Merge pull request #1009 from JanssenProject/jans-auth-server-issue-999
fix(jans-auth-server): validate pkce after extraction data from request object (#999)
yuriyz authored Mar 10, 2022
2 parents 3f58aff + 29fdfae commit b73a5fe
Showing 1 changed file with 2 additions and 2 deletions.
Expand Up @@ -122,8 +122,6 @@ public Response requestPushedAuthorizationRequest(
+ "customRespHeaders = {}, claims = {}, tokenBindingHeader = {}",
acrValuesStr, amrValuesStr, originHeaders, codeChallenge, codeChallengeMethod, customResponseHeaders, claims, tokenBindingHeader);

parValidator.validatePkce(codeChallenge, codeChallengeMethod, state);

List<ResponseType> responseTypes = ResponseType.fromString(responseType, " ");
ResponseMode responseModeObj = ResponseMode.getByValue(responseMode);

Expand Down Expand Up @@ -173,6 +171,8 @@ public Response requestPushedAuthorizationRequest(
par.getAttributes().setCustomParameters(requestParameterService.getCustomParameters(QueryStringDecoder.decode(httpRequest.getQueryString())));

parValidator.validateRequestObject(redirectUriResponse, par, client);

parValidator.validatePkce(par.getAttributes().getCodeChallenge(), par.getAttributes().getCodeChallengeMethod(), state);
authorizeRestWebServiceValidator.validatePkce(par.getAttributes().getCodeChallenge(), redirectUriResponse);

parService.persist(par);
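Review bot: The moved `parValidator.validatePkce(...)` call on the new side carries no explanation of why it must sit after `validateRequestObject`, and the ordering is the whole point of the fix; the next reader may well move it back up next to the logging. I would add a one-line comment above it such as `// PKCE is validated only after the request object has been merged into par, so a code_challenge supplied inside the request object is also checked.` Note also that the call still passes the raw `state` request parameter while the challenge values now come from `par.getAttributes()`; if the request object can override `state` as well, the error response could reference the wrong state value — worth confirming against `validateRequestObject`. The enclosing `requestPushedAuthorizationRequest` method starts before the first hunk and continues after `parService.persist(par)`.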
