1. connect2id Avatar connect2id
  2. OAuth
  3. OAuth 2.0 SDK with OpenID Connect extensions
  4. Issues

Serialization of TokenRequest with ClientSecretPost Client Authentication Method fails

Issue #104 resolved
Former user created an issue

Problem: As the following test case shows, the serialization of a TokenRequest containing a ClientSecretPost Client Authentication Method into a HTTPRequest does not work as expected:

    @Test
    public void shouldSupportTokenRequestClientSecretPostSerialization() throws Exception {
        AuthorizationCode code = new AuthorizationCode();
        URI endpointUri = new URI("https://token.endpoint.uri/token");
        URI redirectUri = new URI("https://arbitrary.redirect.uri/");
        ClientID clientId = new ClientID("client");
        Secret secret = new Secret("secret");
        ClientSecretPost clientAuthentication = new ClientSecretPost(clientId,secret);
        AuthorizationGrant grant = new AuthorizationCodeGrant(code,redirectUri);
        TokenRequest request = new TokenRequest(endpointUri,clientAuthentication,grant);

        HTTPRequest httpRequest = request.toHTTPRequest();
        TokenRequest reconstructedRequest = TokenRequest.parse(httpRequest);
        // -> throws ParseException: Missing required "client_id" parameter
    }

Problem lies within these lines of TokenRequest.toHTTPRequest():

        if (getClientAuthentication() != null)
            getClientAuthentication().applyTo(httpRequest);

        Map<String,String> params = authzGrant.toParameters();

        if (scope != null && ! scope.isEmpty()) {
            params.put("scope", scope.toString());
        }

        if (clientID != null) {
            params.put("client_id", clientID.getValue());
        }

        httpRequest.setQuery(URLUtils.serializeParameters(params));

The client_id and client_secret parameters are placed (by getClientAuthentication().applyTo(httpRequest))) in the query member of HTTPRequest. This query member is later on overwritten by httpRequest.setQuery(URLUtils.serializedParameters(params)).

Possible fix: params should include the already set parameters or applyTo(httpRequest) must be called after setQuery(URLUtils.serializeParameters(params)) to make sure query parameters are not overwritten by setQuery().

Tested Version: 4.4.1

Comments (6)

  5. Connect2id OSS

    The fix was released as version 4.4.2 and pushed to Maven Central.

    Thank you for contributing!

  7. Log in to comment
Assignee
Type
bug
Priority
major
Status
resolved
Milestone
Votes
0
Watchers
1
Jira: the preferred issue tracker for Bitbucket. Join the team!