Skip to content

Fix empty code parameter in CodeVerifierAuthenticator#1680

Closed
aijazkeerio wants to merge 2 commits into
spring-projects:mainfrom
aijazkeerio:gb_1671
Closed

Fix empty code parameter in CodeVerifierAuthenticator#1680
aijazkeerio wants to merge 2 commits into
spring-projects:mainfrom
aijazkeerio:gb_1671

Conversation

@aijazkeerio
Copy link
Copy Markdown
Contributor

@aijazkeerio aijazkeerio commented Jul 26, 2024

Fixes #1671

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Jul 26, 2024
@jgrandja jgrandja self-assigned this Aug 1, 2024
@jgrandja jgrandja added type: bug A general bug and removed status: waiting-for-triage An issue we've not yet triaged labels Aug 1, 2024
@jgrandja jgrandja added this to the 1.2.6 milestone Aug 1, 2024
@jgrandja jgrandja mentioned this pull request Aug 1, 2024
Closed
jgrandja
jgrandja requested changes Aug 1, 2024
View reviewed changes
Copy link
Copy Markdown
Collaborator

@jgrandja jgrandja left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR @aijazkeerio. Please see review comments.

Comment thread ...framework/security/oauth2/server/authorization/authentication/CodeVerifierAuthenticator.java Outdated
return AuthorizationGrantType.AUTHORIZATION_CODE.getValue().equals(
parameters.get(OAuth2ParameterNames.GRANT_TYPE)) &&
parameters.get(OAuth2ParameterNames.CODE) != null;
parameters.get(OAuth2ParameterNames.CODE) != null &&
Copy link
Copy Markdown
Collaborator

@jgrandja jgrandja Aug 1, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the grant type is authorization_code and the code is empty, it should not return false and instead should error.

Try this instead:

if (!AuthorizationGrantType.AUTHORIZATION_CODE.getValue().equals(parameters.get(OAuth2ParameterNames.GRANT_TYPE))) {
	return false;
}
if (!StringUtils.hasText((String) parameters.get(OAuth2ParameterNames.CODE))) {
	throwInvalidGrant(OAuth2ParameterNames.CODE);
}
return true;

Copy link
Copy Markdown
Contributor Author

@aijazkeerio aijazkeerio Aug 2, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please review new changes.
I have removed the formatter:on off, let me know if I should add it back.

Comment thread ...rity/oauth2/server/authorization/authentication/ClientSecretAuthenticationProviderTests.java Outdated
}

@Test
public void authenticateWhenAuthorizationCodeGrantAndPkceAndValidCodeVerifierAndMissingCodeThenAuthenticated() {
Copy link
Copy Markdown
Collaborator

@jgrandja jgrandja Aug 1, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please remove this test and add OAuth2AuthorizationCodeGrantTests.requestWhenPublicClientWithPkceAndEmptyCodeThenBadRequest(). You can use requestWhenPublicClientWithPkceThenReturnAccessTokenResponse() as a template and adjust it.

@jgrandja jgrandja changed the title gh_1671 - Empty auth_code parameter in CodeVerifierAuthenticator Fix empty code parameter in CodeVerifierAuthenticator Aug 1, 2024
@jgrandja jgrandja mentioned this pull request Aug 2, 2024
Closed
jgrandja added a commit that referenced this pull request Aug 2, 2024
@jgrandja
Polish gh-1680
1fcd004
@jgrandja jgrandja closed this in 48115fa Aug 2, 2024
@jgrandja
Copy link
Copy Markdown
Collaborator

jgrandja commented Aug 2, 2024

Thanks for the updates @aijazkeerio ! This is now merged.

FYI, I added a polish commit that was mostly formatting changes.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jgrandja jgrandja jgrandja requested changes

+1 more reviewer

@9527286768 9527286768 9527286768 approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@jgrandja jgrandja

Labels

type: bug A general bug

Projects

None yet

Milestone

1.2.6

Development

Successfully merging this pull request may close these issues.

Empty auth_code parameter results in 500 on /token

4 participants

@aijazkeerio @jgrandja @9527286768 @spring-projects-issues