[ https://issues.apache.org/jira/browse/CXF-5395?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sergey Beryozkin resolved CXF-5395.
-----------------------------------
Resolution: Fixed
Fix Version/s: 3.0.0-milestone1, 2.7.8
Assignee: Sergey Beryozkin
> ImplicitGrantService always redirect to broken redirect url
> -----------------------------------------------------------
>
> Key: CXF-5395
> URL: https://issues.apache.org/jira/browse/CXF-5395
> Project: CXF
> Issue Type: Bug
> Components: JAX-RS Security
> Affects Versions: 2.7.7
> Environment: irrelevant
> Reporter: Jason Wang
> Assignee: Sergey Beryozkin
> Priority: Critical
> Fix For: 2.7.8, 3.0.0-milestone1
>
>
> org.apache.cxf.rs.security.oauth2.services.ImplicitGrantService will build a
> redirect URL based on the input given to the createGrant method, and redirect to
> such a URL.
> I have discovered 2 issues with the building of the URL.
> 1. "state" is added as a fragment, not a query parameter, whereas the token got
> added as a query parameter. According to the spec, only the access token
> should be appended as the fragment.
> See http://tools.ietf.org/html/rfc6749#section-4.2.2
> Example valid URL:
> http://example.com/cb#access_token=2YotnFZFEjr1zCsicMWpAA&state=xyz&token_type=example&expires_in=3600
> Actual output:
> http://example.com/cb#state=xyz&access_token=2YotnFZFEjr1zCsicMWpAA&token_type=example&expires_in=3600
> 2. If there are more than one OAuthPermission in the token, the
> OAuthUtils.convertPermissionsToScope method will simply join them with a
> space. For example, if the perms are "read" and "write", the built URL will be
> http://example.com/cb#state=xyz&access_token=2YotnFZFEjr1zCsicMWpAA&token_type=example&expires_in=3600&scope=read write
> Spaces are not escaped.
> With those two bugs, especially the 1st one, there is no way to get the OAuth2
> implicit flow to work with the current version of CXF.
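The two defects above come down to where the response parameters are placed and whether the fragment is percent-encoded. The following is an added example, written in Python rather than CXF's Java and not taken from the CXF code base, of building the implicit grant redirect as RFC 6749 section 4.2.2 describes it (every parameter, `state` included, in the fragment; the space-delimited scope list encoded as `%20`) together with the client-side parse that checks `state` against the value the client originally sent. The function names, the rejection of a `redirect_uri` that already carries a fragment, and the sample token and scope values are assumptions made for the example.

```python
"""Added example (not CXF code): building and validating an OAuth2 implicit
grant redirect per RFC 6749 section 4.2.2."""
from urllib.parse import parse_qs, quote, urlencode, urlsplit


def build_implicit_redirect(redirect_uri, access_token, state, token_type="bearer",
                            expires_in=None, scopes=()):
    """Return redirect_uri with every response parameter in the fragment.

    All parameters (state included) go into the fragment, and the fragment is
    percent-encoded so a space-separated scope list still forms a valid URI.
    """
    parts = urlsplit(redirect_uri)
    if parts.fragment:
        # Assumption for this example: a registered redirect URI that already
        # contains a fragment is rejected (RFC 6749 section 3.1.2 forbids one).
        raise ValueError("redirect_uri must not contain a fragment")
    params = {"access_token": access_token, "token_type": token_type}
    if expires_in is not None:
        params["expires_in"] = str(expires_in)
    if scopes:
        params["scope"] = " ".join(scopes)  # RFC 6749 section 3.3: space-delimited
    if state is not None:
        params["state"] = state
    # quote_via=quote encodes the space as %20 rather than '+', so the fragment
    # never contains a raw space and decodes back to the same scope list.
    fragment = urlencode(params, quote_via=quote)
    return f"{redirect_uri}#{fragment}"


def parse_implicit_redirect(url, expected_state):
    """Client-side parsing of the redirect; returns the token parameters.

    The client must compare `state` with the value it sent; without that check
    the CSRF protection the parameter exists for is lost. Parameters that ended
    up in the query string instead of the fragment are deliberately ignored, so a
    redirect built the way the bug describes fails here rather than being accepted.
    """
    parts = urlsplit(url)
    raw = parse_qs(parts.fragment, keep_blank_values=True)
    params = {k: v[0] for k, v in raw.items()}
    if params.get("state") != expected_state:
        raise ValueError("state missing from fragment or mismatched")
    if "access_token" not in params:
        raise ValueError("no access_token in fragment")
    params["scope"] = params.get("scope", "").split()
    return params


if __name__ == "__main__":
    # Constructed sample values, matching the ones quoted in the report.
    url = build_implicit_redirect("http://example.com/cb", "2YotnFZFEjr1zCsicMWpAA",
                                  "xyz", "example", 3600, ["read", "write"])
    print(url)
    print(parse_implicit_redirect(url, "xyz"))
```

Running the block prints a URL whose fragment reads `access_token=...&token_type=example&expires_in=3600&scope=read%20write&state=xyz`, and the parse step recovers `["read", "write"]` as the scope list. Feeding the parser a URL with `state` in the query string and only the token in the fragment raises, which is the behaviour a client should have when a server emits the broken form described above.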