Uploaded image for project: 'CXF'
  1. CXF
  2. CXF-5395

ImplicitGrantService always redirect to broken redirect url

Attach filesAttach ScreenshotVotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Critical
    • Resolution: Fixed
    • 2.7.7
    • 3.0.0-milestone1, 2.7.8
    • JAX-RS Security
    • None
    • irrelevant

    • Novice

    Description

      org.apache.cxf.rs.security.oauth2.services.ImplicitGrantService will build a redirectURL based on the input given to createGrant method, and redirect to such url.

      I have discovered 2 issues with the building of the URL.

      1. "state" is added as a fragment, not a query parameter, whereas token got added as a query parameter. According to the spec, only the access token should be appended as the fragment.

      See http://tools.ietf.org/html/rfc6749#section-4.2.2
      Example valid URL: http://example.com/cb#access_token=2YotnFZFEjr1zCsicMWpAA
      &state=xyz&token_type=example&expires_in=3600
      Actual output:
      http://example.com/cb#state=xyz&access_token=2YotnFZFEjr1zCsicMWpAA
      &token_type=example&expires_in=3600

      2.if there are more than one OauthPermissions in the token, the OAuthUtils.convertPermissionsToScope method will simply join the them with space. For example if perms are "read" and "write", the built url will be

      http://example.com/cb#state=xyz&access_token=2YotnFZFEjr1zCsicMWpAA
      &token_type=example&expires_in=3600&scope=read write

      Spaces are not escaped.

      With those two bugs, especially the 1st one, there is no way to get oauth2 implicit flow to work with the current version of CXF.

      Attachments

        Activity

          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            sergey_beryozkin Sergey Beryozkin
            jasonw_nz Jason Wang
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Slack

                Issue deployment