FAPI 2.0 security profile - Reject Implicit Grant executor does not return an appropriate error

Closes #20622
This commit is contained in:
Takashi Norimatsu 2023-05-29 12:02:19 +09:00 committed by Marek Posolda
parent 0832992e59
commit 6b42c2b4d0
2 changed files with 5 additions and 5 deletions

View file

@ -108,7 +108,7 @@ public class RejectImplicitGrantExecutor implements ClientPolicyExecutorProvider
// Before client policies operation, Authorization Endpoint logic has already checked whether implicit/hybrid flow is activated for a client. // Before client policies operation, Authorization Endpoint logic has already checked whether implicit/hybrid flow is activated for a client.
// This method rejects implicit grant regardless of client setting for allowing implicit grant. // This method rejects implicit grant regardless of client setting for allowing implicit grant.
if (parsedResponseType.isImplicitOrHybridFlow()) { if (parsedResponseType.isImplicitOrHybridFlow()) {
throw new ClientPolicyException(OAuthErrorException.INVALID_GRANT, "Implicit/Hybrid flow is prohibited."); throw new ClientPolicyException(OAuthErrorException.INVALID_REQUEST, "Implicit/Hybrid flow is prohibited.");
} }
} }

View file

@ -1196,16 +1196,16 @@ public class ClientPoliciesTest extends AbstractClientPoliciesTest {
oauth.clientId(clientId); oauth.clientId(clientId);
// implicit grant // implicit grant
testProhibitedImplicitOrHybridFlow(false, OIDCResponseType.TOKEN, null, OAuthErrorException.INVALID_GRANT, expectedErrorDescription); testProhibitedImplicitOrHybridFlow(false, OIDCResponseType.TOKEN, null, OAuthErrorException.INVALID_REQUEST, expectedErrorDescription);
// hybrid grant // hybrid grant
testProhibitedImplicitOrHybridFlow(true, OIDCResponseType.TOKEN + " " + OIDCResponseType.ID_TOKEN, "exsefweag", OAuthErrorException.INVALID_GRANT, expectedErrorDescription); testProhibitedImplicitOrHybridFlow(true, OIDCResponseType.TOKEN + " " + OIDCResponseType.ID_TOKEN, "exsefweag", OAuthErrorException.INVALID_REQUEST, expectedErrorDescription);
// hybrid grant // hybrid grant
testProhibitedImplicitOrHybridFlow(true, OIDCResponseType.TOKEN + " " + OIDCResponseType.CODE, "exsefweag", OAuthErrorException.INVALID_GRANT, expectedErrorDescription); testProhibitedImplicitOrHybridFlow(true, OIDCResponseType.TOKEN + " " + OIDCResponseType.CODE, "exsefweag", OAuthErrorException.INVALID_REQUEST, expectedErrorDescription);
// hybrid grant // hybrid grant
testProhibitedImplicitOrHybridFlow(true, OIDCResponseType.TOKEN + " " + OIDCResponseType.CODE + " " + OIDCResponseType.ID_TOKEN, "exsefweag", OAuthErrorException.INVALID_GRANT, expectedErrorDescription); testProhibitedImplicitOrHybridFlow(true, OIDCResponseType.TOKEN + " " + OIDCResponseType.CODE + " " + OIDCResponseType.ID_TOKEN, "exsefweag", OAuthErrorException.INVALID_REQUEST, expectedErrorDescription);
} finally { } finally {
// revert test client instance settings the same as OAuthClient.init // revert test client instance settings the same as OAuthClient.init