[ https://issues.apache.org/jira/browse/CXF-5394?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13825868#comment-13825868 ]

Jason Wang commented on CXF-5394:
---------------------------------

Sergey, thanks for the super fast response. 

I think the spec says the access_token must be a segment, not a query. As when 
you call that URL, the segment will not be passed back to the server. We do not 
need the token to be passed back, that's why. So it was a genuine bug which just 
got fixed now. 

Another thing is that the scope value, according to the spec, is a 
space-separated string; I can see you used "+" instead. 

Minor question: why not use UriBuilder instead of handcrafting the URL?

Many thanks,

> ImplicitGrantService always redirect to broken redirect url
> -----------------------------------------------------------
>
>                 Key: CXF-5394
>                 URL: https://issues.apache.org/jira/browse/CXF-5394
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS Security
>    Affects Versions: 2.7.7
>         Environment: irrelevant 
>            Reporter: Jason Wang
>            Assignee: Sergey Beryozkin
>            Priority: Critical
>             Fix For: 3.0.0, 2.7.8, 2.6.11
>
>
> org.apache.cxf.rs.security.oauth2.services.ImplicitGrantService will build a 
> redirectURL based on the input given to createGrant method, and redirect to 
> such url.
> I have discovered 2 issues with the building of the URL.
> 1. "state" is added as a fragment, not a query parameter, whereas token got 
> added as a query parameter. According to the spec, only the access token 
> should be appended as the fragment. 
> See http://tools.ietf.org/html/rfc6749#section-4.2.2
> Example valid URL: http://example.com/cb#access_token=2YotnFZFEjr1zCsicMWpAA
>                &state=xyz&token_type=example&expires_in=3600
> Actual output:
> http://example.com/cb#state=xyz&access_token=2YotnFZFEjr1zCsicMWpAA
>                &token_type=example&expires_in=3600
> 2. If there is more than one OAuthPermission in the token, the 
> OAuthUtils.convertPermissionsToScope method will simply join them with a 
> space. For example, if perms are "read" and "write", the built URL will be
> http://example.com/cb#state=xyz&access_token=2YotnFZFEjr1zCsicMWpAA
>                &token_type=example&expires_in=3600&scope=read write
> Spaces are not escaped.
> With those two bugs, especially the 1st one, there is no way to get oauth2 
> implicit flow to work with the current version of CXF.



--
This message was sent by Atlassian JIRA
(v6.1#6144)
