From ada54c297d3e7ff49f576227749a671b2a0a36c8 Mon Sep 17 00:00:00 2001
From: William Kim
Date: Fri, 12 Jul 2013 10:49:38 -0400
Subject: [PATCH] addresses issue #382. Throw an exception when client tries to upscope.
---
 .../service/impl/DefaultOAuth2ProviderTokenService.java | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java
index f769adced..0207fb560 100644
--- a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java
@@ -40,6 +40,7 @@ import org.springframework.scheduling.annotation.Scheduled;
 import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.oauth2.common.exceptions.InvalidClientException;
+import org.springframework.security.oauth2.common.exceptions.InvalidScopeException;
 import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
 import org.springframework.security.oauth2.provider.AuthorizationRequest;
 import org.springframework.security.oauth2.provider.OAuth2Authentication;
@@ -198,9 +199,9 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
 // set the scope of the new access token if requested
 token.setScope(scope);
 } else {
- // up-scoping is not allowed
- // (TODO: should this throw InvalidScopeException? For now just pass through)
- token.setScope(refreshScopes);
+ String errorMsg = "Up-scoping is not allowed.";
+ logger.error(errorMsg);
+ throw new InvalidScopeException(errorMsg);
 }
 } else {
 // otherwise inherit the scope of the refresh token (if it's there -- this can return a null scope set)
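Review bot: The `logger.error(errorMsg)` line records a fixed string with no context, so an operator reading the log cannot tell which client attempted to widen its grant or which scopes were requested beyond what the refresh token carries, which is exactly the information needed to spot a misbehaving or compromised client. A rejected client request is also normally a WARN rather than an ERROR, since nothing in the server has failed. Both `scope` and `refreshScopes` are in scope here, so the log line can carry them (and the client identifier as well, if it is reachable at this point in the method); assuming the logger is SLF4J, something like `logger.warn("Up-scoping is not allowed: requested {} but refresh token grants {}", scope, refreshScopes);` would do, while the exception message returned to the client can stay as it is. The subset check that selects this `else` branch, and the enclosing method, begin and end outside the hunk.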