|
|
@@ -239,14 +239,6 @@ public final class OAuth2AuthorizationCodeRequestAuthenticationProvider implemen
|
|
|
.build();
|
|
|
this.authorizationService.save(authorization);
|
|
|
|
|
|
-// TODO security checks for code parameter
|
|
|
-// The authorization code MUST expire shortly after it is issued to mitigate the risk of leaks.
|
|
|
-// A maximum authorization code lifetime of 10 minutes is RECOMMENDED.
|
|
|
-// The client MUST NOT use the authorization code more than once.
|
|
|
-// If an authorization code is used more than once, the authorization server MUST deny the request
|
|
|
-// and SHOULD revoke (when possible) all tokens previously issued based on that authorization code.
|
|
|
-// The authorization code is bound to the client identifier and redirection URI.
|
|
|
-
|
|
|
String redirectUri = authorizationRequest.getRedirectUri();
|
|
|
if (!StringUtils.hasText(redirectUri)) {
|
|
|
redirectUri = registeredClient.getRedirectUris().iterator().next();
|
Joe Grandja