github
/
OpenID-Connect-Java-Spring-Server
mirror of https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

addresses issue #382. Throw an exception when client tries to upscope.

pull/419/merge
William Kim 2013-07-12 10:49:38 -04:00
parent 0d8c2442d2
commit ada54c297d
1 changed files with 4 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java
View File

@ -40,6 +40,7 @@ import org.springframework.scheduling.annotation.Scheduled;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException; import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.core.AuthenticationException; import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.common.exceptions.InvalidClientException; import org.springframework.security.oauth2.common.exceptions.InvalidClientException;
import org.springframework.security.oauth2.common.exceptions.InvalidScopeException;
import org.springframework.security.oauth2.common.exceptions.InvalidTokenException; import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
import org.springframework.security.oauth2.provider.AuthorizationRequest; import org.springframework.security.oauth2.provider.AuthorizationRequest;
import org.springframework.security.oauth2.provider.OAuth2Authentication; import org.springframework.security.oauth2.provider.OAuth2Authentication;
@ -198,9 +199,9 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
// set the scope of the new access token if requested // set the scope of the new access token if requested
token.setScope(scope); token.setScope(scope);
} else { } else {
// up-scoping is not allowed String errorMsg = "Up-scoping is not allowed.";
// (TODO: should this throw InvalidScopeException? For now just pass through) logger.error(errorMsg);
token.setScope(refreshScopes); throw new InvalidScopeException(errorMsg);
} }
} else { } else {
// otherwise inherit the scope of the refresh token (if it's there -- this can return a null scope set) // otherwise inherit the scope of the refresh token (if it's there -- this can return a null scope set)