[ https://issues.apache.org/jira/browse/CXF-5394?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13825817#comment-13825817 ]

Sergey Beryozkin commented on CXF-5394:
---------------------------------------

That said, I reordered the parameters a bit so that the access_token comes 
immediately after '#', as some clients may expect it to be the case.

> ImplicitGrantService always redirect to broken redirect url
> -----------------------------------------------------------
>
>                 Key: CXF-5394
>                 URL: https://issues.apache.org/jira/browse/CXF-5394
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS Security
>    Affects Versions: 2.7.7
>         Environment: irrelevant 
>            Reporter: Jason Wang
>            Assignee: Sergey Beryozkin
>            Priority: Critical
>             Fix For: 3.0.0, 2.7.8, 2.6.11
>
>
> org.apache.cxf.rs.security.oauth2.services.ImplicitGrantService will build a 
> redirectURL based on the input given to the createGrant method, and redirect to 
> such a URL.
> I have discovered 2 issues with the building of the URL.
> 1. "state" is added as a fragment, not a query parameter, whereas token got 
> added as a query parameter. According to the spec, only the access token 
> should be appended as the fragment. 
> See http://tools.ietf.org/html/rfc6749#section-4.2.2
> Example valid URL: http://example.com/cb#access_token=2YotnFZFEjr1zCsicMWpAA
>                &state=xyz&token_type=example&expires_in=3600
> Actual output:
> http://example.com/cb#state=xyz&access_token=2YotnFZFEjr1zCsicMWpAA
>                &token_type=example&expires_in=3600
> 2. If there are more than one OauthPermissions in the token, the 
> OAuthUtils.convertPermissionsToScope method will simply join them with a 
> space. For example, if the perms are "read" and "write", the built URL will be
> http://example.com/cb#state=xyz&access_token=2YotnFZFEjr1zCsicMWpAA
>                &token_type=example&expires_in=3600&scope=read write
> Spaces are not escaped.
> With those two bugs, especially the 1st one, there is no way to get oauth2 
> implicit flow to work with the current version of CXF.



--
This message was sent by Atlassian JIRA
(v6.1#6144)
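To make the two reported defects concrete, here is an added example (not CXF code, and not part of this thread) that builds an RFC 6749 section 4.2.2 implicit-grant redirect the way the report asks for: every token parameter in the fragment, access_token first, and a multi-valued scope percent-encoded instead of carrying a raw space. The function names and the fragment-free redirect URI check are assumptions of this example, not CXF API.

```python
from urllib.parse import urlsplit, urlunsplit, urlencode, parse_qs, quote


def build_implicit_redirect(redirect_uri, access_token, token_type,
                            expires_in, state=None, permissions=()):
    """Build the implicit-grant redirect described in RFC 6749 section 4.2.2.

    Token parameters go only into the fragment (never the query string),
    access_token is emitted first, state follows it, and every value is
    percent-encoded so a scope such as "read write" survives the redirect.
    (Example code; function name and argument layout are assumptions.)
    """
    parts = urlsplit(redirect_uri)
    if parts.fragment:
        # RFC 6749 section 3.1.2: a registered redirect URI must not carry a fragment,
        # otherwise the token fragment would be ambiguous on the client side.
        raise ValueError("redirect_uri must not contain a fragment")
    params = [("access_token", access_token)]
    if state is not None:
        params.append(("state", state))
    params.append(("token_type", token_type))
    params.append(("expires_in", str(expires_in)))
    if permissions:
        # Scope is space-delimited per RFC 6749; the space is encoded below.
        params.append(("scope", " ".join(permissions)))
    # quote (not quote_plus) turns the space into %20 rather than '+'.
    fragment = urlencode(params, quote_via=quote)
    # Any query string already present on the redirect URI is preserved untouched.
    return urlunsplit((parts.scheme, parts.netloc, parts.path, parts.query, fragment))


def parse_implicit_fragment(url):
    """Client-side view: read the token response back out of the fragment.

    strict_parsing makes a malformed fragment (e.g. an unescaped space that
    broke the pair list) raise instead of being silently misread.
    """
    fragment = urlsplit(url).fragment
    return {k: v[0] for k, v in parse_qs(fragment, strict_parsing=True).items()}
```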