From f3ab227a07d75fdf45d9e9a3cc4a9fc71d6273ba Mon Sep 17 00:00:00 2001
From: YuriyZ
Date: Tue, 28 Sep 2021 18:02:35 +0300
Subject: [PATCH] fix(4.3): removed client_credentials token validation https://github.com/GluuFederation/oxAuth/issues/1567
---
 .../ws/rs/RegisterRestWebServiceImpl.java | 42 -------------------
 1 file changed, 42 deletions(-)
diff --git a/Server/src/main/java/org/gluu/oxauth/register/ws/rs/RegisterRestWebServiceImpl.java b/Server/src/main/java/org/gluu/oxauth/register/ws/rs/RegisterRestWebServiceImpl.java
index cb714e91e2..5df6de327b 100644
--- a/Server/src/main/java/org/gluu/oxauth/register/ws/rs/RegisterRestWebServiceImpl.java
+++ b/Server/src/main/java/org/gluu/oxauth/register/ws/rs/RegisterRestWebServiceImpl.java
@@ -698,8 +698,6 @@ public Response requestClientUpdate(String requestParams, String clientId, @Head
 final String accessToken = tokenService.getToken(authorization);
 if (StringUtils.isNotBlank(accessToken) && StringUtils.isNotBlank(clientId) && StringUtils.isNotBlank(requestParams)) {
- validateAuthorizationAccessToken(accessToken, clientId);
-
 JSONObject requestObject = new JSONObject(requestParams);
 final JSONObject softwareStatement = validateSoftwareStatement(httpRequest, requestObject);
 if (softwareStatement != null) {
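Review bot: With `validateAuthorizationAccessToken` gone, the only check `accessToken` receives before `requestParams` is parsed in this hunk is `StringUtils.isNotBlank`, so nothing visible here ties the presented token to `clientId` or confirms the token is still valid. `requestClientUpdate` continues outside the hunk; if the client lookup that follows compares the token against the client's registration access token, that covers it, and a one-line comment after the `if`, `// token validity and clientId binding are enforced by the client lookup below`, would record that the removed check was redundant rather than lost. If no such binding exists downstream, a token issued to one client would be accepted for an update of another client's registration, so the clientId comparison from the dropped method should be kept in some form before the update proceeds. Since the commit message singles out client_credentials tokens, the endpoint's Javadoc should also state which token types it now accepts.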
@@ -793,46 +791,6 @@ public Response requestClientUpdate(String requestParams, String clientId, @Head
 return internalErrorResponse("Unknown.").build();
 }
- private void validateAuthorizationAccessToken(String accessToken, String clientId) {
- if (StringUtils.isBlank(accessToken) || StringUtils.isBlank(clientId)) {
- log.trace("Access Token or clientId is blank.");
- throw new WebApplicationException(Response.
- status(Response.Status.BAD_REQUEST).
- type(MediaType.APPLICATION_JSON_TYPE).
- entity(errorResponseFactory.errorAsJson(RegisterErrorResponseType.INVALID_TOKEN, "The Access Token is not valid for the Client ID."))
- .build());
- }
-
- final AuthorizationGrant grant = authorizationGrantList.getAuthorizationGrantByAccessToken(accessToken);
- if (grant == null) {
- log.trace("Unable to find grant by access token: {}", accessToken);
- throw new WebApplicationException(Response.
- status(Response.Status.BAD_REQUEST).
- type(MediaType.APPLICATION_JSON_TYPE).
- entity(errorResponseFactory.errorAsJson(RegisterErrorResponseType.INVALID_TOKEN, "The Access Token grant is not found."))
- .build());
- }
-
- final AbstractToken accessTokenObj = grant.getAccessToken(accessToken);
- if (accessTokenObj == null || !accessTokenObj.isValid()) {
- log.trace("Unable to find access token object or otherwise it's expired.");
- throw new WebApplicationException(Response.
- status(Response.Status.BAD_REQUEST).
- type(MediaType.APPLICATION_JSON_TYPE).
- entity(errorResponseFactory.errorAsJson(RegisterErrorResponseType.INVALID_TOKEN, "The Access Token object is not found or otherwise expired."))
- .build());
- }
-
- if (!clientId.equals(grant.getClientId())) {
- log.trace("ClientId from request does not match to access token's client id.");
- throw new WebApplicationException(Response.
- status(Response.Status.BAD_REQUEST).
- type(MediaType.APPLICATION_JSON_TYPE).
- entity(errorResponseFactory.errorAsJson(RegisterErrorResponseType.INVALID_TOKEN, "The Access Token object is not found or otherwise expired."))
- .build());
- }
- }
-
 @Override
 public Response requestClientRead(String clientId, String authorization, HttpServletRequest httpRequest, SecurityContext securityContext) {