This is an automated email from the ASF dual-hosted git repository. coheigea pushed a commit to branch 3.2.x-fixes in repository https://gitbox.apache.org/repos/asf/cxf.git
commit 28bdc918221aa790979b98cb304651886d5983d0
Author: Colm O hEigeartaigh <cohei...@apache.org>
AuthorDate: Wed Sep 18 12:19:24 2019 +0100
Enforce the access token has an openid scope for the UserInfo endpoint
(cherry picked from commit 5e1a2a2257535e957b52ee721a81b741800a3171)
(cherry picked from commit 661c271f4890b05896eee5de9cb8fb503fb3bccb)
---
 .../org/apache/cxf/rs/security/oidc/idp/UserInfoService.java | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java
index 385fb6c..78e25f9 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java
@@ -32,12 +32,14 @@ import org.apache.cxf.rs.security.jose.jwt.JwtToken;
 import org.apache.cxf.rs.security.jose.jwt.JwtUtils;
 import org.apache.cxf.rs.security.oauth2.common.Client;
 import org.apache.cxf.rs.security.oauth2.common.OAuthContext;
+import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
 import org.apache.cxf.rs.security.oauth2.provider.OAuthDataProvider;
 import org.apache.cxf.rs.security.oauth2.provider.OAuthServerJoseJwtProducer;
 import org.apache.cxf.rs.security.oauth2.utils.OAuthContextUtils;
 import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
 import org.apache.cxf.rs.security.oidc.common.IdToken;
 import org.apache.cxf.rs.security.oidc.common.UserInfo;
+import org.apache.cxf.rs.security.oidc.utils.OidcUtils;
 
 @Path("/userinfo")
 public class UserInfoService extends OAuthServerJoseJwtProducer {
@@ -51,6 +53,14 @@ public class UserInfoService extends OAuthServerJoseJwtProducer {
 @Produces({"application/json", "application/jwt" })
 public Response getUserInfo() {
 OAuthContext oauth = OAuthContextUtils.getContext(mc);
+
+ // Check the access token has the "openid" scope
+ if (!oauth.getPermissions().stream()
+ .map(OAuthPermission::getPermission)
+ .anyMatch(OidcUtils.OPENID_SCOPE::equals)) {
+ Response.status(401);
+ }
+
 UserInfo userInfo = null;
 if (userInfoProvider != null) {
 userInfo = userInfoProvider.getUserInfo(oauth.getClientId(), oauth.getSubject(),
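Review bot: The new scope check does not actually enforce anything: `Response.status(401);` only creates a ResponseBuilder that is immediately discarded, so a token lacking the `openid` scope still falls through to the UserInfo lookup below exactly as before. The branch has to end the request, e.g. `return Response.status(401).build();` (or throw the corresponding JAX-RS exception). Since the access token itself was accepted and only its scope is insufficient, consider whether 403 with a `WWW-Authenticate: Bearer error="insufficient_scope"` header is the more accurate answer per RFC 6750 than a bare 401. It is not visible here whether `oauth.getPermissions()` can be null for a context with no scopes, so that is worth confirming before dereferencing it unconditionally. The body of getUserInfo continues past the end of this hunk.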