cxf-issues mailing list archives

From "Jason Wang (JIRA)" <j...@apache.org>
Subject [jira] [Created] (CXF-5395) ImplicitGrantService always redirect to broken redirect url
Date Mon, 18 Nov 2013 17:33:21 GMT
Jason Wang created CXF-5395:
-------------------------------

             Summary: ImplicitGrantService always redirect to broken redirect url
                 Key: CXF-5395
                 URL: https://issues.apache.org/jira/browse/CXF-5395
             Project: CXF
          Issue Type: Bug
          Components: JAX-RS Security
    Affects Versions: 2.7.7
         Environment: irrelevant 
            Reporter: Jason Wang
            Priority: Critical


org.apache.cxf.rs.security.oauth2.services.ImplicitGrantService will build a redirect URL based
on the input given to the createGrant method, and redirect to that URL.

I have discovered 2 issues with the building of the URL.

1. "state" is added as a fragment, not a query parameter, whereas the token gets added as a query
parameter. According to the spec, only the access token should be appended as the fragment.


See http://tools.ietf.org/html/rfc6749#section-4.2.2
Example valid URL: http://example.com/cb#access_token=2YotnFZFEjr1zCsicMWpAA
               &state=xyz&token_type=example&expires_in=3600
Actual output:
http://example.com/cb#state=xyz&access_token=2YotnFZFEjr1zCsicMWpAA
               &token_type=example&expires_in=3600

2. If there is more than one OAuthPermission in the token, the OAuthUtils.convertPermissionsToScope
method will simply join them with a space. For example, if the perms are "read" and "write",
the built URL will be

http://example.com/cb#state=xyz&access_token=2YotnFZFEjr1zCsicMWpAA
               &token_type=example&expires_in=3600&scope=read write

Spaces are not escaped.

With those two bugs, especially the first one, there is no way to get the OAuth2 implicit flow to
work with the current version of CXF.




--
This message was sent by Atlassian JIRA
(v6.1#6144)
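To show what a spec-conformant implicit-grant redirect looks like, and to give a concrete check for the two defects described in the report, here is an added example in Python. It is not CXF code and does not reproduce ImplicitGrantService; it builds the redirect URL the way RFC 6749 section 4.2.2 describes (every parameter, including state, in the fragment, form-urlencoded so that a multi-valued scope has no raw spaces) and includes a validator that flags a URL which puts parameters in the query or leaves spaces unescaped. The function names, the sample token "2YotnFZFEjr1zCsicMWpAA" and the "read write" scope are taken from or modelled on the report's own example values; the redirect_uri handling (preserving an existing query string, rejecting a URI that already has a fragment, per RFC 6749 section 3.1.2) is my addition.

```python
from urllib.parse import parse_qs, quote, urlencode, urlsplit, urlunsplit


def build_implicit_redirect(redirect_uri, access_token, token_type,
                            expires_in=None, scope=None, state=None):
    """Build the redirect URL for the OAuth2 implicit grant (RFC 6749 s4.2.2).

    All response parameters go into the URI fragment, never the query, so the
    token is not sent to the redirect server or leaked via Referer/server logs.
    `scope` is an iterable of scope strings; they are space-separated and then
    percent-encoded, so "read write" becomes "read%20write".
    (Added example, not CXF's implementation.)
    """
    parts = urlsplit(redirect_uri)
    if parts.fragment:
        # A registered redirect URI must not carry a fragment (RFC 6749 s3.1.2).
        raise ValueError("redirect_uri must not contain a fragment component")

    params = [("access_token", access_token), ("token_type", token_type)]
    if expires_in is not None:
        params.append(("expires_in", str(expires_in)))
    if scope:
        params.append(("scope", " ".join(scope)))
    if state is not None:
        # state is echoed back unchanged, but in the fragment like everything else.
        params.append(("state", state))

    # quote (not quote_plus) encodes a space as %20 rather than '+'; both are
    # acceptable application/x-www-form-urlencoded forms per RFC 6749 appendix B.
    fragment = urlencode(params, quote_via=quote)
    # Keep any query string the client registered; only the fragment is ours.
    return urlunsplit((parts.scheme, parts.netloc, parts.path, parts.query, fragment))


def check_implicit_redirect(url):
    """Return a list of problems found in an implicit-grant redirect URL.

    An empty list means the URL matches the shape RFC 6749 s4.2.2 requires.
    """
    problems = []
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    fragment = parts.fragment

    for name in ("access_token", "state", "scope", "token_type", "expires_in"):
        if name in query:
            problems.append("%s must be in the fragment, not the query" % name)

    if " " in fragment:
        # This is the second defect from the report: "scope=read write".
        problems.append("unescaped space in fragment")

    frag_params = parse_qs(fragment)
    if "access_token" not in frag_params:
        problems.append("access_token missing from fragment")
    if "token_type" not in frag_params:
        problems.append("token_type missing from fragment")
    if "expires_in" in frag_params and not frag_params["expires_in"][0].isdigit():
        problems.append("expires_in is not an integer")
    return problems


if __name__ == "__main__":
    # Constructed inputs modelled on the report's example.
    good = build_implicit_redirect("http://example.com/cb", "2YotnFZFEjr1zCsicMWpAA",
                                   "example", expires_in=3600,
                                   scope=["read", "write"], state="xyz")
    print(good)
    print(check_implicit_redirect(good))
    # The shape the report complains about: unescaped space in the scope value.
    print(check_implicit_redirect(
        "http://example.com/cb#state=xyz&access_token=2YotnFZFEjr1zCsicMWpAA"
        "&token_type=example&expires_in=3600&scope=read write"))
```

Running the script prints the conformant URL, an empty problem list for it, and a one-item list ("unescaped space in fragment") for the report's broken form. The validator is the useful piece for a defender: it can be pointed at the Location header an authorization server emits to catch a token that has slipped into the query string, where it would be exposed to the redirect server and to proxy logs.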
