moved CSRF generator to request parser instead of confirmation controller

Author: jricher

openid-connect-server/src/main/java/org/mitre/oauth2/web/OAuthConfirmationController.java

@@ -26,7 +26,6 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
-import java.util.UUID;
 
 import org.mitre.oauth2.model.ClientDetailsEntity;
 import org.mitre.oauth2.model.SystemScope;
@@ -194,9 +193,7 @@ public String confimAccess(Map<String, Object> model, @ModelAttribute("authoriza
 }
 
 // inject a random value for CSRF purposes
-String csrf = UUID.randomUUID().toString();
-model.put("csrf", csrf);
-authRequest.getExtensions().put("csrf", csrf);
+model.put("csrf", authRequest.getExtensions().get("csrf"));
 
 return "approve";
 }

openid-connect-server/src/main/java/org/mitre/openid/connect/ConnectOAuth2RequestFactory.java

@@ -22,6 +22,7 @@
 import java.util.Collections;
 import java.util.Map;
 import java.util.Set;
+import java.util.UUID;
 
 import org.mitre.jwt.encryption.service.JwtEncryptionAndDecryptionService;
 import org.mitre.jwt.signer.service.JwtSigningAndValidationService;
@@ -137,6 +138,13 @@ public AuthorizationRequest createAuthorizationRequest(Map<String, String> input
 }
 }
 
+
+// add CSRF protection to the request on first parse
+String csrf = UUID.randomUUID().toString();
+request.getExtensions().put("csrf", csrf);
+
+
+
 return request;
 }