generate random fake password for private key clients and shared secret crypto clients to avoid accidentally using client secret authentication and bypassing authentication, closes #715

10 years ago · d26eb88faa
parent 73a626815b
commit d26eb88faa
1 changed files with 20 additions and 6 deletions
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/service/impl/DefaultClientUserDetailsService.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/service/impl/DefaultClientUserDetailsService.java
@ -16,9 +16,14 @@
 ******************************************************************************/
 package org.mitre.oauth2.service.impl;

+import java.math.BigInteger;
+import java.security.SecureRandom;
 import java.util.ArrayList;
 import java.util.Collection;

+import org.mitre.oauth2.model.ClientDetailsEntity;
+import org.mitre.oauth2.model.ClientDetailsEntity.AuthMethod;
+import org.mitre.oauth2.service.ClientDetailsEntityService;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
@ -26,8 +31,6 @@ import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
-import org.springframework.security.oauth2.provider.ClientDetails;
-import org.springframework.security.oauth2.provider.ClientDetailsService;
 import org.springframework.stereotype.Service;

 import com.google.common.base.Strings;
@ -42,16 +45,27 @@ import com.google.common.base.Strings;
 public class DefaultClientUserDetailsService implements UserDetailsService {

 	@Autowired
-	private ClientDetailsService clientDetailsService;
+	private ClientDetailsEntityService clientDetailsService;

 	@Override
 	public UserDetails loadUserByUsername(String clientId) throws  UsernameNotFoundException {

-		ClientDetails client = clientDetailsService.loadClientByClientId(clientId);
+		ClientDetailsEntity client = clientDetailsService.loadClientByClientId(clientId);

 		if (client != null) {

 			String password = Strings.nullToEmpty(client.getClientSecret());
+			
+			if (client.getTokenEndpointAuthMethod() != null && 
+					(client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY) ||
+							client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_JWT))) {
+				
+				// Issue a random password each time to prevent password auth from being used (or skipped) 
+				// for private key or shared key clients, see #715
+				
+				password = new BigInteger(512, new SecureRandom()).toString(16);
+			}
+			
 			boolean enabled = true;
 			boolean accountNonExpired = true;
 			boolean credentialsNonExpired = true;
@ -72,11 +86,11 @@ public class DefaultClientUserDetailsService implements UserDetailsService {

 	}

-	public ClientDetailsService getClientDetailsService() {
+	public ClientDetailsEntityService getClientDetailsService() {
 		return clientDetailsService;
 	}

-	public void setClientDetailsService(ClientDetailsService clientDetailsService) {
+	public void setClientDetailsService(ClientDetailsEntityService clientDetailsService) {
 		this.clientDetailsService = clientDetailsService;
 	}