Throw an exception if the client specifies another value with "none" …

…for "prompt"
apache · May 23, 2016 · e2f9b7d · e2f9b7d
1 parent 5e11c6d
commit e2f9b7d
Show file tree

Hide file tree

Showing 3 changed files with 47 additions and 2 deletions.
diff --git a/.../oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java b/.../oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java
@@ -19,19 +19,26 @@
 package org.apache.cxf.rs.security.oidc.idp;
 
 import java.util.List;
+import java.util.logging.Level;
 
 import javax.ws.rs.core.MultivaluedMap;
+import javax.ws.rs.core.Response;
 
 import org.apache.cxf.rs.security.oauth2.common.Client;
+import org.apache.cxf.rs.security.oauth2.common.OAuthError;
 import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
 import org.apache.cxf.rs.security.oauth2.common.OAuthRedirectionState;
 import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
 import org.apache.cxf.rs.security.oauth2.common.UserSubject;
 import org.apache.cxf.rs.security.oauth2.grants.code.AuthorizationCodeRegistration;
+import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
 import org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
 import org.apache.cxf.rs.security.oidc.utils.OidcUtils;
 
 public class OidcAuthorizationCodeService extends AuthorizationCodeGrantService {
+    private static final String PROMPT_PARAMETER = "prompt";
+
     private boolean skipAuthorizationWithOidcScope;
     @Override
     protected boolean canAuthorizationBeSkipped(Client client,
@@ -47,6 +54,28 @@ protected boolean canAuthorizationBeSkipped(Client client,
     public void setSkipAuthorizationWithOidcScope(boolean skipAuthorizationWithOidcScope) {
         this.skipAuthorizationWithOidcScope = skipAuthorizationWithOidcScope;
     }
+
+    @Override
+    protected Response startAuthorization(MultivaluedMap<String, String> params, 
+                                          UserSubject userSubject,
+                                          Client client) {    
+        // Validate the prompt - if it contains "none" then an error is returned with any other value
+        String prompt = params.getFirst(PROMPT_PARAMETER);
+        if (prompt != null) {
+            String[] promptValues = prompt.trim().split(" ");
+            if (promptValues.length > 1) {
+                for (String promptValue : promptValues) {
+                    if ("none".equals(promptValue)) {
+                        LOG.log(Level.FINE, "The prompt value {} is invalid", prompt);
+                        throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_REQUEST));
+                    }
+                }
+            }
+        }
+
+        return super.startAuthorization(params, userSubject, client);
+    }
+
     protected AuthorizationCodeRegistration createCodeRegistration(OAuthRedirectionState state, 
                                                                    Client client, 
                                                                    List<String> requestedScope, 

diff --git a/...urity/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java b/...urity/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
@@ -23,6 +23,7 @@
 import java.util.List;
 import java.util.Properties;
 import java.util.Set;
+import java.util.logging.Level;
 
 import javax.ws.rs.core.MultivaluedMap;
 import javax.ws.rs.core.Response;
@@ -48,6 +49,8 @@
 
 
 public class OidcImplicitService extends ImplicitGrantService {
+    private static final String PROMPT_PARAMETER = "prompt";
+
     private boolean skipAuthorizationWithOidcScope;
     private OAuthJoseJwtProducer idTokenHandler;
     private IdTokenProvider idTokenProvider;
@@ -74,6 +77,21 @@ protected Response startAuthorization(MultivaluedMap<String, String> params,
             LOG.fine("A nonce is required for the Implicit flow");
             throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_REQUEST));
         }
+
+        // Validate the prompt - if it contains "none" then an error is returned with any other value
+        String prompt = params.getFirst(PROMPT_PARAMETER);
+        if (prompt != null) {
+            String[] promptValues = prompt.trim().split(" ");
+            if (promptValues.length > 1) {
+                for (String promptValue : promptValues) {
+                    if ("none".equals(promptValue)) {
+                        LOG.log(Level.FINE, "The prompt value {} is invalid", prompt);
+                        throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_REQUEST));
+                    }
+                }
+            }
+        }
+
         return super.startAuthorization(params, userSubject, client);
     }
 

diff --git a/...s-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oidc/OIDCNegativeTest.java b/...s-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oidc/OIDCNegativeTest.java
@@ -60,9 +60,7 @@ public static void startServers() throws Exception {
         );
     }
 
-    // TODO
     @org.junit.Test
-    @org.junit.Ignore
     public void testImplicitFlowPromptNone() throws Exception {
         URL busFile = OIDCFlowTest.class.getResource("client.xml");