From f48049be4d777ec538864e695d3084555865b1ff Mon Sep 17 00:00:00 2001
From: Justin Richer
Date: Tue, 31 Mar 2015 10:26:06 -0400
Subject: [PATCH] deny tickets with no claims required (closes a race condition)
---
 .../org/mitre/uma/web/AuthorizationRequestEndpoint.java | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/openid-connect-server/src/main/java/org/mitre/uma/web/AuthorizationRequestEndpoint.java b/openid-connect-server/src/main/java/org/mitre/uma/web/AuthorizationRequestEndpoint.java
index bb5dbfb6d..fc59c1136 100644
--- a/openid-connect-server/src/main/java/org/mitre/uma/web/AuthorizationRequestEndpoint.java
+++ b/openid-connect-server/src/main/java/org/mitre/uma/web/AuthorizationRequestEndpoint.java
@@ -139,6 +139,7 @@ public class AuthorizationRequestEndpoint {
 Collection claimsUnmatched = new HashSet<>(claimsRequired);
 // see if each of the required claims has a counterpart in the supplied claims set
+ // TODO: move this component to a claims checking service (#796)
 for (Claim required : claimsRequired) {
 for (Claim supplied : claimsSupplied) {
@@ -153,16 +154,17 @@ public class AuthorizationRequestEndpoint {
 }
+ }
- }
 }
- if (claimsUnmatched.isEmpty()) {
+ // note that if the required claims are empty we don't want to return a token
+ if (!claimsRequired.isEmpty() && claimsUnmatched.isEmpty()) {
 // we matched all the claims, create and return the token
- // TODO: move this whole mess to the OIDCTokenService
+ // TODO: move this whole mess to the OIDCTokenService (#797)
 OAuth2Authentication o2auth = (OAuth2Authentication) auth;
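Review bot: The new guard `if (!claimsRequired.isEmpty() && claimsUnmatched.isEmpty())` folds the "no claims required" case into the same fall-through as "required claims not yet satisfied", so a resource with an empty claims policy is presumably answered by whatever the else branch (outside the hunk) produces for unmatched claims, with nothing to gather, rather than by an explicit denial. Consider testing `claimsRequired.isEmpty()` once, before the matching loop, and rejecting there, so the token path below stays purely about whether the supplied claims matched. The added comment should also record the reason, since the commit title is the only place the race condition is mentioned; e.g. `// A policy that requires no claims must not yield a token (see commit: closes a race condition)`. The enclosing method starts and ends outside both hunks.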