libre.sh/keycloak-scim
3
0
Fork 0
Code Issues 15 Pull requests Releases Packages Activity Actions

KEYCLOAK-545 Stop NPE if no client_secret is specified or bearer-only application is used for grants/access

Browse source
This commit is contained in:
Stian Thorgersen 2014-07-30 16:41:07 +01:00
parent 50bc53d673
commit fa01d53f9e
2 changed files with 10 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
audit/api/src/main/java/org/keycloak/audit/Errors.java
View file

@ -10,6 +10,7 @@ public interface Errors {
String CLIENT_NOT_FOUND = "client_not_found";
String CLIENT_DISABLED = "client_disabled";
String INVALID_CLIENT_CREDENTIALS = "invalid_client_credentials";
String INVALID_CLIENT = "invalid_client";
String USER_NOT_FOUND = "user_not_found";
String USER_DISABLED = "user_disabled";

10
services/src/main/java/org/keycloak/services/resources/TokenService.java
View file

@ -761,8 +761,16 @@ public class TokenService {
throw new BadRequestException("Client is not enabled", Response.status(Response.Status.BAD_REQUEST).entity(error).type("application/json").build());
}
if ( (client instanceof ApplicationModel) && ((ApplicationModel)client).isBearerOnly()) {
Map<String, String> error = new HashMap<String, String>();
error.put(OAuth2Constants.ERROR, "invalid_client");
error.put(OAuth2Constants.ERROR_DESCRIPTION, "Bearer-only not allowed");
audit.error(Errors.INVALID_CLIENT);
throw new BadRequestException("Bearer-only not allowed", Response.status(Response.Status.BAD_REQUEST).entity(error).type("application/json").build());
}
if (!client.isPublicClient()) {
if (!client.validateSecret(clientSecret)) {
if (clientSecret == null || !client.validateSecret(clientSecret)) {
Map<String, String> error = new HashMap<String, String>();
error.put(OAuth2Constants.ERROR, "unauthorized_client");
audit.error(Errors.INVALID_CLIENT_CREDENTIALS);