Validate Authorization Response

Fixes gh-4657, Issue gh-4654
Joe Grandja 2017-10-20 16:56:13 -04:00
parent d152a2e2c1
commit eb2b573426
1 changed files with 7 additions and 6 deletions


@ -25,6 +25,7 @@ import org.springframework.security.oauth2.client.authentication.OAuth2ClientAut
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCode;
import org.springframework.security.oauth2.core.endpoint.AuthorizationRequest;
import org.springframework.security.oauth2.core.endpoint.AuthorizationResponse;
import org.springframework.security.oauth2.core.endpoint.OAuth2Parameter;
@ -95,6 +96,12 @@ public class AuthorizationCodeAuthenticationFilter extends AbstractAuthenticatio
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
throws AuthenticationException, IOException, ServletException {
if (!this.authorizationResponseSuccess(request) && !this.authorizationResponseError(request)) {
OAuth2Error oauth2Error = new OAuth2Error(OAuth2ErrorCode.INVALID_REQUEST);
throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
}
AuthorizationResponse authorizationResponse = this.convert(request);
AuthorizationRequest authorizationRequest = this.authorizationRequestRepository.loadAuthorizationRequest(request);
if (authorizationRequest == null) {
OAuth2Error oauth2Error = new OAuth2Error(AUTHORIZATION_REQUEST_NOT_FOUND_ERROR_CODE);
@ -102,8 +109,6 @@ public class AuthorizationCodeAuthenticationFilter extends AbstractAuthenticatio
}
this.authorizationRequestRepository.removeAuthorizationRequest(request);
AuthorizationResponse authorizationResponse = this.convert(request);
String registrationId = (String)authorizationRequest.getAdditionalParameters().get(OAuth2Parameter.REGISTRATION_ID);
ClientRegistration clientRegistration = this.clientRegistrationRepository.findByRegistrationId(registrationId);
@ -144,10 +149,6 @@ public class AuthorizationCodeAuthenticationFilter extends AbstractAuthenticatio
}
private AuthorizationResponse convert(HttpServletRequest request) {
if (!this.authorizationResponseSuccess(request) && !this.authorizationResponseError(request)) {
return null;
}
String code = request.getParameter(OAuth2Parameter.CODE);
String errorCode = request.getParameter(OAuth2Parameter.ERROR);
String state = request.getParameter(OAuth2Parameter.STATE);