Merge branch '1.3.x'

This commit is contained in:
Joe Grandja
2024-08-02 15:00:11 -04:00
2 changed files with 30 additions and 5 deletions

View File

@@ -137,11 +137,14 @@ final class CodeVerifierAuthenticator {
}
private static boolean authorizationCodeGrant(Map<String, Object> parameters) {
// @formatter:off
return AuthorizationGrantType.AUTHORIZATION_CODE.getValue().equals(
parameters.get(OAuth2ParameterNames.GRANT_TYPE)) &&
parameters.get(OAuth2ParameterNames.CODE) != null;
// @formatter:on
if (!AuthorizationGrantType.AUTHORIZATION_CODE.getValue()
.equals(parameters.get(OAuth2ParameterNames.GRANT_TYPE))) {
return false;
}
if (!StringUtils.hasText((String) parameters.get(OAuth2ParameterNames.CODE))) {
throwInvalidGrant(OAuth2ParameterNames.CODE);
}
return true;
}
private boolean codeVerifierValid(String codeVerifier, String codeChallenge, String codeChallengeMethod) {

View File

@@ -515,6 +515,28 @@ public class OAuth2AuthorizationCodeGrantTests {
.isEqualTo(true);
}
// gh-1680
@Test
public void requestWhenPublicClientWithPkceAndEmptyCodeThenBadRequest() throws Exception {
this.spring.register(AuthorizationServerConfiguration.class).autowire();
RegisteredClient registeredClient = TestRegisteredClients.registeredPublicClient().build();
this.registeredClientRepository.save(registeredClient);
MultiValueMap<String, String> tokenRequestParameters = new LinkedMultiValueMap<>();
tokenRequestParameters.set(OAuth2ParameterNames.GRANT_TYPE,
AuthorizationGrantType.AUTHORIZATION_CODE.getValue());
tokenRequestParameters.set(OAuth2ParameterNames.CODE, "");
tokenRequestParameters.set(OAuth2ParameterNames.REDIRECT_URI,
registeredClient.getRedirectUris().iterator().next());
this.mvc
.perform(post(DEFAULT_TOKEN_ENDPOINT_URI).params(tokenRequestParameters)
.param(OAuth2ParameterNames.CLIENT_ID, registeredClient.getClientId())
.param(PkceParameterNames.CODE_VERIFIER, S256_CODE_VERIFIER))
.andExpect(status().isBadRequest());
}
@Test
public void requestWhenConfidentialClientWithPkceAndMissingCodeVerifierThenBadRequest() throws Exception {
this.spring.register(AuthorizationServerConfiguration.class).autowire();