Fix empty code parameter in CodeVerifierAuthenticator

Closes gh-1680
spring-projects · Aug 2, 2024 · 48115fa · 48115fa
1 parent 72d7fb1
commit 48115fa
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 5 deletions.
diff --git a/...mework/security/oauth2/server/authorization/authentication/CodeVerifierAuthenticator.java b/...mework/security/oauth2/server/authorization/authentication/CodeVerifierAuthenticator.java
@@ -137,11 +137,16 @@ private boolean authenticate(OAuth2ClientAuthenticationToken clientAuthenticatio
 	}
 
 	private static boolean authorizationCodeGrant(Map<String, Object> parameters) {
-		// @formatter:off
-		return AuthorizationGrantType.AUTHORIZATION_CODE.getValue().equals(
-				parameters.get(OAuth2ParameterNames.GRANT_TYPE)) &&
-				parameters.get(OAuth2ParameterNames.CODE) != null;
-		// @formatter:on
+
+		if (!AuthorizationGrantType.AUTHORIZATION_CODE.getValue().equals(parameters.get(OAuth2ParameterNames.GRANT_TYPE))) {
+			return false;
+		}
+
+		if (!StringUtils.hasText((String) parameters.get(OAuth2ParameterNames.CODE))) {
+			throwInvalidGrant(OAuth2ParameterNames.CODE);
+		}
+
+		return true;
 	}
 
 	private boolean codeVerifierValid(String codeVerifier, String codeChallenge, String codeChallengeMethod) {

diff --git a/...y/oauth2/server/authorization/authentication/ClientSecretAuthenticationProviderTests.java b/...y/oauth2/server/authorization/authentication/ClientSecretAuthenticationProviderTests.java
@@ -46,6 +46,7 @@
 import static org.mockito.BDDMockito.given;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.spy;
+import static org.mockito.Mockito.times;
 import static org.mockito.Mockito.verify;
 
 /**

diff --git a/...er/authorization/config/annotation/web/configurers/OAuth2AuthorizationCodeGrantTests.java b/...er/authorization/config/annotation/web/configurers/OAuth2AuthorizationCodeGrantTests.java
@@ -25,6 +25,7 @@
 import java.time.temporal.ChronoUnit;
 import java.util.Arrays;
 import java.util.Base64;
+import java.util.Collections;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
@@ -71,6 +72,7 @@
 import org.springframework.security.crypto.password.NoOpPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.oauth2.core.AuthorizationGrantType;
+import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
 import org.springframework.security.oauth2.core.OAuth2RefreshToken;
 import org.springframework.security.oauth2.core.OAuth2Token;
 import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;
@@ -98,6 +100,7 @@
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationConsentAuthenticationContext;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationConsentAuthenticationProvider;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationConsentAuthenticationToken;
+import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken;
 import org.springframework.security.oauth2.server.authorization.client.JdbcRegisteredClientRepository;
 import org.springframework.security.oauth2.server.authorization.client.JdbcRegisteredClientRepository.RegisteredClientParametersMapper;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
@@ -515,6 +518,28 @@ public void requestWhenPublicClientWithPkceAndCustomRefreshTokenGeneratorThenRet
 			.isEqualTo(true);
 	}
 
+	@Test
+	public void requestWhenPublicClientWithPkceAndEmptyCodeThenBadRequest() throws Exception {
+		this.spring.register(AuthorizationServerConfiguration.class).autowire();
+
+		RegisteredClient registeredClient = TestRegisteredClients.registeredPublicClient().build();
+		this.registeredClientRepository.save(registeredClient);
+
+		MultiValueMap<String, String> tokenRequestParameters = new LinkedMultiValueMap<>();
+		tokenRequestParameters.set(OAuth2ParameterNames.GRANT_TYPE, AuthorizationGrantType.AUTHORIZATION_CODE.getValue());
+		tokenRequestParameters.set(OAuth2ParameterNames.CODE, "");
+		tokenRequestParameters.set(OAuth2ParameterNames.REDIRECT_URI, registeredClient.getRedirectUris().iterator().next());
+
+		this.mvc
+				.perform(post(DEFAULT_TOKEN_ENDPOINT_URI)
+						.params(tokenRequestParameters)
+						.param(OAuth2ParameterNames.CLIENT_ID, registeredClient.getClientId())
+						.param(PkceParameterNames.CODE_VERIFIER, S256_CODE_VERIFIER))
+				.andExpect(header().string(HttpHeaders.CACHE_CONTROL, containsString("no-store")))
+				.andExpect(header().string(HttpHeaders.PRAGMA, containsString("no-cache")))
+				.andExpect(status().isBadRequest());
+	}
+
 	@Test
 	public void requestWhenConfidentialClientWithPkceAndMissingCodeVerifierThenBadRequest() throws Exception {
 		this.spring.register(AuthorizationServerConfiguration.class).autowire();