feat(jans-auth-server): reject par without pkce for fapi

#875
JanssenProject · Feb 28, 2022 · 332df41 · 332df41
1 parent 363cf0e
commit 332df41
Show file tree

Hide file tree

Showing 3 changed files with 67 additions and 0 deletions.
diff --git a/jans-auth-server/server/src/main/java/io/jans/as/server/par/ws/rs/ParRestWebService.java b/jans-auth-server/server/src/main/java/io/jans/as/server/par/ws/rs/ParRestWebService.java
@@ -123,6 +123,8 @@ public Response requestPushedAuthorizationRequest(
                             + "customRespHeaders = {}, claims = {}, tokenBindingHeader = {}",
                     acrValuesStr, amrValuesStr, originHeaders, codeChallenge, codeChallengeMethod, customResponseHeaders, claims, tokenBindingHeader);
 
+            parValidator.validatePkce(codeChallenge, state);
+
             List<ResponseType> responseTypes = ResponseType.fromString(responseType, " ");
             ResponseMode responseModeObj = ResponseMode.getByValue(responseMode);
 

diff --git a/jans-auth-server/server/src/main/java/io/jans/as/server/par/ws/rs/ParValidator.java b/jans-auth-server/server/src/main/java/io/jans/as/server/par/ws/rs/ParValidator.java
@@ -26,6 +26,7 @@
 import javax.enterprise.context.ApplicationScoped;
 import javax.inject.Inject;
 import javax.ws.rs.WebApplicationException;
+import javax.ws.rs.core.Response;
 import java.util.Date;
 import java.util.Set;
 
@@ -167,4 +168,16 @@ private void setStateIntoPar(@NotNull RedirectUriResponse redirectUriResponse, @
             redirectUriResponse.setState("");
         }
     }
+
+    public void validatePkce(String codeChallenge, String state) {
+        if (!appConfiguration.isFapi()) {
+            return;
+        }
+        if (StringUtils.isBlank(codeChallenge)) {
+            throw new WebApplicationException(Response
+                    .status(Response.Status.BAD_REQUEST)
+                    .entity(errorResponseFactory.getErrorAsJson(AuthorizeErrorResponseType.INVALID_REQUEST, state, ""))
+                    .build());
+        }
+    }
 }
diff --git a/jans-auth-server/server/src/test/java/io/jans/as/server/par/ws/rs/ParValidatorTest.java b/jans-auth-server/server/src/test/java/io/jans/as/server/par/ws/rs/ParValidatorTest.java
@@ -0,0 +1,52 @@
+package io.jans.as.server.par.ws.rs;
+
+import io.jans.as.model.configuration.AppConfiguration;
+import io.jans.as.model.error.ErrorResponseFactory;
+import org.mockito.InjectMocks;
+import org.mockito.Mock;
+import org.mockito.testng.MockitoTestNGListener;
+import org.testng.annotations.Listeners;
+import org.testng.annotations.Test;
+
+import javax.ws.rs.WebApplicationException;
+
+import static org.mockito.Mockito.when;
+
+/**
+ * @author Yuriy Zabrovarnyy
+ */
+@Listeners(MockitoTestNGListener.class)
+public class ParValidatorTest {
+
+    @InjectMocks
+    private ParValidator parValidator;
+
+    @Mock
+    private AppConfiguration appConfiguration;
+
+    @Mock
+    private ErrorResponseFactory errorResponseFactory; // mock is required
+
+    @SuppressWarnings("java:S5976") // we do want separate methods with clear names. Clarity of use case.
+    @Test
+    public void validatePkce_whenFapiIsFalse_shouldNotThrowError() {
+        when(appConfiguration.isFapi()).thenReturn(false);
+
+        parValidator.validatePkce(null, null);
+    }
+
+    @Test(expectedExceptions = WebApplicationException.class)
+    public void validatePkce_whenFapiIsTrueAndNoCodeChallenage_shouldThrowError() {
+        when(appConfiguration.isFapi()).thenReturn(true);
+
+        parValidator.validatePkce(null, null);
+    }
+
+    @Test
+    public void validatePkce_whenFapiIsTrueAndCodeChallenageIsSet_shouldNotThrowError() {
+        when(appConfiguration.isFapi()).thenReturn(true);
+
+        parValidator.validatePkce("codechallangehere", null);
+    }
+
+}