KECLOAK-16009 Add a method to check if the token request has duplicate parameters

This commit is contained in:
Yang Xie 2020-10-25 01:12:59 +09:00 committed by Marek Posolda
parent 54c5b1514f
commit cffe24f815
2 changed files with 40 additions and 0 deletions


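--- a/<path-not-shown>/TokenEndpoint.java
+++ b/<path-not-shown>/TokenEndpoint.java
@@ -212,6 +212,7 @@ public class TokenEndpoint {
         if (!action.equals(Action.PERMISSION)) {
             checkClient();
+            checkParameterDuplicated();
         }
         switch (action) {
@@ -306,6 +307,15 @@ public class TokenEndpoint {
         event.detail(Details.GRANT_TYPE, grantType);
     }
+    private void checkParameterDuplicated() {
+        for (String key : formParams.keySet()) {
+            if (formParams.get(key).size() != 1) {
+                throw new CorsErrorResponseException(cors, OAuthErrorException.INVALID_REQUEST, "duplicated parameter",
+                        Response.Status.BAD_REQUEST);
+            }
+        }
+    }
     public Response codeToToken() {
         String code = formParams.getFirst(OAuth2Constants.CODE);
         if (code == null) {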
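Review bot: checkParameterDuplicated() in the second hunk is only called after checkClient() in the first hunk, so a request that repeats `client_id` or `client_secret` has already been fed to client authentication (whichever of the repeated values the authenticator happens to pick) before it is rejected; calling it before `checkClient();` would reject the malformed request before any of its values is interpreted. The description `"duplicated parameter"` also omits which key was repeated, so neither the event log nor the client response says what to fix — `"duplicated parameter: " + key` would make it actionable, with the matching assertion in AccessTokenTest updated alongside. The call sits only on the non-PERMISSION branch, so permission grants are exempt from the check; if that is deliberate, a one-line comment at the call site would spare the next reader the question. The new method has no Javadoc; `/** Rejects the request when any form parameter is sent more than once (RFC 6749, section 3.2). */` would state the intent. `formParams` and `cors` are fields declared outside the hunk.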


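--- a/<path-not-shown>/AccessTokenTest.java
+++ b/<path-not-shown>/AccessTokenTest.java
@@ -1338,4 +1338,34 @@ public class AccessTokenTest extends AbstractKeycloakTest {
         assertEquals(sessionId, token.getSessionState());
     }
+    // KEYCLOAK-16009
+    @Test
+    public void tokenRequestParamsMoreThanOnce() throws Exception {
+        oauth.doLogin("test-user@localhost", "password");
+        String code = oauth.getCurrentQuery().get(OAuth2Constants.CODE);
+        try (CloseableHttpClient client = HttpClientBuilder.create().build()) {
+            HttpPost post = new HttpPost(oauth.getAccessTokenUrl());
+            List<NameValuePair> parameters = new LinkedList<>();
+            parameters.add(new BasicNameValuePair(OAuth2Constants.GRANT_TYPE, OAuth2Constants.AUTHORIZATION_CODE));
+            parameters.add(new BasicNameValuePair(OAuth2Constants.CODE, code));
+            parameters.add(new BasicNameValuePair(OAuth2Constants.REDIRECT_URI, oauth.getRedirectUri()));
+            parameters.add(new BasicNameValuePair(OAuth2Constants.CLIENT_ID, oauth.getClientId()));
+            parameters.add(new BasicNameValuePair(OAuth2Constants.CLIENT_ID, "foo"));
+            String authorization = BasicAuthHelper.createHeader(OAuth2Constants.CLIENT_ID, "password");
+            post.setHeader("Authorization", authorization);
+            UrlEncodedFormEntity formEntity = new UrlEncodedFormEntity(parameters, "UTF-8");
+            post.setEntity(formEntity);
+            OAuthClient.AccessTokenResponse response = new OAuthClient.AccessTokenResponse(client.execute(post));
+            assertEquals(400, response.getStatusCode());
+            assertEquals("invalid_request", response.getError());
+            assertEquals("duplicated parameter", response.getErrorDescription());
+        }
+    }
 }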
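Review bot: The Basic header in tokenRequestParamsMoreThanOnce is built with `OAuth2Constants.CLIENT_ID` — the literal parameter name — as the username rather than `oauth.getClientId()`; if the client authenticator takes the form's first `client_id` over the header username the test still passes, but as written a reader cannot tell whether client authentication succeeded and the 400 really comes from the new duplicate check rather than from some other rejection, so `BasicAuthHelper.createHeader(oauth.getClientId(), "password")` would pin that down. `new LinkedList<>()` for a short append-only list is a `new ArrayList<>()` case. The `// KEYCLOAK-16009` marker names the ticket but not the behaviour; a comment such as `// A form parameter sent more than once must be rejected with invalid_request` would carry the intent for readers without ticket access. Asserting status, error and description together is good — it is what ties the test to the specific check.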