moved CSRF generator to request parser instead of confirmation controller

11 years ago · dcf36234c4
parent a253ebc908
commit dcf36234c4
2 changed files with 9 additions and 4 deletions
--- a/openid-connect-server/src/main/java/org/mitre/oauth2/web/OAuthConfirmationController.java
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/web/OAuthConfirmationController.java
@ -26,7 +26,6 @@ import java.util.LinkedHashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
-import java.util.UUID;

 import org.mitre.oauth2.model.ClientDetailsEntity;
 import org.mitre.oauth2.model.SystemScope;
@ -194,9 +193,7 @@ public class OAuthConfirmationController {
 		}
 		
 		// inject a random value for CSRF purposes
-		String csrf = UUID.randomUUID().toString();
-		model.put("csrf", csrf);
-		authRequest.getExtensions().put("csrf", csrf);		
+		model.put("csrf", authRequest.getExtensions().get("csrf"));
 		
 		return "approve";
 	}
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/ConnectOAuth2RequestFactory.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/ConnectOAuth2RequestFactory.java
@ -22,6 +22,7 @@ import java.text.ParseException;
 import java.util.Collections;
 import java.util.Map;
 import java.util.Set;
+import java.util.UUID;

 import org.mitre.jwt.encryption.service.JwtEncryptionAndDecryptionService;
 import org.mitre.jwt.signer.service.JwtSigningAndValidationService;
@ -137,6 +138,13 @@ public class ConnectOAuth2RequestFactory extends DefaultOAuth2RequestFactory {
 			}
 		}

+		
+		// add CSRF protection to the request on first parse
+		String csrf = UUID.randomUUID().toString();
+		request.getExtensions().put("csrf", csrf);		
+
+		
+
 		return request;
 	}