redirect error on prompt=none, addresses #667

2015-03-12 09:26:38 -04:00 · 2015-03-12 09:26:38 -04:00 · e1fb8272cc
parent 54bec32b7e
commit e1fb8272cc
2 changed files with 38 additions and 4 deletions
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/filter/AuthorizationRequestFilter.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/filter/AuthorizationRequestFilter.java
@ -20,6 +20,7 @@
 package org.mitre.openid.connect.filter;

 import java.io.IOException;
+import java.net.URISyntaxException;
 import java.util.Date;
 import java.util.HashMap;
 import java.util.List;
@ -33,6 +34,7 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;

+import org.apache.http.client.utils.URIBuilder;
 import org.mitre.oauth2.model.ClientDetailsEntity;
 import org.mitre.oauth2.service.ClientDetailsEntityService;
 import org.mitre.openid.connect.web.AuthenticationTimeStamper;
@ -44,15 +46,17 @@ import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.oauth2.common.exceptions.InvalidClientException;
 import org.springframework.security.oauth2.provider.AuthorizationRequest;
 import org.springframework.security.oauth2.provider.OAuth2RequestFactory;
+import org.springframework.security.oauth2.provider.endpoint.RedirectResolver;
 import org.springframework.stereotype.Component;
 import org.springframework.web.filter.GenericFilterBean;

 import com.google.common.base.Splitter;
 import com.google.common.base.Strings;

-import static org.mitre.openid.connect.request.ConnectRequestParameters.LOGIN_HINT;
+import static org.mitre.openid.connect.request.ConnectRequestParameters.*;
 import static org.mitre.openid.connect.request.ConnectRequestParameters.MAX_AGE;
 import static org.mitre.openid.connect.request.ConnectRequestParameters.PROMPT;
+import static org.mitre.openid.connect.request.ConnectRequestParameters.PROMPT_SEPARATOR;
 import static org.mitre.openid.connect.request.ConnectRequestParameters.PROMPT_LOGIN;
 import static org.mitre.openid.connect.request.ConnectRequestParameters.PROMPT_NONE;

@ -76,6 +80,9 @@ public class AuthorizationRequestFilter extends GenericFilterBean {

 	@Autowired
 	private ClientDetailsEntityService clientService;
+	
+	@Autowired
+	private RedirectResolver redirectResolver;

 	/**
 	 * 
@ -118,7 +125,7 @@ public class AuthorizationRequestFilter extends GenericFilterBean {
 		if (authRequest.getExtensions().get(PROMPT) != null) {
 			// we have a "prompt" parameter
 			String prompt = (String)authRequest.getExtensions().get(PROMPT);
-			List<String> prompts = Splitter.on(" ").splitToList(Strings.nullToEmpty(prompt));
+			List<String> prompts = Splitter.on(PROMPT_SEPARATOR).splitToList(Strings.nullToEmpty(prompt));

 			if (prompts.contains(PROMPT_NONE)) {
 				logger.info("Client requested no prompt");
@ -131,7 +138,32 @@ public class AuthorizationRequestFilter extends GenericFilterBean {
 					chain.doFilter(req, res);
 				} else {
 					// user hasn't been logged in, we need to "return an error"
-					logger.info("User not logged in, no prompt requested, returning 403 from filter");
+					logger.info("User not logged in, no prompt requested, returning error from filter");
+					
+					if (client != null && authRequest.getRedirectUri() != null) {
+						
+						// if we've got a redirect URI then we'll send it 
+						
+						String url = redirectResolver.resolveRedirect(authRequest.getRedirectUri(), client);
+						
+						try {
+							URIBuilder uriBuilder = new URIBuilder(url);
+						
+							uriBuilder.addParameter(ERROR, LOGIN_REQUIRED);
+							if (!Strings.isNullOrEmpty(authRequest.getState())) {
+								uriBuilder.addParameter(STATE, authRequest.getState()); // copy the state parameter if one was given
+							}
+							
+							response.sendRedirect(uriBuilder.toString());
+							return;
+							
+						} catch (URISyntaxException e) {
+							logger.error("Can't build redirect URI for prompt=none, sending error instead", e);
+							response.sendError(HttpServletResponse.SC_FORBIDDEN, "Access Denied");
+							return;
+						}
+					}
+					
 					response.sendError(HttpServletResponse.SC_FORBIDDEN, "Access Denied");
 					return;
 				}
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/request/ConnectRequestParameters.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/request/ConnectRequestParameters.java
@ -24,6 +24,8 @@ public interface ConnectRequestParameters {
 	public String CSRF = "csrf";
 	public String APPROVED_SITE = "approved_site";

-
+	// responses
+	public String ERROR = "error";
+	public String LOGIN_REQUIRED = "login_required";

 }