From b65fc88809bfb2b3c43012b7f67633d4638e8614 Mon Sep 17 00:00:00 2001
From: Justin Richer <jricher@mit.edu>
Date: Sat, 24 Jan 2015 07:47:50 -0500
Subject: [PATCH] fixed comparison of client IDs in refresh token, closes #752

Also addresses #735 (again)
---
 .../impl/DefaultOAuth2ProviderTokenService.java    |  2 +-
 .../TestDefaultOAuth2ProviderTokenService.java     | 14 ++++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java
index 6f8f11362..6d0606866 100644
--- a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java
@@ -238,7 +238,7 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
 		
 		// make sure that the client requesting the token is the one who owns the refresh token
 		ClientDetailsEntity requestingClient = clientDetailsService.loadClientByClientId(authRequest.getClientId());
-		if (requestingClient.getClientId() != client.getClientId()) {
+		if (!client.getClientId().equals(requestingClient.getClientId())) {
 			tokenRepository.removeRefreshToken(refreshToken);
 			throw new InvalidClientException("Client does not own the presented refresh token");
 		}
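Review bot: The new comparison on the added line dereferences requestingClient, which loadClientByClientId returned on the line just above; if that lookup can return null for an unknown client_id rather than throwing, the `.equals` call fails with a NullPointerException instead of the intended InvalidClientException. A guard keeps the rejection path explicit: `if (requestingClient == null || !client.getClientId().equals(requestingClient.getClientId())) {`. Calling equals on the stored client's id rather than the requester's is the right direction, since a null requester id then lands in the mismatch branch, but if `client.getClientId()` can itself be null the same guard is needed on that side. Since this branch is where a refresh token presented by the wrong client gets revoked, a log line naming both client ids before the throw would make such attempts visible to operators. The enclosing method starts and ends outside the hunk.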
diff --git a/openid-connect-server/src/test/java/org/mitre/oauth2/service/impl/TestDefaultOAuth2ProviderTokenService.java b/openid-connect-server/src/test/java/org/mitre/oauth2/service/impl/TestDefaultOAuth2ProviderTokenService.java
index a0e67a625..20da2ffa4 100644
--- a/openid-connect-server/src/test/java/org/mitre/oauth2/service/impl/TestDefaultOAuth2ProviderTokenService.java
+++ b/openid-connect-server/src/test/java/org/mitre/oauth2/service/impl/TestDefaultOAuth2ProviderTokenService.java
@@ -70,7 +70,9 @@ public class TestDefaultOAuth2ProviderTokenService {
 	// Test Fixture:
 	private OAuth2Authentication authentication;
 	private ClientDetailsEntity client;
+	private ClientDetailsEntity badClient;
 	private String clientId = "test_client";
+	private String badClientId = "bad_client";
 	private Set<String> scope = Sets.newHashSet("openid", "profile", "email", "offline_access");
 	private OAuth2RefreshTokenEntity refreshToken;
 	private String refreshTokenValue = "refresh_token_value";
@@ -119,6 +121,10 @@ public class TestDefaultOAuth2ProviderTokenService {
 
 		// by default in tests, allow refresh tokens
 		Mockito.when(client.isAllowRefresh()).thenReturn(true);
+		
+		badClient = Mockito.mock(ClientDetailsEntity.class);
+		Mockito.when(badClient.getClientId()).thenReturn(badClientId);
+		Mockito.when(clientDetailsService.loadClientByClientId(badClientId)).thenReturn(badClient);		
 
 		refreshToken = Mockito.mock(OAuth2RefreshTokenEntity.class);
 		Mockito.when(tokenRepository.getRefreshTokenByValue(refreshTokenValue)).thenReturn(refreshToken);
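Review bot: Two of the added fixture lines carry trailing tabs, the blank line after the isAllowRefresh stub and the end of the loadClientByClientId stub for badClientId; please strip them so later diffs of this file stay clean. The mismatch test this fixture feeds, added further down in the file, only expects InvalidClientException; since the service also removes the refresh token in that branch, wrapping the call in a try/catch and adding `Mockito.verify(tokenRepository).removeRefreshToken(refreshToken);` after it would pin that revocation as well.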
@@ -313,6 +319,14 @@ public class TestDefaultOAuth2ProviderTokenService {
 		service.refreshAccessToken(refreshTokenValue, tokenRequest);
 	}
 
+	@Test(expected = InvalidClientException.class)
+	public void refreshAccessToken_clientMismatch() {
+
+		tokenRequest = new TokenRequest(null, badClientId, null, null);
+
+		service.refreshAccessToken(refreshTokenValue, tokenRequest);
+	}
+	
 	@Test(expected = InvalidTokenException.class)
 	public void refreshAccessToken_expired() {