Improve reuse JWT validation logic.

wso2-extensions · Jun 26, 2024 · fadc560 · fadc560
1 parent def8928
commit fadc560
Showing 1 changed file with 27 additions and 7 deletions.
diff --git a/...on.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthAdminServiceImpl.java b/...on.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthAdminServiceImpl.java
@@ -429,8 +429,8 @@ OAuthConsumerAppDTO registerAndRetrieveOAuthApplicationData(OAuthConsumerAppDTO
                             app.setTokenEndpointAuthMethod(tokenEndpointAuthMethod);
                         }
                         Boolean tokenEndpointReusePvtKeyJWT = application.isTokenEndpointAllowReusePvtKeyJwt();
-                        if (tokenEndpointAuthMethod != null && !tokenEndpointAuthMethod.equals(PRIVATE_KEY_JWT)
-                                && tokenEndpointReusePvtKeyJWT != null) {
+                        if (isInvalidTokenEPReusePvtKeyJWTRequest(tokenEndpointAuthMethod,
+                                tokenEndpointReusePvtKeyJWT)) {
                             throw handleClientError(INVALID_REQUEST,
                                     "Invalid token endpoint authentication method requested.");
                         }
@@ -858,11 +858,10 @@ void updateConsumerApplication(OAuthConsumerAppDTO consumerAppDTO, boolean enabl
             }
             oAuthAppDO.setTokenEndpointAuthMethod(tokenEndpointAuthMethod);
 
-            // Todo: Do we really need to throw an error. Though the auth mechanism is not pvt ket jwt there's no harm
-            //  in storing this either.
-            boolean tokenEndpointReusePvtKeyJWT = consumerAppDTO.isTokenEndpointAllowReusePvtKeyJwt();
-            if (!tokenEndpointAuthMethod.equals(PRIVATE_KEY_JWT) && tokenEndpointReusePvtKeyJWT) {
-                throw handleClientError(INVALID_REQUEST, "Invalid token endpoint authentication method requested.");
+            Boolean tokenEndpointReusePvtKeyJWT = consumerAppDTO.isTokenEndpointAllowReusePvtKeyJwt();
+            if (isInvalidTokenEPReusePvtKeyJWTRequest(tokenEndpointAuthMethod, tokenEndpointReusePvtKeyJWT)) {
+                throw handleClientError(INVALID_REQUEST,
+                        "Invalid token endpoint authentication method requested.");
             }
             oAuthAppDO.setTokenEndpointAllowReusePvtKeyJwt(tokenEndpointReusePvtKeyJWT);
 
@@ -2503,6 +2502,27 @@ private void handleInternalTokenRevocation(String consumerKey, Properties proper
         }
     }
 
+    /**
+     * Return whether the request of updating the tokenEndpointReusePvtKeyJWT is valid.
+     *
+     * @param tokenEndpointAuthMethod     token endpoint client authentication method.
+     * @param tokenEndpointReusePvtKeyJWT During client authentication whether to reuse private key JWT.
+     * @return True if tokenEndpointAuthMethod and tokenEndpointReusePvtKeyJWT is NOT in the correct format.
+     */
+    private boolean isInvalidTokenEPReusePvtKeyJWTRequest(String tokenEndpointAuthMethod,
+                                                          Boolean tokenEndpointReusePvtKeyJWT) {
+
+        if (StringUtils.isNotBlank(tokenEndpointAuthMethod)){
+            if (tokenEndpointAuthMethod.equals(PRIVATE_KEY_JWT)){
+                return tokenEndpointReusePvtKeyJWT == null;
+            } else {
+                return tokenEndpointReusePvtKeyJWT != null;
+            }
+        } else {
+            return tokenEndpointReusePvtKeyJWT != null;
+        }
+    }
+
     /**
      * FAPI validation to restrict the token endpoint authentication methods.
      * Link - https://openid.net/specs/openid-financial-api-part-2-1_0.html#authorization-server (5.2.2 - 14)