Throw an exception if the client specifies another value with "none" for "prompt"
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/e2f9b7da Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/e2f9b7da Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/e2f9b7da Branch: refs/heads/master-jaxrs-2.1 Commit: e2f9b7da6a5e3c9a678c0b45415ac87735bd0494 Parents: 5e11c6d Author: Colm O hEigeartaigh <[email protected]> Authored: Mon May 23 15:03:46 2016 +0100 Committer: Colm O hEigeartaigh <[email protected]> Committed: Mon May 23 15:04:19 2016 +0100
----------------------------------------------------------------------
 .../oidc/idp/OidcAuthorizationCodeService.java | 29 ++++++++++++++++++++ .../security/oidc/idp/OidcImplicitService.java | 18 ++++++++++++ .../jaxrs/security/oidc/OIDCNegativeTest.java | 2 -- 3 files changed, 47 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/e2f9b7da/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java
index 9b6f4f8..a4e9ed5 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java
@@ -19,19 +19,26 @@ package org.apache.cxf.rs.security.oidc.idp;
 import java.util.List;
+import java.util.logging.Level;
 import javax.ws.rs.core.MultivaluedMap;
+import javax.ws.rs.core.Response;
 import org.apache.cxf.rs.security.oauth2.common.Client;
+import org.apache.cxf.rs.security.oauth2.common.OAuthError;
 import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
 import org.apache.cxf.rs.security.oauth2.common.OAuthRedirectionState;
 import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
 import org.apache.cxf.rs.security.oauth2.common.UserSubject;
 import org.apache.cxf.rs.security.oauth2.grants.code.AuthorizationCodeRegistration;
+import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
 import org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
 import org.apache.cxf.rs.security.oidc.utils.OidcUtils;
 public class OidcAuthorizationCodeService extends AuthorizationCodeGrantService {
+ private static final String PROMPT_PARAMETER = "prompt";
+
 private boolean skipAuthorizationWithOidcScope;
 @Override
 protected boolean canAuthorizationBeSkipped(Client client,
@@ -47,6 +54,28 @@ public class OidcAuthorizationCodeService extends AuthorizationCodeGrantService
 public void setSkipAuthorizationWithOidcScope(boolean skipAuthorizationWithOidcScope) {
 this.skipAuthorizationWithOidcScope = skipAuthorizationWithOidcScope;
 }
+
+ @Override
+ protected Response startAuthorization(MultivaluedMap<String, String> params,
+ UserSubject userSubject,
+ Client client) {
+ // Validate the prompt - if it contains "none" then an error is returned with any other value
+ String prompt = params.getFirst(PROMPT_PARAMETER);
+ if (prompt != null) {
+ String[] promptValues = prompt.trim().split(" ");
+ if (promptValues.length > 1) {
+ for (String promptValue : promptValues) {
+ if ("none".equals(promptValue)) {
+ LOG.log(Level.FINE, "The prompt value {} is invalid", prompt);
+ throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_REQUEST));
+ }
+ }
+ }
+ }
+
+ return super.startAuthorization(params, userSubject, client);
+ }
+
 protected AuthorizationCodeRegistration createCodeRegistration(OAuthRedirectionState state,
 Client client,
 List<String> requestedScope,
http://git-wip-us.apache.org/repos/asf/cxf/blob/e2f9b7da/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
index 558dfd8..c35526c 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
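Review bot: The log line in the new `startAuthorization` override uses an SLF4J-style `{}` placeholder, but `LOG.log(Level.FINE, msg, param)` is the java.util.logging signature (the `Level` import points that way), which substitutes a parameter only for MessageFormat indices such as `{0}`, so the prompt value is dropped and the message is emitted literally. Use `LOG.log(Level.FINE, "The prompt value {0} is invalid", prompt);`, and apply the same fix to the copy of this block in the third hunk of OidcImplicitService. Since both services carry byte-identical validation, a shared static helper (OidcUtils is already imported by both) would keep the two from drifting apart. `prompt.trim().split(" ")` yields empty tokens on repeated spaces; they are harmless for the `"none"` comparison, but `split("\\s+")` would be cleaner. The enclosing class continues outside this hunk.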
@@ -23,6 +23,7 @@ import java.util.HashSet;
 import java.util.List;
 import java.util.Properties;
 import java.util.Set;
+import java.util.logging.Level;
 import javax.ws.rs.core.MultivaluedMap;
 import javax.ws.rs.core.Response;
@@ -48,6 +49,8 @@ import org.apache.cxf.rs.security.oidc.utils.OidcUtils;
 public class OidcImplicitService extends ImplicitGrantService {
+ private static final String PROMPT_PARAMETER = "prompt";
+
 private boolean skipAuthorizationWithOidcScope;
 private OAuthJoseJwtProducer idTokenHandler;
 private IdTokenProvider idTokenProvider;
@@ -74,6 +77,21 @@ public class OidcImplicitService extends ImplicitGrantService {
 LOG.fine("A nonce is required for the Implicit flow");
 throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_REQUEST));
 }
+
+ // Validate the prompt - if it contains "none" then an error is returned with any other value
+ String prompt = params.getFirst(PROMPT_PARAMETER);
+ if (prompt != null) {
+ String[] promptValues = prompt.trim().split(" ");
+ if (promptValues.length > 1) {
+ for (String promptValue : promptValues) {
+ if ("none".equals(promptValue)) {
+ LOG.log(Level.FINE, "The prompt value {} is invalid", prompt);
+ throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_REQUEST));
+ }
+ }
+ }
+ }
+
 return super.startAuthorization(params, userSubject, client);
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/e2f9b7da/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oidc/OIDCNegativeTest.java
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oidc/OIDCNegativeTest.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oidc/OIDCNegativeTest.java
index 3f5d247..d24576b 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oidc/OIDCNegativeTest.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oidc/OIDCNegativeTest.java
@@ -60,9 +60,7 @@ public class OIDCNegativeTest extends AbstractBusClientServerTestBase {
 );
 }
- // TODO
 @org.junit.Test
- @org.junit.Ignore
 public void testImplicitFlowPromptNone() throws Exception {
 URL busFile = OIDCFlowTest.class.getResource("client.xml");
