
Commit 7b34a66

Cosmin Cojocarjricher
authored andcommitted
Make the dual client support configurable
1 parent a80953a commit 7b34a66


3 files changed

+40
-8
lines changed

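--- a/openid-connect-common/src/main/java/org/mitre/openid/connect/config/ConfigurationPropertiesBean.java
+++ b/openid-connect-common/src/main/java/org/mitre/openid/connect/config/ConfigurationPropertiesBean.java
@@ -56,7 +56,9 @@ public class ConfigurationPropertiesBean {
 
 private Locale locale = Locale.ENGLISH; // we default to the english translation
 
-public ConfigurationPropertiesBean() {
+public boolean dualClient = false;
+
+public ConfigurationPropertiesBean() {
 
 }
 
@@ -168,4 +170,18 @@ public Locale getLocale() {
 public void setLocale(Locale locale) {
 this.locale = locale;
 }
+
+/**
+ * @return true if dual client is configured, otherwise false
+ */
+public boolean isDualClient() {
+return dualClient;
+}
+
+/**
+ * @param dualClient the dual client configuration
+ */
+public void setDualClient(boolean dualClient) {
+this.dualClient = dualClient;
+}
 }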
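Review bot: `public boolean dualClient = false;` on new line 59 exposes the field directly even though the same commit adds `isDualClient()`/`setDualClient()`, and the sibling `locale` field just above it is private; declaring it `private boolean dualClient = false;` keeps the accessors as the only way to read or change the flag, consistent with the rest of the bean. The Javadoc on `isDualClient()` could also say what the flag governs rather than restating the type, e.g. `* @return true when dynamically registered clients may combine client_credentials with authorization_code or implicit grants, otherwise false`. The class body continues outside both hunks.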

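--- a/openid-connect-server-webapp/src/main/webapp/WEB-INF/server-config.xml
+++ b/openid-connect-server-webapp/src/main/webapp/WEB-INF/server-config.xml
@@ -49,6 +49,10 @@
 <!-- This property sets the locale for server text -->
 <!-- <property name="locale" value="sv" /> -->
 
+<!-- This property indicates if a dynamically registered client supports dual flows, such as client_credentials
+at the same time with authorization_code or implicit -->
+<property name="dualClient" value="false"/>
+
 </bean>
 
 </beans>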
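Review bot: The comment on new lines 52–53 describes what `dualClient` permits but not that, with the endpoint change in this commit, every dynamically registered client that omits grant types also receives `client_credentials` automatically when the flag is `true`; an operator flipping the value should see that consequence next to the property. Consider appending `<!-- When true, client_credentials is also added to the default grant types of every dynamically registered client -->` below the existing comment.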

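--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/DynamicClientRegistrationEndpoint.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/DynamicClientRegistrationEndpoint.java
@@ -394,11 +394,14 @@ private ClientDetailsEntity validateGrantTypes(ClientDetailsEntity newClient) th
 // set default grant types if needed
 if (newClient.getGrantTypes() == null || newClient.getGrantTypes().isEmpty()) {
 if (newClient.getScope().contains("offline_access")) { // client asked for offline access
-// allow authorization code, client credentials and refresh token grant types by default
-newClient.setGrantTypes(Sets.newHashSet("authorization_code", "client_credentials", "refresh_token"));
+newClient.setGrantTypes(Sets.newHashSet("authorization_code", "refresh_token")); // allow authorization code and refresh token grant types by default
 } else {
-// allow authorization code grant type by default
-newClient.setGrantTypes(Sets.newHashSet("authorization_code", "client_credentials"));
+newClient.setGrantTypes(Sets.newHashSet("authorization_code")); // allow authorization code grant type by default
+}
+if (config.isDualClient()) {
+Set<String> extendedGrandTypes = newClient.getGrantTypes();
+extendedGrandTypes.add("client_credentials");
+newClient.setGrantTypes(extendedGrandTypes);
 }
 }
 
@@ -420,7 +423,8 @@ private ClientDetailsEntity validateGrantTypes(ClientDetailsEntity newClient) th
 if (newClient.getGrantTypes().contains("authorization_code")) {
 
 // check for incompatible grants
-if (newClient.getGrantTypes().contains("implicit")) {
+if (newClient.getGrantTypes().contains("implicit") ||
+(!config.isDualClient() && newClient.getGrantTypes().contains("client_credentials"))) {
 // return an error, you can't have these grant types together
 throw new ValidationException("invalid_client_metadata", "Incompatible grant types requested: " + newClient.getGrantTypes(), HttpStatus.BAD_REQUEST);
 }
@@ -436,7 +440,8 @@ private ClientDetailsEntity validateGrantTypes(ClientDetailsEntity newClient) th
 if (newClient.getGrantTypes().contains("implicit")) {
 
 // check for incompatible grants
-if (newClient.getGrantTypes().contains("authorization_code")) {
+if (newClient.getGrantTypes().contains("authorization_code") ||
+(!config.isDualClient() && newClient.getGrantTypes().contains("client_credentials"))) {
 // return an error, you can't have these grant types together
 throw new ValidationException("invalid_client_metadata", "Incompatible grant types requested: " + newClient.getGrantTypes(), HttpStatus.BAD_REQUEST);
 }
@@ -454,7 +459,14 @@ private ClientDetailsEntity validateGrantTypes(ClientDetailsEntity newClient) th
 }
 
 if (newClient.getGrantTypes().contains("client_credentials")) {
-
+
+// check for incompatible grants
+if (!config.isDualClient() &&
+(newClient.getGrantTypes().contains("authorization_code") || newClient.getGrantTypes().contains("implicit"))) {
+// return an error, you can't have these grant types together
+throw new ValidationException("invalid_client_metadata", "Incompatible grant types requested: " + newClient.getGrantTypes(), HttpStatus.BAD_REQUEST);
+}
+
 if (!newClient.getResponseTypes().isEmpty()) {
 // return an error, you can't have this grant type and response type together
 throw new ValidationException("invalid_client_metadata", "Incompatible response types requested: " + newClient.getGrantTypes() + " / " + newClient.getResponseTypes(), HttpStatus.BAD_REQUEST);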
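Review bot: In the first hunk the local `extendedGrandTypes` (new lines 402–404) is misspelled, and the add-then-set sequence is more than the operation needs: `newClient.getGrantTypes().add("client_credentials");` adds to the HashSet assigned on the lines just above, though if `setGrantTypes` copies the collection the rename alone, `Set<String> extendedGrantTypes = newClient.getGrantTypes();`, is the safer minimal change. The check added in the last hunk (new lines 463–468) appears unreachable, since a grant set holding `client_credentials` together with `authorization_code` or `implicit` outside dual mode has already been rejected by the blocks at new lines 426–427 and 443–444, unless something between them returns early. If it is meant as a defensive guard, a comment such as `// redundant with the authorization_code/implicit checks above; kept as a guard` would say so; otherwise it can be dropped. `validateGrantTypes` starts before the first hunk and continues past the last.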
