[CXF-8368] org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService#createAuthorizationData wrongly sets code_challenge - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 3.4.1
Fix Version/s: 3.4.2
Component/s: None
Labels:
None

Estimated Complexity:
Unknown

Description

org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService#createAuthorizationData sets code challenge after parent createAuthorizationData which calls org.apache.cxf.rs.security.oauth2.services.RedirectionBasedGrantService#createAuthorizationData which calls org.apache.cxf.rs.security.oauth2.provider.JoseSessionTokenProvider#createSessionToken (when used) so the state will be created before the challenge is set which breaks the flow.

Attachments

Activity

People

Assignee:: Colm O hEigeartaigh

Reporter:: Romain Manni-Bucau

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 10/Nov/20 19:05

Updated:: 04/Jan/21 09:46

Resolved:: 13/Nov/20 10:27