrantTypes().contains("authorization_code") ||
newClient.getGrantTypes().contains("implicit")) {
// return an error, you can't have these grant types together
throw new ValidationException("invalid_client_metadata", "Incompatible grant types requested: " + newClient.getGrantTypes(), HttpStatus.BAD_REQUEST);
}
if (!newClient.getResponseTypes().isEmpty()) {
// return an error, you can't have this grant type and response type together
throw new ValidationException("invalid_client_metadata", "Incompatible response types requested: " + newClient.getGrantTypes() + " / " + newClient.getResponseTypes(), HttpStatus.BAD_REQUEST);