Jason Wang created CXF-5395:
-------------------------------
Summary: ImplicitGrantService always redirect to broken redirect
url
Key: CXF-5395
URL: https://issues.apache.org/jira/browse/CXF-5395
Project: CXF
Issue Type: Bug
Components: JAX-RS Security
Affects Versions: 2.7.7
Environment: irrelevant
Reporter: Jason Wang
Priority: Critical
org.apache.cxf.rs.security.oauth2.services.ImplicitGrantService will build a
redirectURL based on the input given to createGrant method, and redirect to
such url.
I have discovered 2 issues with the building of the URL.
1. "state" is added as a fragment, not a query parameter, whereas token got
added as a query parameter. According to the spec, only the access token should
be appended as the fragment.
See http://tools.ietf.org/html/rfc6749#section-4.2.2
Example valid URL: http://example.com/cb#access_token=2YotnFZFEjr1zCsicMWpAA
&state=xyz&token_type=example&expires_in=3600
Actual output:
http://example.com/cb#state=xyz&access_token=2YotnFZFEjr1zCsicMWpAA
&token_type=example&expires_in=3600
2.if there are more than one OauthPermissions in the token, the
OAuthUtils.convertPermissionsToScope method will simply join the them with
space. For example if perms are "read" and "write", the built url will be
http://example.com/cb#state=xyz&access_token=2YotnFZFEjr1zCsicMWpAA
&token_type=example&expires_in=3600&scope=read write
Spaces are not escaped.
With those two bugs, especially the 1st one, there is no way to get oauth2
implicit flow to work with the current version of CXF.
--
This message was sent by Atlassian JIRA
(v6.1#6144)
