首页 发现 帮助
注册 登录
github
/
spring-authorization-server
镜像自地址 https://github.com/spring-projects/spring-authorization-server
2
0
派生 0
文件 工单管理 0 Wiki
浏览代码

Validate code_challenge_method parameter

Issue gh-756

Closes gh-770
Joe Grandja 3 年之前
父节点
0cae3c693e
当前提交
7dfdcf3a27
共有 2 个文件被更改,包括 23 次插入5 次删除
分列视图 显示文件统计
  1. 3 5
      oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeRequestAuthenticationProvider.java
  2. 20 0
      oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeRequestAuthenticationProviderTests.java

+ 3 - 5
oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeRequestAuthenticationProvider.java
查看文件 

@@ -209,11 +209,9 @@ public final class OAuth2AuthorizationCodeRequestAuthenticationProvider implemen
 
 		String codeChallenge = (String) authorizationCodeRequestAuthentication.getAdditionalParameters().get(PkceParameterNames.CODE_CHALLENGE);
 
 		if (StringUtils.hasText(codeChallenge)) {
 
 			String codeChallengeMethod = (String) authorizationCodeRequestAuthentication.getAdditionalParameters().get(PkceParameterNames.CODE_CHALLENGE_METHOD);
 
-			if (StringUtils.hasText(codeChallengeMethod)) {
 
-				if (!"S256".equals(codeChallengeMethod)) {
 
-					throwError(OAuth2ErrorCodes.INVALID_REQUEST, PkceParameterNames.CODE_CHALLENGE_METHOD, PKCE_ERROR_URI,
 
-							authorizationCodeRequestAuthentication, registeredClient, null);
 
-				}
 
+			if (!StringUtils.hasText(codeChallengeMethod) || !"S256".equals(codeChallengeMethod)) {
 
+				throwError(OAuth2ErrorCodes.INVALID_REQUEST, PkceParameterNames.CODE_CHALLENGE_METHOD, PKCE_ERROR_URI,
 
+						authorizationCodeRequestAuthentication, registeredClient, null);
 
 			}
 
 		} else if (registeredClient.getClientSettings().isRequireProofKey()) {
 
 			throwError(OAuth2ErrorCodes.INVALID_REQUEST, PkceParameterNames.CODE_CHALLENGE, PKCE_ERROR_URI,

+ 20 - 0
oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeRequestAuthenticationProviderTests.java
查看文件 

@@ -377,6 +377,26 @@ public class OAuth2AuthorizationCodeRequestAuthenticationProviderTests {
 
 				);
 
 	}
 
 
+	// gh-770
 
+	@Test
 
+	public void authenticateWhenPkceMissingCodeChallengeMethodThenThrowOAuth2AuthorizationCodeRequestAuthenticationException() {
 
+		RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build();
 
+		when(this.registeredClientRepository.findByClientId(eq(registeredClient.getClientId())))
 
+				.thenReturn(registeredClient);
 
+		Map<String, Object> additionalParameters = new HashMap<>();
 
+		additionalParameters.put(PkceParameterNames.CODE_CHALLENGE, "code-challenge");
 
+		OAuth2AuthorizationCodeRequestAuthenticationToken authentication =
 
+				authorizationCodeRequestAuthentication(registeredClient, this.principal)
 
+						.additionalParameters(additionalParameters)
 
+						.build();
 
+		assertThatThrownBy(() -> this.authenticationProvider.authenticate(authentication))
 
+				.isInstanceOf(OAuth2AuthorizationCodeRequestAuthenticationException.class)
 
+				.satisfies(ex ->
 
+						assertAuthenticationException((OAuth2AuthorizationCodeRequestAuthenticationException) ex,
 
+								OAuth2ErrorCodes.INVALID_REQUEST, PkceParameterNames.CODE_CHALLENGE_METHOD, authentication.getRedirectUri())
 
+				);
 
+	}
 
+
 
 	@Test
 
 	public void authenticateWhenPrincipalNotAuthenticatedThenReturnAuthorizationCodeRequest() {
 
 		RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build();