
AbstractOAuthDataProvider.refreshAccessToken method can't handle an invalid refresh token

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.1.2
    • Fix Version/s: 3.1.3, 3.0.7
    • Component/s: JAX-RS Security
    • Labels:
      None
    • Estimated Complexity:
      Unknown

      Description

      The refreshAccessToken method calls revokeRefreshAndAccessTokens, which calls revokeRefreshToken, which is an abstract method which declares no exceptions.

      Implementations assume that the method will return null if the refresh token doesn't exist (see the DefaultEHCacheOAuthDataProvider, although the DefaultEncryptingOAuthDataProvider implementation may throw a SecurityException in that case as it can't really / doesn't support revoking).

      However, if null is returned, refreshAccessToken passes that null to doRefreshAccessToken, which then fails with a NullPointerException.

      I suggest that refreshAccessToken check for a null refresh token and throw an OAuthServiceException, possibly with OAuthConstants.ACCESS_DENIED.
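      The control flow the report describes, and the null check it proposes, as a self-contained illustration added here (this is not CXF's code; the RefreshToken, ServerAccessToken, OAuthServiceException and provider classes below are toy stand-ins, and the "access_denied" string is assumed to mirror the value of OAuthConstants.ACCESS_DENIED). The practical point for a server operator is the difference in what the client sees: without the guard, an unknown or already-consumed refresh token surfaces as an unhandled NullPointerException (a generic server error), whereas with the guard it becomes a proper OAuth error response that is easy to log and alert on.

```java
import java.util.HashMap;
import java.util.Map;

// Constructed stand-ins for the CXF types named in the report (not CXF's classes).
class RefreshToken {
    final String tokenKey;
    final String clientId;
    RefreshToken(String tokenKey, String clientId) { this.tokenKey = tokenKey; this.clientId = clientId; }
}

class ServerAccessToken {
    final String tokenKey;
    ServerAccessToken(String tokenKey) { this.tokenKey = tokenKey; }
}

class OAuthServiceException extends RuntimeException {
    OAuthServiceException(String error) { super(error); }
}

abstract class ToyOAuthDataProvider {
    // Assumed to mirror OAuthConstants.ACCESS_DENIED.
    static final String ACCESS_DENIED = "access_denied";

    // Abstract and declares no exceptions: implementations return null for an unknown key,
    // as the report says DefaultEHCacheOAuthDataProvider does.
    abstract RefreshToken revokeRefreshToken(String refreshTokenKey);

    // Shape of the behaviour reported as a bug: a null flows straight into doRefreshAccessToken.
    ServerAccessToken refreshAccessTokenBuggy(String refreshTokenKey) {
        RefreshToken current = revokeRefreshToken(refreshTokenKey);
        return doRefreshAccessToken(current); // NullPointerException when current == null
    }

    // Shape of the suggested fix: reject a missing token before dereferencing it.
    ServerAccessToken refreshAccessTokenGuarded(String refreshTokenKey) {
        RefreshToken current = revokeRefreshToken(refreshTokenKey);
        if (current == null) {
            throw new OAuthServiceException(ACCESS_DENIED);
        }
        return doRefreshAccessToken(current);
    }

    ServerAccessToken doRefreshAccessToken(RefreshToken old) {
        // Dereferences the old token; this is where the NPE surfaces in the buggy path.
        return new ServerAccessToken("at-for-" + old.clientId);
    }
}

// Minimal in-memory provider: revoking removes the token and returns null if it was absent.
class InMemoryProvider extends ToyOAuthDataProvider {
    private final Map<String, RefreshToken> refreshTokens = new HashMap<>();
    void store(RefreshToken t) { refreshTokens.put(t.tokenKey, t); }
    @Override RefreshToken revokeRefreshToken(String key) { return refreshTokens.remove(key); }
}

public class RefreshTokenNullDemo {
    public static void main(String[] args) {
        InMemoryProvider p = new InMemoryProvider();
        p.store(new RefreshToken("rt-123", "client-a")); // constructed sample token

        // First use of a valid token succeeds and consumes the refresh token.
        System.out.println("first refresh: " + p.refreshAccessTokenGuarded("rt-123").tokenKey);

        // Second use of the same (now revoked) token: the buggy path throws a raw NPE.
        try {
            p.refreshAccessTokenBuggy("rt-123");
        } catch (NullPointerException e) {
            System.out.println("buggy path: NullPointerException");
        }

        // The guarded path turns the same condition into an OAuth error the caller can map to a response.
        try {
            p.refreshAccessTokenGuarded("rt-123");
        } catch (OAuthServiceException e) {
            System.out.println("guarded path: " + e.getMessage());
        }
    }
}
```

      Compile and run with `javac RefreshTokenNullDemo.java && java RefreshTokenNullDemo`. Performing the null check in the shared refreshAccessToken method, rather than in each revokeRefreshToken implementation, keeps every data provider consistent regardless of whether its backing store returns null or throws for a missing key.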

    People

    • Assignee: sergey_beryozkin Sergey Beryozkin
    • Reporter: karlvr Karl von Randow
    • Votes: 0
    • Watchers: 2