Fix empty code parameter in CodeVerifierAuthenticator #1680


Closed
wants to merge 2 commits into from

Conversation

aijazkeerio
Contributor

Fixes #1671

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Jul 26, 2024
@jgrandja jgrandja self-assigned this Aug 1, 2024
@jgrandja jgrandja added type: bug A general bug and removed status: waiting-for-triage An issue we've not yet triaged labels Aug 1, 2024
@jgrandja jgrandja added this to the 1.2.6 milestone Aug 1, 2024
Collaborator

@jgrandja jgrandja left a comment


Thanks for the PR @aijazkeerio. Please see review comments.

@@ -140,7 +140,8 @@ private static boolean authorizationCodeGrant(Map<String, Object> parameters) {
// @formatter:off
return AuthorizationGrantType.AUTHORIZATION_CODE.getValue().equals(
parameters.get(OAuth2ParameterNames.GRANT_TYPE)) &&
parameters.get(OAuth2ParameterNames.CODE) != null;
parameters.get(OAuth2ParameterNames.CODE) != null &&
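Review bot: extending the return expression with `parameters.get(OAuth2ParameterNames.CODE) != null &&` still makes authorizationCodeGrant() answer false for a request whose grant_type is authorization_code but whose code is empty, so the authenticator silently steps aside instead of rejecting the request. Once the grant type says this is an authorization-code grant, an empty code is a client error and should fail explicitly, e.g. by calling `throwInvalidGrant(OAuth2ParameterNames.CODE)` after the grant-type check, rather than being treated as "not our grant".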
Collaborator


If the grant type is authorization_code and the code is empty, it should not return false and instead should error.

Try this instead:

```java
private static boolean authorizationCodeGrant(Map<String, Object> parameters) {
	// Not an authorization_code grant: this authenticator does not apply.
	if (!AuthorizationGrantType.AUTHORIZATION_CODE.getValue().equals(parameters.get(OAuth2ParameterNames.GRANT_TYPE))) {
		return false;
	}
	// authorization_code grant with a null, empty or blank code: reject with invalid_grant.
	if (!StringUtils.hasText((String) parameters.get(OAuth2ParameterNames.CODE))) {
		throwInvalidGrant(OAuth2ParameterNames.CODE);
	}
	return true;
}
```

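The difference between the original `!= null` check and the suggested `StringUtils.hasText` check, shown as an added stand-alone illustration that is not part of the project's code: the constant values match Spring Security's `OAuth2ParameterNames` and `AuthorizationGrantType`, `hasText` is a local stand-in for Spring's `StringUtils.hasText`, and the `IllegalArgumentException` stands in for the `invalid_grant` error that `throwInvalidGrant` raises.

```java
import java.util.HashMap;
import java.util.Map;

/** Added illustration (not project code): grant detection before and after the fix. */
public class EmptyCodeCheckDemo {

    // Values of OAuth2ParameterNames.GRANT_TYPE / CODE and
    // AuthorizationGrantType.AUTHORIZATION_CODE.getValue() in Spring Security.
    static final String GRANT_TYPE = "grant_type";
    static final String CODE = "code";
    static final String AUTHORIZATION_CODE = "authorization_code";

    /** Stand-in for org.springframework.util.StringUtils.hasText(String). */
    static boolean hasText(String s) {
        return s != null && !s.isBlank();
    }

    /** Original check: only null is rejected, so "" and "   " are accepted as a code. */
    static boolean authorizationCodeGrantBefore(Map<String, Object> parameters) {
        return AUTHORIZATION_CODE.equals(parameters.get(GRANT_TYPE))
                && parameters.get(CODE) != null;
    }

    /** Reviewed version: wrong grant type -> not our request; empty code -> invalid_grant. */
    static boolean authorizationCodeGrantAfter(Map<String, Object> parameters) {
        if (!AUTHORIZATION_CODE.equals(parameters.get(GRANT_TYPE))) {
            return false;
        }
        if (!hasText((String) parameters.get(CODE))) {
            // Project code calls throwInvalidGrant(OAuth2ParameterNames.CODE) here,
            // which raises an OAuth2AuthenticationException with error invalid_grant.
            throw new IllegalArgumentException("invalid_grant: " + CODE);
        }
        return true;
    }

    public static void main(String[] args) {
        Object[] codes = { null, "", "   ", "abc123" };  // constructed sample inputs
        for (Object code : codes) {
            Map<String, Object> p = new HashMap<>();
            p.put(GRANT_TYPE, AUTHORIZATION_CODE);
            p.put(CODE, code);
            String after;
            try {
                after = String.valueOf(authorizationCodeGrantAfter(p));
            } catch (IllegalArgumentException e) {
                after = e.getMessage();
            }
            System.out.printf("code=%-8s before=%-5s after=%s%n",
                    code == null ? "null" : "\"" + code + "\"", authorizationCodeGrantBefore(p), after);
        }
    }
}
```

With the original check an empty or blank code passes as `true` and the request continues into the code-verifier path, which is where the 500 described in the linked issue arose; with the reviewed check the same request is rejected up front.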
Contributor Author

@aijazkeerio aijazkeerio Aug 2, 2024


Please review the new changes.
I have removed the `formatter:on`/`formatter:off` comments; let me know if I should add them back.

@@ -282,6 +283,29 @@ public void authenticateWhenAuthorizationCodeGrantAndValidCredentialsThenAuthent
assertThat(authenticationResult.getRegisteredClient()).isEqualTo(registeredClient);
}

@Test
public void authenticateWhenAuthorizationCodeGrantAndPkceAndValidCodeVerifierAndMissingCodeThenAuthenticated() {
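Review bot: the test name `authenticateWhenAuthorizationCodeGrantAndPkceAndValidCodeVerifierAndMissingCodeThenAuthenticated` asserts the wrong outcome: a PKCE token request with a missing code must not authenticate, it must be rejected. Drop this unit test and cover the behaviour at the token endpoint instead, in OAuth2AuthorizationCodeGrantTests, with a requestWhenPublicClientWithPkceAndEmptyCodeThenBadRequest() case derived from requestWhenPublicClientWithPkceThenReturnAccessTokenResponse().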
Collaborator


Please remove this test and add OAuth2AuthorizationCodeGrantTests.requestWhenPublicClientWithPkceAndEmptyCodeThenBadRequest(). You can use requestWhenPublicClientWithPkceThenReturnAccessTokenResponse() as a template and adjust it.

@jgrandja jgrandja changed the title gh_1671 - Empty auth_code parameter in CodeVerifierAuthenticator Fix empty code parameter in CodeVerifierAuthenticator Aug 1, 2024
jgrandja added a commit that referenced this pull request Aug 2, 2024
@jgrandja jgrandja closed this in 48115fa Aug 2, 2024
@jgrandja
Collaborator

jgrandja commented Aug 2, 2024

Thanks for the updates @aijazkeerio ! This is now merged.

FYI, I added a polish commit that was mostly formatting changes.

Successfully merging this pull request may close these issues.

Empty auth_code parameter results in 500 on /token