Merge branch '1.3.x'
This commit is contained in:
@@ -137,11 +137,14 @@ final class CodeVerifierAuthenticator {
|
||||
}
|
||||
|
||||
private static boolean authorizationCodeGrant(Map<String, Object> parameters) {
|
||||
// @formatter:off
|
||||
return AuthorizationGrantType.AUTHORIZATION_CODE.getValue().equals(
|
||||
parameters.get(OAuth2ParameterNames.GRANT_TYPE)) &&
|
||||
parameters.get(OAuth2ParameterNames.CODE) != null;
|
||||
// @formatter:on
|
||||
if (!AuthorizationGrantType.AUTHORIZATION_CODE.getValue()
|
||||
.equals(parameters.get(OAuth2ParameterNames.GRANT_TYPE))) {
|
||||
return false;
|
||||
}
|
||||
if (!StringUtils.hasText((String) parameters.get(OAuth2ParameterNames.CODE))) {
|
||||
throwInvalidGrant(OAuth2ParameterNames.CODE);
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
private boolean codeVerifierValid(String codeVerifier, String codeChallenge, String codeChallengeMethod) {
|
||||
|
||||
@@ -515,6 +515,28 @@ public class OAuth2AuthorizationCodeGrantTests {
|
||||
.isEqualTo(true);
|
||||
}
|
||||
|
||||
// gh-1680
|
||||
@Test
|
||||
public void requestWhenPublicClientWithPkceAndEmptyCodeThenBadRequest() throws Exception {
|
||||
this.spring.register(AuthorizationServerConfiguration.class).autowire();
|
||||
|
||||
RegisteredClient registeredClient = TestRegisteredClients.registeredPublicClient().build();
|
||||
this.registeredClientRepository.save(registeredClient);
|
||||
|
||||
MultiValueMap<String, String> tokenRequestParameters = new LinkedMultiValueMap<>();
|
||||
tokenRequestParameters.set(OAuth2ParameterNames.GRANT_TYPE,
|
||||
AuthorizationGrantType.AUTHORIZATION_CODE.getValue());
|
||||
tokenRequestParameters.set(OAuth2ParameterNames.CODE, "");
|
||||
tokenRequestParameters.set(OAuth2ParameterNames.REDIRECT_URI,
|
||||
registeredClient.getRedirectUris().iterator().next());
|
||||
|
||||
this.mvc
|
||||
.perform(post(DEFAULT_TOKEN_ENDPOINT_URI).params(tokenRequestParameters)
|
||||
.param(OAuth2ParameterNames.CLIENT_ID, registeredClient.getClientId())
|
||||
.param(PkceParameterNames.CODE_VERIFIER, S256_CODE_VERIFIER))
|
||||
.andExpect(status().isBadRequest());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void requestWhenConfidentialClientWithPkceAndMissingCodeVerifierThenBadRequest() throws Exception {
|
||||
this.spring.register(AuthorizationServerConfiguration.class).autowire();
|
||||
|
||||
Reference in New Issue
Block a user