From cac645484f312db7c87aca69d606766b309dc52c Mon Sep 17 00:00:00 2001
From: Justin Richer
Date: Mon, 9 Jun 2014 16:00:55 -0400
Subject: [PATCH] client API now generates client secret only for clients that require a client secret
---
 .../mitre/openid/connect/web/ClientAPI.java | 45 ++++++++++++++-----
 1 file changed, 35 insertions(+), 10 deletions(-)
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ClientAPI.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ClientAPI.java
index d3620120f..01be5712f 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ClientAPI.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ClientAPI.java
@@ -23,6 +23,7 @@ import org.mitre.jose.JWEAlgorithmEmbed;
 import org.mitre.jose.JWEEncryptionMethodEmbed;
 import org.mitre.jose.JWSAlgorithmEmbed;
 import org.mitre.oauth2.model.ClientDetailsEntity;
+import org.mitre.oauth2.model.ClientDetailsEntity.AuthMethod;
 import org.mitre.oauth2.service.ClientDetailsEntityService;
 import org.mitre.openid.connect.model.UserInfo;
 import org.mitre.openid.connect.service.UserInfoService;
@@ -158,14 +159,26 @@ public class ClientAPI {
 // if they leave the client identifier empty, force it to be generated
 if (Strings.isNullOrEmpty(client.getClientId())) {
 client = clientService.generateClientId(client);
+ }
+
+ if (client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_BASIC)
+ || client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_POST)
+ || client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_JWT)) {
+
+ // if they've asked for us to generate a client secret (or they left it blank but require one), do so here
+ if (json.has("generateClientSecret") && json.get("generateClientSecret").getAsBoolean()
+ || Strings.isNullOrEmpty(client.getClientSecret())) {
+ client = clientService.generateClientSecret(client);
+ }
+
+ } else {
+ // otherwise (PRIVATE_KEY or NONE), we shouldn't have a secret for this client
+
+ client.setClientSecret(null);
+ }
- // if they've asked for us to generate a client secret, do so here
- if (json.has("generateClientSecret") && json.get("generateClientSecret").getAsBoolean()) {
- client = clientService.generateClientSecret(client);
- }
-
- // set owners as current logged in user
+ // set owners as current logged in user if owners aren't set otherwise
 // try to look up a user based on the principal's name
 if (client.getContacts() == null || client.getContacts().isEmpty()) {
 UserInfo user = userInfoService.getByUsername(auth.getName());
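Review bot: `client.getTokenEndpointAuthMethod().equals(...)` in the new condition dereferences the auth method without a null check, so a request whose entity comes back with no `tokenEndpointAuthMethod` set would now fail with a NullPointerException where the old code simply skipped secret generation; the same condition is repeated in the second hunk. Comparing the enum with `==` is null-safe and shorter: `AuthMethod method = client.getTokenEndpointAuthMethod();` followed by `if (method == AuthMethod.SECRET_BASIC || method == AuthMethod.SECRET_POST || method == AuthMethod.SECRET_JWT) {`. The inner test mixes `&&` and `||` and relies on precedence, so wrapping `(json.has("generateClientSecret") && json.get("generateClientSecret").getAsBoolean())` in parentheses would make the intended "explicitly requested, or blank but required" reading obvious. Since the same fifteen lines appear in both hunks, a private helper such as `ensureClientSecret(client, json)` would keep the create and update paths from drifting apart. The enclosing method starts and ends outside the hunk.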
@@ -232,12 +245,24 @@ public class ClientAPI {
 client = clientService.generateClientId(client);
 }
- // if they've asked for us to generate a client secret, do so here
- if (json.has("generateClientSecret") && json.get("generateClientSecret").getAsBoolean()) {
- client = clientService.generateClientSecret(client);
+ if (client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_BASIC)
+ || client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_POST)
+ || client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_JWT)) {
+
+ // if they've asked for us to generate a client secret (or they left it blank but require one), do so here
+ if (json.has("generateClientSecret") && json.get("generateClientSecret").getAsBoolean()
+ || Strings.isNullOrEmpty(client.getClientSecret())) {
+ client = clientService.generateClientSecret(client);
+ }
+
+ } else {
+ // otherwise (PRIVATE_KEY or NONE), we shouldn't have a secret for this client
+
+ client.setClientSecret(null);
+ }
- // set owners as current logged in user
+ // set owners as current logged in user if owners aren't set otherwise
 // try to look up a user based on the principal's name
 if (client.getContacts() == null || client.getContacts().isEmpty()) {
 UserInfo user = userInfoService.getByUsername(auth.getName());
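Review bot: In this update path the new fallback `|| Strings.isNullOrEmpty(client.getClientSecret())` generates a fresh secret whenever the incoming representation carries none, which, if `client` here is deserialised from the request body rather than merged with the stored entity, silently rotates an existing client's credential on any update that leaves the field out. A comment above the condition stating that an update must resend the current secret to keep it, or a check that falls back to the stored secret before calling `generateClientSecret`, would make that behaviour explicit to API callers and reviewers. The null-safety concern with `getTokenEndpointAuthMethod().equals(...)` raised on the first hunk applies to this copy of the condition as well. The enclosing method starts and ends outside the hunk.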