[ https://issues.apache.org/jira/browse/CXF-5226?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13751162#comment-13751162 ]
Diarmuid Power commented on CXF-5226:
-------------------------------------

Good suggestion, I am already doing that. ;) Thanks for the quick resolution on this, it is appreciated!

> OAuth public clients don't appear to work in RedirectionGrantServices
> ---------------------------------------------------------------------
>
> Key: CXF-5226
> URL: https://issues.apache.org/jira/browse/CXF-5226
> Project: CXF
> Issue Type: Bug
> Components: JAX-RS Security
> Affects Versions: 2.7.6
> Reporter: Diarmuid Power
> Assignee: Sergey Beryozkin
> Fix For: 3.0.0, 2.6.10, 2.7.7
>
> I believe there is an issue when using a redirect grant service using a public client.
>
> My concern is the negation in front of the _canSupportPublicClient_ which passes this value to the _OAuthUtils.isGrantSupportedForClient_ as if it had not been negated.
>
> {code}
> if (!OAuthUtils.isGrantSupportedForClient(client,
>         !canSupportPublicClient(client), supportedGrantType)) {
>     return createErrorResponse(params, redirectUri,
>         OAuthConstants.UNAUTHORIZED_CLIENT);
> {code}
> org.apache.cxf.rs.security.oauth2.services.startAuthorization()
>
> This method then checks for a logical condition like, is public client and provider cannot support public clients. Instead, the logic of the condition reads, if public client and provider can support public client, then throw exception.
>
> {code}
> public static boolean isGrantSupportedForClient(Client client, boolean canSupportPublicClients, String grantType) {
>     if (!client.isConfidential() && !canSupportPublicClients) {
>         return false;
> {code}
> org.apache.cxf.rs.security.oauth2.utils.OAuthUtils.isGrantSupportedForClient()
>
> So I believe this to be a bug and I wanted to submit this for your consideration.
>
> Another note is that AccessTokenService approaches this differently and doesn't seem to start with a negation:
>
> {code}
> if (!OAuthUtils.isGrantSupportedForClient(client,
>         isCanSupportPublicClients(), params.getFirst(OAuthConstants.GRANT_TYPE))) {
>     return createErrorResponse(params, OAuthConstants.UNAUTHORIZED_CLIENT);
> {code}
> org.apache.cxf.rs.security.oauth2.services.AccessTokenService.handleTokenRequest()
>
> P.S. First time logging an issue so apologies if I filled out any fields incorrectly.
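To make the effect of the negation visible, here is an added stand-alone model of the check described in the issue. It is not CXF's code or the reporter's: the `Client` class, the grant names and the allowed-grant lookup after the public-client check are assumptions made for this illustration, and the two `authorize` methods mirror the negated call from `RedirectionGrantService` and the pass-through call from `AccessTokenService`.

```java
// Added illustration for CXF-5226, not code from the CXF project.
// Models OAuthUtils.isGrantSupportedForClient and the two ways the
// redirection and token services pass the "public clients allowed" flag.
import java.util.Arrays;
import java.util.List;

public class PublicClientCheckDemo {

    /** Minimal stand-in for the CXF Client class (constructed for this example). */
    static final class Client {
        final String id;
        final boolean confidential;
        final List<String> allowedGrantTypes;
        Client(String id, boolean confidential, String... grants) {
            this.id = id;
            this.confidential = confidential;
            this.allowedGrantTypes = Arrays.asList(grants);
        }
        boolean isConfidential() { return confidential; }
    }

    /** Same gate as the quoted isGrantSupportedForClient; the grant lookup after it is assumed. */
    static boolean isGrantSupportedForClient(Client client, boolean canSupportPublicClients, String grantType) {
        if (!client.isConfidential() && !canSupportPublicClients) {
            return false; // public client, but the provider does not accept public clients
        }
        return client.allowedGrantTypes.contains(grantType);
    }

    /** The reported call: the provider's flag is negated before being passed through. */
    static boolean buggyAuthorize(Client client, boolean providerSupportsPublic, String grant) {
        return isGrantSupportedForClient(client, !providerSupportsPublic, grant);
    }

    /** The flag passed through unchanged, as AccessTokenService.handleTokenRequest does. */
    static boolean fixedAuthorize(Client client, boolean providerSupportsPublic, String grant) {
        return isGrantSupportedForClient(client, providerSupportsPublic, grant);
    }

    public static void main(String[] args) {
        Client publicClient = new Client("spa-app", false, "authorization_code");
        Client confidentialClient = new Client("server-app", true, "authorization_code");
        for (Client c : new Client[] {publicClient, confidentialClient}) {
            for (boolean supportsPublic : new boolean[] {true, false}) {
                System.out.printf("%-10s providerSupportsPublic=%-5b buggy=%-5b fixed=%-5b%n",
                        c.id, supportsPublic,
                        buggyAuthorize(c, supportsPublic, "authorization_code"),
                        fixedAuthorize(c, supportsPublic, "authorization_code"));
            }
        }
    }
}
```

The confidential client is accepted in every row, so the negation is invisible there; for the public client the two columns are exact opposites, which is why a provider configured to support public clients rejects them in the redirection flow while one configured not to support them lets them through.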