From ec6a78c1baef51cda664e0383792146c2f2dd67a Mon Sep 17 00:00:00 2001
From: Justin Richer <jricher@mit.edu>
Date: Sun, 16 Feb 2014 01:41:08 -0500
Subject: [PATCH] made prompt pluralizable to comply with spec, closes #519

---
 .../mitre/oauth2/web/OAuthConfirmationController.java    | 5 ++++-
 .../org/mitre/openid/connect/filter/PromptFilter.java    | 9 +++++++--
 .../openid/connect/token/TofuUserApprovalHandler.java    | 5 ++++-
 3 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/openid-connect-server/src/main/java/org/mitre/oauth2/web/OAuthConfirmationController.java b/openid-connect-server/src/main/java/org/mitre/oauth2/web/OAuthConfirmationController.java
index 3750ca9de..fc8d8c9e9 100644
--- a/openid-connect-server/src/main/java/org/mitre/oauth2/web/OAuthConfirmationController.java
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/web/OAuthConfirmationController.java
@@ -45,6 +45,8 @@ import org.springframework.web.bind.annotation.ModelAttribute;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.SessionAttributes;
 
+import com.google.common.base.Splitter;
+import com.google.common.base.Strings;
 import com.google.common.collect.ArrayListMultimap;
 import com.google.common.collect.HashMultimap;
 import com.google.common.collect.Multimap;
@@ -90,7 +92,8 @@ public class OAuthConfirmationController {
 		// Check the "prompt" parameter to see if we need to do special processing
 
 		String prompt = (String)clientAuth.getExtensions().get("prompt");
-		if ("none".equals(prompt)) {
+		List<String> prompts = Splitter.on(" ").splitToList(Strings.nullToEmpty(prompt));
+		if (prompts.contains("none")) {
 			// we're not supposed to prompt, so "return an error"
 			logger.info("Client requested no prompt, returning 403 from confirmation endpoint");
 			model.put("code", HttpStatus.FORBIDDEN);
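Review bot: The new `prompts.contains("none")` check takes the "no prompt" branch for any value list that includes `none`, but OpenID Connect Core 3.1.2.1 says `none` combined with any other value (e.g. `none login`) is an invalid request, so this silently honours a combination the spec says to reject; the same applies to the `prompts.contains("none")` check added in PromptFilter. A guard such as `if (prompts.contains("none") && prompts.size() > 1) { /* treat as invalid_request */ }` ahead of this branch (most naturally in PromptFilter, which already owns the error response) would close that gap. Splitting on a single space also yields empty tokens for doubled spaces; `Splitter.on(' ').omitEmptyStrings()` is the tidier form if the behaviour is kept. The enclosing method starts and ends outside this hunk.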
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/filter/PromptFilter.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/filter/PromptFilter.java
index 7464332e1..f7c554bab 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/filter/PromptFilter.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/filter/PromptFilter.java
@@ -22,6 +22,7 @@ package org.mitre.openid.connect.filter;
 import java.io.IOException;
 import java.util.Date;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
 
 import javax.servlet.FilterChain;
@@ -43,6 +44,9 @@ import org.springframework.security.oauth2.provider.OAuth2RequestFactory;
 import org.springframework.stereotype.Component;
 import org.springframework.web.filter.GenericFilterBean;
 
+import com.google.common.base.Splitter;
+import com.google.common.base.Strings;
+
 /**
  * @author jricher
  *
@@ -72,8 +76,9 @@ public class PromptFilter extends GenericFilterBean {
 		if (authRequest.getExtensions().get("prompt") != null) {
 			// we have a "prompt" parameter
 			String prompt = (String)authRequest.getExtensions().get("prompt");
+			List<String> prompts = Splitter.on(" ").splitToList(Strings.nullToEmpty(prompt));
 
-			if (prompt.equals("none")) {
+			if (prompts.contains("none")) {
 				logger.info("Client requested no prompt");
 				// see if the user's logged in
 				Authentication auth = SecurityContextHolder.getContext().getAuthentication();
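Review bot: `Strings.nullToEmpty(prompt)` on the new line is redundant here, because the enclosing `if` on the line above already establishes that the `prompt` extension is non-null, so the new Guava import of `Strings` exists only to guard against a case this branch cannot reach. Dropping it, `List<String> prompts = Splitter.on(' ').omitEmptyStrings().splitToList(prompt);`, keeps the intent clearer and also avoids empty tokens when the client sends doubled spaces. The enclosing method starts and ends outside this hunk.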
@@ -88,7 +93,7 @@ public class PromptFilter extends GenericFilterBean {
 					response.sendError(HttpServletResponse.SC_FORBIDDEN, "Access Denied");
 					return;
 				}
-			} else if (prompt.equals("login")) {
+			} else if (prompts.contains("login")) {
 
 				// first see if the user's already been prompted in this session
 				HttpSession session = request.getSession();
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/token/TofuUserApprovalHandler.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/token/TofuUserApprovalHandler.java
index f35191ffb..dfbdb30f7 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/token/TofuUserApprovalHandler.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/token/TofuUserApprovalHandler.java
@@ -19,6 +19,7 @@ package org.mitre.openid.connect.token;
 import java.util.Calendar;
 import java.util.Collection;
 import java.util.Date;
+import java.util.List;
 import java.util.Map;
 import java.util.Set;
 
@@ -41,6 +42,7 @@ import org.springframework.stereotype.Component;
 import org.springframework.web.context.request.RequestContextHolder;
 import org.springframework.web.context.request.ServletRequestAttributes;
 
+import com.google.common.base.Splitter;
 import com.google.common.base.Strings;
 import com.google.common.collect.Sets;
 
@@ -127,7 +129,8 @@ public class TofuUserApprovalHandler implements UserApprovalHandler {
 
 		// find out if we're supposed to force a prompt on the user or not
 		String prompt = (String) authorizationRequest.getExtensions().get("prompt");
-		if (!"consent".equals(prompt)) {
+		List<String> prompts = Splitter.on(" ").splitToList(Strings.nullToEmpty(prompt));
+		if (!prompts.contains("consent")) {
 			// if the prompt parameter is set to "consent" then we can't use approved sites or whitelisted sites
 			// otherwise, we need to check them below