Disallow usage of the openid scope in device authorization requests

Issue https://github.com/spring-projects/spring-authorization-server/pull/2177
This commit is contained in:
Joe Grandja 2025-10-17 11:41:30 -04:00
parent 0d261e9c32
commit 4b810a8971
2 changed files with 22 additions and 0 deletions


@ -40,6 +40,7 @@ import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.core.OAuth2UserCode;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.security.oauth2.core.oidc.OidcScopes;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
@ -121,6 +122,9 @@ public final class OAuth2DeviceAuthorizationRequestAuthenticationProvider implem
throwError(OAuth2ErrorCodes.INVALID_SCOPE, OAuth2ParameterNames.SCOPE);
}
}
if (requestedScopes.contains(OidcScopes.OPENID)) {
throwError(OAuth2ErrorCodes.INVALID_SCOPE, OAuth2ParameterNames.SCOPE);
}
}
if (this.logger.isTraceEnabled()) {
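Review bot: The new `requestedScopes.contains(OidcScopes.OPENID)` rejection after the allowed-scope loop has no comment explaining why a scope the client is registered for is still refused, and the commit message only states the what; a later reader could mistake it for a regression. Suggested comment above the check: `// OpenID Connect does not define the device authorization grant, so 'openid' is rejected even when the client is registered for it.` The enclosing scope-validation `if` and the `authenticate` method both start outside this hunk. Because the check sits inside the branch that handles an explicit, non-empty scope parameter, it appears to cover only scopes the client sends; if an empty scope parameter later falls back to the client's registered scopes elsewhere in the flow, a client registered with `openid` might still obtain a device code for it, which is worth confirming on that path. The same `throwError(OAuth2ErrorCodes.INVALID_SCOPE, OAuth2ParameterNames.SCOPE)` form as the existing loop is a good choice, since the client sees one consistent `invalid_scope` response.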


@ -35,6 +35,7 @@ import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.core.OAuth2UserCode;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.security.oauth2.core.oidc.OidcScopes;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
@ -166,6 +167,23 @@ public class OAuth2DeviceAuthorizationRequestAuthenticationProviderTests {
// @formatter:on
}
@Test
public void authenticateWhenOpenIdScopeThenThrowOAuth2AuthenticationException() {
RegisteredClient registeredClient = TestRegisteredClients.registeredClient()
.authorizationGrantType(AuthorizationGrantType.DEVICE_CODE)
.scope(OidcScopes.OPENID)
.build();
Authentication authentication = createAuthentication(registeredClient);
// @formatter:off
assertThatExceptionOfType(OAuth2AuthenticationException.class)
.isThrownBy(() -> this.authenticationProvider.authenticate(authentication))
.withMessageContaining(OAuth2ParameterNames.SCOPE)
.extracting(OAuth2AuthenticationException::getError)
.extracting(OAuth2Error::getErrorCode)
.isEqualTo(OAuth2ErrorCodes.INVALID_SCOPE);
// @formatter:on
}
@Test
public void authenticateWhenDeviceCodeIsNullThenThrowOAuth2AuthenticationException() {
@SuppressWarnings("unchecked")