cxf-issues mailing list archives

From "Sergey Beryozkin (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CXF-5394) ImplicitGrantService always redirect to broken redirect url
Date Tue, 19 Nov 2013 10:33:21 GMT

    [ https://issues.apache.org/jira/browse/CXF-5394?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13826375#comment-13826375 ]

Sergey Beryozkin commented on CXF-5394:
---------------------------------------

> I think the spec says the access_token must be a segment, not query. As when you call
that url, the segment will not be passed back to the server. We do not need the token to be passed
back, that's why. So it was a genuine bug which just got fixed now.

All we see in the spec example is '&' separators, but we do not see a query component '?'
marker: the whole '&'-separated sequence follows a '#' fragment marker. Calling such a
URI would most likely miss the fragment values; I've seen it elsewhere, the fragment is dropped
along the way somehow. But this URI is not designed to be called upon; I believe it's for the
in-browser client to be able to get to the fragment easily.

> Another thing is that the scope value, according to the spec, is a space separated string,
I can see you used "+" instead. 

This is how a space gets encoded per the rules of the application/x-www-form-urlencoded type
(as the OAuth2 spec requires); URL-decoding the value will give you a space-separated sequence.

> why not use UriBuilder instead of handcrafting the url

I did not see a major need for it, maybe at some later stage if needed.


> ImplicitGrantService always redirect to broken redirect url
> -----------------------------------------------------------
>
>                 Key: CXF-5394
>                 URL: https://issues.apache.org/jira/browse/CXF-5394
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS Security
>    Affects Versions: 2.7.7
>         Environment: irrelevant 
>            Reporter: Jason Wang
>            Assignee: Sergey Beryozkin
>            Priority: Critical
>             Fix For: 3.0.0, 2.7.8, 2.6.11
>
>
> org.apache.cxf.rs.security.oauth2.services.ImplicitGrantService will build a redirectURL
based on the input given to createGrant method, and redirect to such url.
> I have discovered 2 issues with the building of the URL.
> 1. "state" is added as a fragment, not a query parameter, whereas the token got added as
a query parameter. According to the spec, only the access token should be appended as the
fragment.
> See http://tools.ietf.org/html/rfc6749#section-4.2.2
> Example valid URL: http://example.com/cb#access_token=2YotnFZFEjr1zCsicMWpAA
>                &state=xyz&token_type=example&expires_in=3600
> Actual output:
> http://example.com/cb#state=xyz&access_token=2YotnFZFEjr1zCsicMWpAA
>                &token_type=example&expires_in=3600
> 2. If there are more than one OAuthPermission in the token, the OAuthUtils.convertPermissionsToScope
method will simply join them with a space. For example, if the perms are "read" and "write",
the built url will be
> http://example.com/cb#state=xyz&access_token=2YotnFZFEjr1zCsicMWpAA
>                &token_type=example&expires_in=3600&scope=read write
> Spaces are not escaped.
> With those two bugs, especially the 1st one, there is no way to get oauth2 implicit flow
to work with the current version of CXF.
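An added example, not code from Apache CXF, showing both halves of the exchange discussed in the comment and the report above: the server builds the RFC 6749 section 4.2.2 redirect URI with every parameter in the fragment (scope form-encoded, so the space becomes '+'), and the browser-side client decodes it and rejects a token that arrived in the query instead. Function names and the sample token values are assumptions; only the URL and URLSearchParams globals are used, so it runs in Node.js or a browser.

```javascript
// Added example, not code from Apache CXF: the implicit-grant redirect URI from
// RFC 6749 section 4.2.2, built on the server and consumed in the browser.
// Only the URL and URLSearchParams globals are used (Node.js or any browser).

// Server side: every response parameter goes into the fragment, never the query,
// encoded as application/x-www-form-urlencoded (so a space in scope becomes '+').
function buildImplicitRedirect(redirectUri, token, state) {
  const url = new URL(redirectUri);
  if (url.hash !== '') throw new Error('registered redirect URI must not contain a fragment');
  const params = new URLSearchParams();
  params.set('access_token', token.accessToken);
  if (state !== undefined) params.set('state', state);      // echoed back exactly as received
  params.set('token_type', token.tokenType);
  if (token.expiresIn !== undefined) params.set('expires_in', String(token.expiresIn));
  if (token.scopes && token.scopes.length) params.set('scope', token.scopes.join(' '));
  url.hash = params.toString();                             // 'read write' -> 'scope=read+write'
  return url.toString();
}

// Client side: a fragment is not sent with the request, so the page loaded at the redirect
// URI reads it from location.hash (passed in here so the code also runs outside a browser).
function parseImplicitResponse(locationHref, expectedState) {
  const url = new URL(locationHref);
  const params = new URLSearchParams(url.hash.slice(1));    // drops the leading '#'
  if (params.has('error')) throw new Error('authorization error: ' + params.get('error'));
  // A token in the query component would have reached the server (and its logs), which
  // the implicit flow is designed to avoid; treat such a response as invalid.
  if (url.searchParams.has('access_token')) throw new Error('access_token must be in the fragment, not the query');
  if (params.get('state') !== expectedState) throw new Error('state mismatch');
  const accessToken = params.get('access_token');
  if (!accessToken) throw new Error('access_token missing from fragment');
  return {
    accessToken,
    tokenType: params.get('token_type'),
    expiresIn: params.has('expires_in') ? Number(params.get('expires_in')) : undefined,
    scopes: params.has('scope') ? params.get('scope').split(' ') : [],  // '+' is decoded to ' '
  };
}

// Constructed sample values (the token string is the one used in the RFC example).
const SAMPLE_TOKEN = { accessToken: '2YotnFZFEjr1zCsicMWpAA', tokenType: 'example',
                       expiresIn: 3600, scopes: ['read', 'write'] };
// Constructed shape of a wrong response: token in the query, state in the fragment.
const BROKEN_RESPONSE = 'http://example.com/cb?access_token=2YotnFZFEjr1zCsicMWpAA#state=xyz';
```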



--
This message was sent by Atlassian JIRA
(v6.1#6144)
