client secret is required for grant type jwt_bearer

[#146031721] https://www.pivotaltracker.com/story/show/146031721
cloudfoundry · May 31, 2017 · c84e49a · c84e49a
1 parent 55e215e
commit c84e49a
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 5 deletions.
diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/client/ClientAdminEndpointsValidator.java b/server/src/main/java/org/cloudfoundry/identity/uaa/client/ClientAdminEndpointsValidator.java
@@ -124,9 +124,15 @@ public ClientDetails validate(ClientDetails prototype, boolean create, boolean c
             requestedGrantTypes.add("refresh_token");
         }
 
-        if(requestedGrantTypes.contains(GRANT_TYPE_JWT_BEARER) && (client.getScope() == null || client.getScope().isEmpty())) {
-            logger.debug("Invalid client: " + clientId +". Scope cannot be empty for grant_type " + GRANT_TYPE_JWT_BEARER);
-            throw new InvalidClientDetailsException("Scope cannot be empty for grant_type " + GRANT_TYPE_JWT_BEARER);
+        if(requestedGrantTypes.contains(GRANT_TYPE_JWT_BEARER)) {
+            if(client.getScope() == null || client.getScope().isEmpty()) {
+                logger.debug("Invalid client: " + clientId +". Scope cannot be empty for grant_type " + GRANT_TYPE_JWT_BEARER);
+                throw new InvalidClientDetailsException("Scope cannot be empty for grant_type " + GRANT_TYPE_JWT_BEARER);
+            }
+            if(!StringUtils.hasText(client.getClientSecret())) {
+                logger.debug("Invalid client: " + clientId +". Scope cannot be empty for grant_type " + GRANT_TYPE_JWT_BEARER);
+                throw new InvalidClientDetailsException("Client secret is required for grant type " + GRANT_TYPE_JWT_BEARER);
+            }
         }
 
         if (checkAdmin &&

diff --git a/...rc/test/java/org/cloudfoundry/identity/uaa/client/ClientAdminEndpointsValidatorTests.java b/...rc/test/java/org/cloudfoundry/identity/uaa/client/ClientAdminEndpointsValidatorTests.java
@@ -104,9 +104,18 @@ public void test_validate_jwt_bearer_grant_type() throws Exception {
     }
 
     @Test
-    public void test_validate_jwt_bearer_grant_type_invalid() throws Exception {
+    public void test_validate_jwt_bearer_grant_type_without_secret() throws Exception {
+        client.setAuthorizedGrantTypes(Arrays.asList(GRANT_TYPE_JWT_BEARER));
+        client.setScope(Collections.singleton(client.getClientId()+".write"));
+        client.setClientSecret("");
+        expectedException.expect(InvalidClientDetailsException.class);
+        expectedException.expectMessage("Client secret is required for grant type "+GRANT_TYPE_JWT_BEARER);
+        validator.validate(client, true, true);
+    }
+
+    @Test
+    public void test_validate_jwt_bearer_grant_type_without_scopes() throws Exception {
         client.setAuthorizedGrantTypes(Arrays.asList(GRANT_TYPE_JWT_BEARER));
-        client.setRegisteredRedirectUri(Collections.singleton("http://anything.com"));
         expectedException.expect(InvalidClientDetailsException.class);
         expectedException.expectMessage("Scope cannot be empty for grant_type "+GRANT_TYPE_JWT_BEARER);
         validator.validate(client, true, true);