
feat(jans-auth-server): forbid plain pkce if fapi=true (fapi1-advance…
…d-final-par-plain-pkce-rejected fail) #946

#946
yuriyz committed Mar 2, 2022
1 parent 0e42c1c commit 21cecb0
Showing 2 changed files with 12 additions and 3 deletions.
Expand Up @@ -42,7 +42,6 @@
import javax.ws.rs.core.SecurityContext;
import java.net.URI;
import java.util.List;
import java.util.Objects;
import java.util.Optional;

/**
Expand Down Expand Up @@ -123,7 +122,7 @@ public Response requestPushedAuthorizationRequest(
+ "customRespHeaders = {}, claims = {}, tokenBindingHeader = {}",
acrValuesStr, amrValuesStr, originHeaders, codeChallenge, codeChallengeMethod, customResponseHeaders, claims, tokenBindingHeader);

parValidator.validatePkce(codeChallenge, state);
parValidator.validatePkce(codeChallenge, codeChallengeMethod, state);

List<ResponseType> responseTypes = ResponseType.fromString(responseType, " ");
ResponseMode responseModeObj = ResponseMode.getByValue(responseMode);
Expand Up @@ -3,6 +3,7 @@
import com.google.common.collect.Lists;
import io.jans.as.common.model.registration.Client;
import io.jans.as.model.authorize.AuthorizeErrorResponseType;
import io.jans.as.model.authorize.CodeVerifier;
import io.jans.as.model.configuration.AppConfiguration;
import io.jans.as.model.crypto.AbstractCryptoProvider;
import io.jans.as.model.error.ErrorResponseFactory;
Expand Down Expand Up @@ -169,11 +170,20 @@ private void setStateIntoPar(@NotNull RedirectUriResponse redirectUriResponse, @
}
}

public void validatePkce(String codeChallenge, String state) {
public void validatePkce(String codeChallenge, String codeChallengeMethod, String state) {
if (!appConfiguration.isFapi()) {
return;
}
if (StringUtils.isBlank(codeChallengeMethod) ||
CodeVerifier.CodeChallengeMethod.fromString(codeChallengeMethod) == CodeVerifier.CodeChallengeMethod.PLAIN) {
log.error("code_challenge_method is invalid: {} (plain or blank method is not allowed)", codeChallengeMethod);
throw new WebApplicationException(Response
.status(Response.Status.BAD_REQUEST)
.entity(errorResponseFactory.getErrorAsJson(AuthorizeErrorResponseType.INVALID_REQUEST, state, ""))
.build());
}
if (StringUtils.isBlank(codeChallenge)) {
log.error("code_challenge is blank");
throw new WebApplicationException(Response
.status(Response.Status.BAD_REQUEST)
.entity(errorResponseFactory.getErrorAsJson(AuthorizeErrorResponseType.INVALID_REQUEST, state, ""))
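Review bot: The new guard in validatePkce rejects only a blank method and `plain`, so any value that `CodeVerifier.CodeChallengeMethod.fromString` does not map to PLAIN — presumably including an unrecognised string, if fromString returns null for it — passes the FAPI check, although FAPI mandates S256 specifically. Comparing against the required method is both stricter and simpler: `if (CodeVerifier.CodeChallengeMethod.fromString(codeChallengeMethod) != CodeVerifier.CodeChallengeMethod.S256) {`, with the log message changed to say that S256 is required; whether fromString matches case-insensitively cannot be told from the hunk, so that is worth confirming before relying on it. Because the method is checked before the challenge, a request that omits code_challenge but sends `plain` is reported as a bad method rather than a missing challenge — acceptable, but a one-line comment such as `// method is validated first so a plain/blank method is reported even when code_challenge is also missing` would make the ordering deliberate. The two WebApplicationException branches build an identical INVALID_REQUEST response; a small private helper taking `state` would remove the duplication. validatePkce's body continues past the end of the hunk.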
