From bdcc6af096426dc618f2993b484a7f2c003e61d0 Mon Sep 17 00:00:00 2001
From: Justin Richer
Date: Mon, 10 Dec 2012 11:40:03 -0500
Subject: [PATCH] temporary sanity check for client ID's

---
 .../java/org/mitre/oauth2/token/ChainedTokenGranter.java | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/openid-connect-server/src/main/java/org/mitre/oauth2/token/ChainedTokenGranter.java b/openid-connect-server/src/main/java/org/mitre/oauth2/token/ChainedTokenGranter.java
index a8b3a4630..bd34fae66 100644
--- a/openid-connect-server/src/main/java/org/mitre/oauth2/token/ChainedTokenGranter.java
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/token/ChainedTokenGranter.java
@@ -12,6 +12,7 @@ import org.mitre.oauth2.service.ClientDetailsEntityService;
 import org.mitre.oauth2.service.OAuth2TokenEntityService;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.oauth2.common.OAuth2AccessToken;
+import org.springframework.security.oauth2.common.exceptions.InvalidClientException;
 import org.springframework.security.oauth2.common.exceptions.InvalidScopeException;
 import org.springframework.security.oauth2.common.util.OAuth2Utils;
 import org.springframework.security.oauth2.provider.AuthorizationRequest;
@@ -76,6 +77,12 @@ public class ChainedTokenGranter extends AbstractTokenGranter {
 requestedScopes = new HashSet();
 }
+ // Check the incoming client id against the client that was issued the original token
+ // TODO: right now, this only lets a client chain a request, not a resource server. We need
+ // a way to let one client get a token chained from another client's token, securely.
+ if (!client.getClientId().equals(authorizationRequest.getClientId())) {
+ throw new InvalidClientException("Not the right client for this token");
+ }
 // if our scopes are a valid subset of what's allowed, we can continue
 if (approvedScopes.containsAll(requestedScopes)) {