From dcf36234c4caa22143203c8e3e134c9d156ee350 Mon Sep 17 00:00:00 2001
From: Justin Richer
Date: Tue, 13 May 2014 09:48:34 -0400
Subject: [PATCH] moved CSRF generator to request parser instead of confirmation controller

---
 .../org/mitre/oauth2/web/OAuthConfirmationController.java | 5 +----
 .../mitre/openid/connect/ConnectOAuth2RequestFactory.java | 8 ++++++++
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/openid-connect-server/src/main/java/org/mitre/oauth2/web/OAuthConfirmationController.java b/openid-connect-server/src/main/java/org/mitre/oauth2/web/OAuthConfirmationController.java
index 5f75648da..af5e69673 100644
--- a/openid-connect-server/src/main/java/org/mitre/oauth2/web/OAuthConfirmationController.java
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/web/OAuthConfirmationController.java
@@ -26,7 +26,6 @@ import java.util.LinkedHashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
-import java.util.UUID;
 
 import org.mitre.oauth2.model.ClientDetailsEntity;
 import org.mitre.oauth2.model.SystemScope;
@@ -194,9 +193,7 @@ public class OAuthConfirmationController {
 		}
 
 		// inject a random value for CSRF purposes
-		String csrf = UUID.randomUUID().toString();
-		model.put("csrf", csrf);
-		authRequest.getExtensions().put("csrf", csrf);
+		model.put("csrf", authRequest.getExtensions().get("csrf"));
 
 		return "approve";
 	}
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/ConnectOAuth2RequestFactory.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/ConnectOAuth2RequestFactory.java
index 74ea5fcda..dd023e814 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/ConnectOAuth2RequestFactory.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/ConnectOAuth2RequestFactory.java
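Review bot: The comment `// inject a random value for CSRF purposes` kept above the new `model.put` line is now stale, because that line no longer injects anything; it reads the value ConnectOAuth2RequestFactory stores under the "csrf" extension. If an `authRequest` ever reaches this point without having gone through that factory, `get("csrf")` yields null and the approval page is rendered without a token, which silently defers the failure to the later POST, if that POST checks the token at all. I would change the two lines to `// expose the CSRF token minted by ConnectOAuth2RequestFactory; a missing token means the request bypassed that factory` and `model.put("csrf", Objects.requireNonNull(authRequest.getExtensions().get("csrf"), "csrf"));`, adding `import java.util.Objects;` where the UUID import was removed. The enclosing method starts above this hunk, so I cannot see how `authRequest` is obtained.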
@@ -22,6 +22,7 @@ import java.text.ParseException;
 import java.util.Collections;
 import java.util.Map;
 import java.util.Set;
+import java.util.UUID;
 
 import org.mitre.jwt.encryption.service.JwtEncryptionAndDecryptionService;
 import org.mitre.jwt.signer.service.JwtSigningAndValidationService;
@@ -137,6 +138,13 @@ public class ConnectOAuth2RequestFactory extends DefaultOAuth2RequestFactory {
 			}
 		}
+
+		// add CSRF protection to the request on first parse
+		String csrf = UUID.randomUUID().toString();
+		request.getExtensions().put("csrf", csrf);
+
+
+
 		return request;
 	}
 
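Review bot: The comment `// add CSRF protection to the request on first parse` promises a first-parse-only behaviour that the code does not enforce: the `put("csrf", ...)` call runs unconditionally, so each call of this method mints a fresh token, and whether the method runs once per authorization request is not visible here. Since the other hunk in this commit only reads the token, a comment that states the actual contract would be `// mint the CSRF token for the consent form here so OAuthConfirmationController only has to read it`. The three blank lines added before `return request;` look like stray whitespace. The enclosing method begins above the hunk, and the endpoint that verifies the posted token is not part of this commit, so I could not confirm that it compares against this extension value.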