diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/filter/AuthorizationRequestFilter.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/filter/AuthorizationRequestFilter.java index 23e8a2367..8a7dc32aa 100644 --- a/openid-connect-server/src/main/java/org/mitre/openid/connect/filter/AuthorizationRequestFilter.java +++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/filter/AuthorizationRequestFilter.java @@ -20,6 +20,7 @@ package org.mitre.openid.connect.filter; import java.io.IOException; +import java.net.URISyntaxException; import java.util.Date; import java.util.HashMap; import java.util.List; @@ -33,6 +34,7 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; +import org.apache.http.client.utils.URIBuilder; import org.mitre.oauth2.model.ClientDetailsEntity; import org.mitre.oauth2.service.ClientDetailsEntityService; import org.mitre.openid.connect.web.AuthenticationTimeStamper; @@ -44,15 +46,17 @@ import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.oauth2.common.exceptions.InvalidClientException; import org.springframework.security.oauth2.provider.AuthorizationRequest; import org.springframework.security.oauth2.provider.OAuth2RequestFactory; +import org.springframework.security.oauth2.provider.endpoint.RedirectResolver; import org.springframework.stereotype.Component; import org.springframework.web.filter.GenericFilterBean; import com.google.common.base.Splitter; import com.google.common.base.Strings; -import static org.mitre.openid.connect.request.ConnectRequestParameters.LOGIN_HINT; +import static org.mitre.openid.connect.request.ConnectRequestParameters.*; import static org.mitre.openid.connect.request.ConnectRequestParameters.MAX_AGE; import static org.mitre.openid.connect.request.ConnectRequestParameters.PROMPT; +import static org.mitre.openid.connect.request.ConnectRequestParameters.PROMPT_SEPARATOR; import static org.mitre.openid.connect.request.ConnectRequestParameters.PROMPT_LOGIN; import static org.mitre.openid.connect.request.ConnectRequestParameters.PROMPT_NONE; @@ -76,6 +80,9 @@ public class AuthorizationRequestFilter extends GenericFilterBean { @Autowired private ClientDetailsEntityService clientService; + + @Autowired + private RedirectResolver redirectResolver; /** * @@ -118,7 +125,7 @@ public class AuthorizationRequestFilter extends GenericFilterBean { if (authRequest.getExtensions().get(PROMPT) != null) { // we have a "prompt" parameter String prompt = (String)authRequest.getExtensions().get(PROMPT); - List prompts = Splitter.on(" ").splitToList(Strings.nullToEmpty(prompt)); + List prompts = Splitter.on(PROMPT_SEPARATOR).splitToList(Strings.nullToEmpty(prompt)); if (prompts.contains(PROMPT_NONE)) { logger.info("Client requested no prompt"); @@ -131,7 +138,32 @@ public class AuthorizationRequestFilter extends GenericFilterBean { chain.doFilter(req, res); } else { // user hasn't been logged in, we need to "return an error" - logger.info("User not logged in, no prompt requested, returning 403 from filter"); + logger.info("User not logged in, no prompt requested, returning error from filter"); + + if (client != null && authRequest.getRedirectUri() != null) { + + // if we've got a redirect URI then we'll send it + + String url = redirectResolver.resolveRedirect(authRequest.getRedirectUri(), client); + + try { + URIBuilder uriBuilder = new URIBuilder(url); + + uriBuilder.addParameter(ERROR, LOGIN_REQUIRED); + if (!Strings.isNullOrEmpty(authRequest.getState())) { + uriBuilder.addParameter(STATE, authRequest.getState()); // copy the state parameter if one was given + } + + response.sendRedirect(uriBuilder.toString()); + return; + + } catch (URISyntaxException e) { + logger.error("Can't build redirect URI for prompt=none, sending error instead", e); + response.sendError(HttpServletResponse.SC_FORBIDDEN, "Access Denied"); + return; + } + } + response.sendError(HttpServletResponse.SC_FORBIDDEN, "Access Denied"); return; } diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/request/ConnectRequestParameters.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/request/ConnectRequestParameters.java index b82cf20fc..ab070dae7 100644 --- a/openid-connect-server/src/main/java/org/mitre/openid/connect/request/ConnectRequestParameters.java +++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/request/ConnectRequestParameters.java @@ -24,6 +24,8 @@ public interface ConnectRequestParameters { public String CSRF = "csrf"; public String APPROVED_SITE = "approved_site"; - + // responses + public String ERROR = "error"; + public String LOGIN_REQUIRED = "login_required"; }