feat(jans-auth-server): forbid plain pkce if fapi=true (fapi1-advance…

…d-final-par-plain-pkce-rejected fail) #946 #946
JanssenProject · Mar 2, 2022 · 21cecb0 · 21cecb0
1 parent 0e42c1c
commit 21cecb0
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 3 deletions.
diff --git a/jans-auth-server/server/src/main/java/io/jans/as/server/par/ws/rs/ParRestWebService.java b/jans-auth-server/server/src/main/java/io/jans/as/server/par/ws/rs/ParRestWebService.java
@@ -42,7 +42,6 @@
 import javax.ws.rs.core.SecurityContext;
 import java.net.URI;
 import java.util.List;
-import java.util.Objects;
 import java.util.Optional;
 
 /**
@@ -123,7 +122,7 @@ public Response requestPushedAuthorizationRequest(
                             + "customRespHeaders = {}, claims = {}, tokenBindingHeader = {}",
                     acrValuesStr, amrValuesStr, originHeaders, codeChallenge, codeChallengeMethod, customResponseHeaders, claims, tokenBindingHeader);
 
-            parValidator.validatePkce(codeChallenge, state);
+            parValidator.validatePkce(codeChallenge, codeChallengeMethod, state);
 
             List<ResponseType> responseTypes = ResponseType.fromString(responseType, " ");
             ResponseMode responseModeObj = ResponseMode.getByValue(responseMode);

diff --git a/jans-auth-server/server/src/main/java/io/jans/as/server/par/ws/rs/ParValidator.java b/jans-auth-server/server/src/main/java/io/jans/as/server/par/ws/rs/ParValidator.java
@@ -3,6 +3,7 @@
 import com.google.common.collect.Lists;
 import io.jans.as.common.model.registration.Client;
 import io.jans.as.model.authorize.AuthorizeErrorResponseType;
+import io.jans.as.model.authorize.CodeVerifier;
 import io.jans.as.model.configuration.AppConfiguration;
 import io.jans.as.model.crypto.AbstractCryptoProvider;
 import io.jans.as.model.error.ErrorResponseFactory;
@@ -169,11 +170,20 @@ private void setStateIntoPar(@NotNull RedirectUriResponse redirectUriResponse, @
         }
     }
 
-    public void validatePkce(String codeChallenge, String state) {
+    public void validatePkce(String codeChallenge, String codeChallengeMethod, String state) {
         if (!appConfiguration.isFapi()) {
             return;
         }
+        if (StringUtils.isBlank(codeChallengeMethod) ||
+                CodeVerifier.CodeChallengeMethod.fromString(codeChallengeMethod) == CodeVerifier.CodeChallengeMethod.PLAIN) {
+            log.error("code_challenge_method is invalid: {} (plain or blank method is not allowed)", codeChallengeMethod);
+            throw new WebApplicationException(Response
+                    .status(Response.Status.BAD_REQUEST)
+                    .entity(errorResponseFactory.getErrorAsJson(AuthorizeErrorResponseType.INVALID_REQUEST, state, ""))
+                    .build());
+        }
         if (StringUtils.isBlank(codeChallenge)) {
+            log.error("code_challenge is blank");
             throw new WebApplicationException(Response
                     .status(Response.Status.BAD_REQUEST)
                     .entity(errorResponseFactory.getErrorAsJson(AuthorizeErrorResponseType.INVALID_REQUEST, state, ""))