
Commit 84ff2f5

committed
disallow client secret authentication in HEART mode
1 parent fd452bf commit 84ff2f5


2 files changed

+16
-6
lines changed


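--- a/openid-connect-common/src/main/java/org/mitre/oauth2/service/impl/DefaultClientUserDetailsService.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/service/impl/DefaultClientUserDetailsService.java
@@ -24,6 +24,7 @@
 import org.mitre.oauth2.model.ClientDetailsEntity;
 import org.mitre.oauth2.model.ClientDetailsEntity.AuthMethod;
 import org.mitre.oauth2.service.ClientDetailsEntityService;
+import org.mitre.openid.connect.config.ConfigurationPropertiesBean;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
@@ -50,6 +51,9 @@ public class DefaultClientUserDetailsService implements UserDetailsService {
 @Autowired
 private ClientDetailsEntityService clientDetailsService;
 
+@Autowired
+private ConfigurationPropertiesBean config;
+
 @Override
 public UserDetails loadUserByUsername(String clientId) throws UsernameNotFoundException {
 
@@ -60,9 +64,10 @@ public UserDetails loadUserByUsername(String clientId) throws UsernameNotFoundE
 
 String password = Strings.nullToEmpty(client.getClientSecret());
 
-if (client.getTokenEndpointAuthMethod() != null &&
-(client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY) ||
-client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_JWT))) {
+if (config.isHeartMode() || // if we're running HEART mode turn off all client secrets
+(client.getTokenEndpointAuthMethod() != null &&
+(client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY) ||
+client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_JWT)))) {
 
 // Issue a random password each time to prevent password auth from being used (or skipped)
 // for private key or shared key clients, see #715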
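Review bot: The context comment closing the hunk, `// for private key or shared key clients, see #715`, now understates the branch, because the new condition also enters it for every client whenever `config.isHeartMode()` is true; update it to `// for private key or shared key clients, and for every client in HEART mode, see #715`. The identical predicate is added to UriEncodedClientUserDetailsService in the same commit, so the two copies (and the comment explaining them) would be better kept in one shared helper, e.g. a static `secretAuthDisabled(ConfigurationPropertiesBean, ClientDetailsEntity)`, so the two services cannot drift in which clients they deny secret authentication to. `config` is only field-injected, so an instance built outside the Spring context would NPE on `config.isHeartMode()` before the existing null check on the auth method is reached — presumably not an issue in production, but a `Objects.requireNonNull(config, "config")` at the top of the method, or a setter, would make that failure explicit if tests construct these services directly. `loadUserByUsername` continues past the hunk, so whether `password` is actually replaced inside this branch cannot be confirmed from here.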

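--- a/openid-connect-common/src/main/java/org/mitre/oauth2/service/impl/UriEncodedClientUserDetailsService.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/service/impl/UriEncodedClientUserDetailsService.java
@@ -25,6 +25,7 @@
 import org.mitre.oauth2.model.ClientDetailsEntity;
 import org.mitre.oauth2.model.ClientDetailsEntity.AuthMethod;
 import org.mitre.oauth2.service.ClientDetailsEntityService;
+import org.mitre.openid.connect.config.ConfigurationPropertiesBean;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
@@ -54,6 +55,9 @@ public class UriEncodedClientUserDetailsService implements UserDetailsService {
 @Autowired
 private ClientDetailsEntityService clientDetailsService;
 
+@Autowired
+private ConfigurationPropertiesBean config;
+
 @Override
 public UserDetails loadUserByUsername(String clientId) throws UsernameNotFoundException {
 
@@ -66,9 +70,10 @@ public UserDetails loadUserByUsername(String clientId) throws UsernameNotFoundE
 
 String encodedPassword = UriUtils.encodeQueryParam(Strings.nullToEmpty(client.getClientSecret()), "UTF-8");
 
-if (client.getTokenEndpointAuthMethod() != null &&
-(client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY) ||
-client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_JWT))) {
+if (config.isHeartMode() || // if we're running HEART mode turn off all client secrets
+(client.getTokenEndpointAuthMethod() != null &&
+(client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY) ||
+client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_JWT)))) {
 
 // Issue a random password each time to prevent password auth from being used (or skipped)
 // for private key or shared key clients, see #715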
