moved CSRF generator to request parser instead of confirmation controller

openid-connect-server/src/main/java/org/mitre/oauth2/web/OAuthConfirmationController.java

@@ -26,7 +26,6 @@ import java.util.LinkedHashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
-import java.util.UUID;
 
 import org.mitre.oauth2.model.ClientDetailsEntity;
 import org.mitre.oauth2.model.SystemScope;
@@ -194,9 +193,7 @@ public class OAuthConfirmationController {
 		}
 		
 		// inject a random value for CSRF purposes
-		String csrf = UUID.randomUUID().toString();
+		model.put("csrf", authRequest.getExtensions().get("csrf"));
-		model.put("csrf", csrf);
-		authRequest.getExtensions().put("csrf", csrf);		
 		
 		return "approve";
 	}

openid-connect-server/src/main/java/org/mitre/openid/connect/ConnectOAuth2RequestFactory.java

@@ -22,6 +22,7 @@ import java.text.ParseException;
 import java.util.Collections;
 import java.util.Map;
 import java.util.Set;
+import java.util.UUID;
 
 import org.mitre.jwt.encryption.service.JwtEncryptionAndDecryptionService;
 import org.mitre.jwt.signer.service.JwtSigningAndValidationService;
@@ -137,6 +138,13 @@ public class ConnectOAuth2RequestFactory extends DefaultOAuth2RequestFactory {
 			}
 		}
 
+		
+		// add CSRF protection to the request on first parse
+		String csrf = UUID.randomUUID().toString();
+		request.getExtensions().put("csrf", csrf);		
+
+		
+
 		return request;
 	}