Skip to content

Commit

Permalink
Merge branch '1.3.x'
Browse files Browse the repository at this point in the history
  • Loading branch information
@jgrandja
jgrandja committed Aug 2, 2024
2 parents 4bfabf5 + f56ac53 commit c0182f5
Show file tree
Hide file tree
Showing 2 changed files with 30 additions and 5 deletions.
13 changes: 8 additions & 5 deletions ...mework/security/oauth2/server/authorization/authentication/CodeVerifierAuthenticator.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -137,11 +137,14 @@ private boolean authenticate(OAuth2ClientAuthenticationToken clientAuthenticatio
}

private static boolean authorizationCodeGrant(Map<String, Object> parameters) {
// @formatter:off
return AuthorizationGrantType.AUTHORIZATION_CODE.getValue().equals(
parameters.get(OAuth2ParameterNames.GRANT_TYPE)) &&
parameters.get(OAuth2ParameterNames.CODE) != null;
// @formatter:on
if (!AuthorizationGrantType.AUTHORIZATION_CODE.getValue()
.equals(parameters.get(OAuth2ParameterNames.GRANT_TYPE))) {
return false;
}
if (!StringUtils.hasText((String) parameters.get(OAuth2ParameterNames.CODE))) {
throwInvalidGrant(OAuth2ParameterNames.CODE);
}
return true;
}

private boolean codeVerifierValid(String codeVerifier, String codeChallenge, String codeChallengeMethod) {
Expand Down
22 changes: 22 additions & 0 deletions ...er/authorization/config/annotation/web/configurers/OAuth2AuthorizationCodeGrantTests.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -515,6 +515,28 @@ public void requestWhenPublicClientWithPkceAndCustomRefreshTokenGeneratorThenRet
.isEqualTo(true);
}

// gh-1680
@Test
public void requestWhenPublicClientWithPkceAndEmptyCodeThenBadRequest() throws Exception {
this.spring.register(AuthorizationServerConfiguration.class).autowire();

RegisteredClient registeredClient = TestRegisteredClients.registeredPublicClient().build();
this.registeredClientRepository.save(registeredClient);

MultiValueMap<String, String> tokenRequestParameters = new LinkedMultiValueMap<>();
tokenRequestParameters.set(OAuth2ParameterNames.GRANT_TYPE,
AuthorizationGrantType.AUTHORIZATION_CODE.getValue());
tokenRequestParameters.set(OAuth2ParameterNames.CODE, "");
tokenRequestParameters.set(OAuth2ParameterNames.REDIRECT_URI,
registeredClient.getRedirectUris().iterator().next());

this.mvc
.perform(post(DEFAULT_TOKEN_ENDPOINT_URI).params(tokenRequestParameters)
.param(OAuth2ParameterNames.CLIENT_ID, registeredClient.getClientId())
.param(PkceParameterNames.CODE_VERIFIER, S256_CODE_VERIFIER))
.andExpect(status().isBadRequest());
}

@Test
public void requestWhenConfidentialClientWithPkceAndMissingCodeVerifierThenBadRequest() throws Exception {
this.spring.register(AuthorizationServerConfiguration.class).autowire();
Expand Down

0 comments on commit c0182f5

Please sign in to comment.