From a80953a2d4b0037729061f8ad787fce31f366636 Mon Sep 17 00:00:00 2001 From: Cosmin Cojocar Date: Tue, 29 Sep 2015 15:19:02 +0200 Subject: [PATCH] Allow both flows authorization code and client credentials. This scenario might be found when the same client supports user authentication as well as service to service authentication. Such a client is trusted (whitelisted). --- .../DynamicClientRegistrationEndpoint.java | 23 ++++++------------- 1 file changed, 7 insertions(+), 16 deletions(-) diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/DynamicClientRegistrationEndpoint.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/DynamicClientRegistrationEndpoint.java index b542d30d8..814db571a 100644 --- a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/DynamicClientRegistrationEndpoint.java +++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/DynamicClientRegistrationEndpoint.java @@ -394,9 +394,11 @@ public class DynamicClientRegistrationEndpoint { // set default grant types if needed if (newClient.getGrantTypes() == null || newClient.getGrantTypes().isEmpty()) { if (newClient.getScope().contains("offline_access")) { // client asked for offline access - newClient.setGrantTypes(Sets.newHashSet("authorization_code", "refresh_token")); // allow authorization code and refresh token grant types by default + // allow authorization code, client credentials and refresh token grant types by default + newClient.setGrantTypes(Sets.newHashSet("authorization_code", "client_credentials", "refresh_token")); } else { - newClient.setGrantTypes(Sets.newHashSet("authorization_code")); // allow authorization code grant type by default + // allow authorization code grant type by default + newClient.setGrantTypes(Sets.newHashSet("authorization_code", "client_credentials")); } } 
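Review bot: The comment on the second added line, `// allow authorization code grant type by default`, no longer matches the statement under it, which now also grants `client_credentials`; it should read `// allow authorization code and client credentials grant types by default`. Beyond the comment, both added defaults hand `client_credentials` to every registrant that omits grant_types, while the commit message limits this scenario to trusted (whitelisted) clients and nothing in the hunk checks that, so a least-privilege default would keep `authorization_code` (plus `refresh_token` for offline_access) and require `client_credentials` to be requested explicitly. Whether the surrounding code later verifies that such a client is confidential (holds a secret and uses a token endpoint auth method other than none) is not visible here. The enclosing method continues outside the hunk.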
@@ -418,8 +420,7 @@ public class DynamicClientRegistrationEndpoint { if (newClient.getGrantTypes().contains("authorization_code")) { // check for incompatible grants - if (newClient.getGrantTypes().contains("implicit") || - newClient.getGrantTypes().contains("client_credentials")) { + if (newClient.getGrantTypes().contains("implicit")) { // return an error, you can't have these grant types together throw new ValidationException("invalid_client_metadata", "Incompatible grant types requested: " + newClient.getGrantTypes(), HttpStatus.BAD_REQUEST); } @@ -430,15 +431,12 @@ public class DynamicClientRegistrationEndpoint { } newClient.getResponseTypes().add("code"); - - } if (newClient.getGrantTypes().contains("implicit")) { // check for incompatible grants - if (newClient.getGrantTypes().contains("authorization_code") || - newClient.getGrantTypes().contains("client_credentials")) { + if (newClient.getGrantTypes().contains("authorization_code")) { // return an error, you can't have these grant types together throw new ValidationException("invalid_client_metadata", "Incompatible grant types requested: " + newClient.getGrantTypes(), HttpStatus.BAD_REQUEST); } 
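Review bot: In the `implicit` branch of the second hunk on this line the incompatibility check now rejects only `authorization_code`, so a client may register `implicit` together with `client_credentials`; the commit message describes combining authorization code with client credentials only, and implicit clients are normally public clients without a secret, which `client_credentials` requires. Unless that pairing is intended, keep the original condition there: `if (newClient.getGrantTypes().contains("authorization_code") || newClient.getGrantTypes().contains("client_credentials")) {`. The first hunk on this line makes the corresponding relaxation in the `authorization_code` branch, which is the one the commit is about. Both `if` blocks continue outside their hunks.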
@@ -456,14 +454,7 @@ public class DynamicClientRegistrationEndpoint { } if (newClient.getGrantTypes().contains("client_credentials")) { - - // check for incompatible grants - if (newClient.getGrantTypes().contains("authorization_code") || - newClient.getGrantTypes().contains("implicit")) { - // return an error, you can't have these grant types together - throw new ValidationException("invalid_client_metadata", "Incompatible grant types requested: " + newClient.getGrantTypes(), HttpStatus.BAD_REQUEST); - } - + if (!newClient.getResponseTypes().isEmpty()) { // return an error, you can't have this grant type and response type together throw new ValidationException("invalid_client_metadata", "Incompatible response types requested: " + newClient.getGrantTypes() + " / " + newClient.getResponseTypes(), HttpStatus.BAD_REQUEST);
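Review bot: The retained check `if (!newClient.getResponseTypes().isEmpty())` still rejects any registration whose grant types hold `client_credentials` together with `authorization_code`, because the `authorization_code` block earlier in this method (visible in the previous hunks) unconditionally does `newClient.getResponseTypes().add("code")`, and with this commit that combination is also the default for registrations that omit grant_types, so they will fail with "Incompatible response types requested". If the combination is intended, the condition has to tolerate the response type implied by the other granted flow, for example `if (!newClient.getGrantTypes().contains("authorization_code") && !newClient.getResponseTypes().isEmpty()) {`. With the removed grant-type check gone, this condition is the only consistency check left in the `client_credentials` block, so it deserves a test covering the mixed case. The `client_credentials` block continues outside the hunk.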