cxf-issues mailing list archives

From "Sergey Beryozkin (JIRA)" <>
Subject [jira] [Commented] (CXF-5394) ImplicitGrantService always redirect to broken redirect url
Date Mon, 18 Nov 2013 21:43:21 GMT


Sergey Beryozkin commented on CXF-5394:

Section 4.2.2 clearly states that the parameters listed in that section can be added to the
fragment component; I'm not sure where you see that only the access token can be added
to the fragment. The example in that section simply shows the access_token being listed the
The encoding issue is a genuine bug though, I've got it fixed; the easy workaround is to offer
a composite value like "read_write".

> ImplicitGrantService always redirect to broken redirect url
> -----------------------------------------------------------
>                 Key: CXF-5394
>                 URL:
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS Security
>    Affects Versions: 2.7.7
>         Environment: irrelevant
>            Reporter: Jason Wang
>            Assignee: Sergey Beryozkin
>            Priority: Critical
>             Fix For: 3.0.0, 2.7.8, 2.6.11
> will build a redirectURL based on the input given to createGrant method, and redirect to such url.
> I have discovered 2 issues with the building of the URL.
> 1. "state" is added as a fragment, not a query parameter, whereas token got added as
> a query parameter. According to the spec, only the access token should be appended as the
> See
> Example valid URL:
>                &state=xyz&token_type=example&expires_in=3600
> Actual output:
>                &token_type=example&expires_in=3600
> 2. If there are more than one OauthPermissions in the token, the OAuthUtils.convertPermissionsToScope
> method will simply join them with space. For example if perms are "read" and "write",
> the built url will be
>                &token_type=example&expires_in=3600&scope=read write
> Spaces are not escaped.
> With those two bugs, especially the 1st one, there is no way to get oauth2 implicit flow
> to work with the current version of CXF.
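As an added illustration, not code from CXF or from either poster, the block below builds the implicit-grant redirect the way RFC 6749 section 4.2.2 describes (every response parameter in the fragment, percent-encoded) next to a builder that reproduces the two defects in the report, and parses the result the way a fragment-reading client would. The client URI and token values are constructed sample values.

```python
from urllib.parse import urlencode, urlsplit, parse_qs, quote

# Constructed sample values for the example; not taken from the CXF code base.
REDIRECT_URI = "https://client.example.test/cb"
SAMPLE_TOKEN = "2YotnFZFEjr1zCsicMWpAA"


def build_implicit_redirect(redirect_uri, access_token, token_type, expires_in,
                            scope=(), state=None):
    """Spec-compliant implicit grant redirect: all parameters in the fragment.

    scope is a sequence of permission names; the spec joins them with a space,
    and urlencode percent-encodes that space (quote_via=quote gives %20, not +).
    """
    params = {
        "access_token": access_token,
        "token_type": token_type,
        "expires_in": str(expires_in),
    }
    if scope:
        params["scope"] = " ".join(scope)
    if state is not None:
        params["state"] = state
    return f"{redirect_uri}#{urlencode(params, quote_via=quote)}"


def build_broken_redirect(redirect_uri, access_token, token_type, expires_in,
                          scope=(), state=None):
    """Reproduces the behaviour described in CXF-5394: token parameters end up
    in the query component, state alone goes into the fragment, and the scope
    values are joined with a raw, unescaped space."""
    query = (f"access_token={access_token}&token_type={token_type}"
             f"&expires_in={expires_in}")
    if scope:
        query += "&scope=" + " ".join(scope)
    url = f"{redirect_uri}?{query}"
    if state is not None:
        url += f"#state={state}"
    return url


def parse_fragment_response(url):
    """What a client following section 4.2.2 does: read only the fragment.
    Anything placed in the query string is invisible to it."""
    fragment = urlsplit(url).fragment
    return {key: values[0] for key, values in parse_qs(fragment).items()}
```

Parsing the broken URL yields only the state value, which is why the reporter could not complete the flow; the fixed URL round-trips scope "read write" and state together.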
