Bump version to 1.11

This commit merges branch 'hotfix/lenient_hybrid_flow'
cloudfoundry · Dec 5, 2014 · 9156eed · 9156eed
2 parents 1d23b32 + 8f9546a
commit 9156eed
Show file tree

Hide file tree

Showing 5 changed files with 213 additions and 26 deletions.
diff --git a/...n/src/main/java/org/cloudfoundry/identity/uaa/authorization/UaaAuthorizationEndpoint.java b/...n/src/main/java/org/cloudfoundry/identity/uaa/authorization/UaaAuthorizationEndpoint.java
@@ -99,6 +99,12 @@ public class UaaAuthorizationEndpoint extends AbstractEndpoint {
 
     private Object implicitLock = new Object();
 
+    private Boolean fallbackToAuthcode = false;
+
+    public void setFallbackToAuthcode(Boolean fallbackToAuthcode) {
+        this.fallbackToAuthcode = fallbackToAuthcode;
+    }
+
     public void setSessionAttributeStore(SessionAttributeStore sessionAttributeStore) {
         this.sessionAttributeStore = sessionAttributeStore;
     }
@@ -160,7 +166,10 @@ public ModelAndView authorize(Map<String, Object> model, @RequestParam Map<Strin
             // Validation is all done, so we can check for auto approval...
             if (authorizationRequest.isApproved()) {
                 if (responseTypes.contains("token") || responseTypes.contains("id_token")) {
-                    return getImplicitGrantResponse(authorizationRequest, (Authentication) principal);
+                    ModelAndView modelAndView = getImplicitGrantResponse(authorizationRequest, (Authentication) principal);
+                    if (modelAndView != null) {
+                        return modelAndView;
+                    }
                 }
                 if (responseTypes.contains("code")) {
                     return new ModelAndView(getAuthorizationCodeResponse(authorizationRequest,
@@ -220,7 +229,10 @@ public View approveOrDeny(@RequestParam Map<String, String> approvalParameters,
             }
 
             if (responseTypes.contains("token") || responseTypes.contains("id_token")) {
-                return getImplicitGrantResponse(authorizationRequest, (Authentication) principal).getView();
+                ModelAndView modelAndView = getImplicitGrantResponse(authorizationRequest, (Authentication) principal);
+                if (modelAndView != null) {
+                    return modelAndView.getView();
+                }
             }
 
             return getAuthorizationCodeResponse(authorizationRequest, (Authentication) principal);
@@ -240,19 +252,23 @@ private ModelAndView getUserApprovalPageResponse(Map<String, Object> model,
 
     // We can grant a token and return it with implicit approval.
     private ModelAndView getImplicitGrantResponse(AuthorizationRequest authorizationRequest, Authentication authentication) {
+        OAuth2AccessToken accessToken;
         try {
             TokenRequest tokenRequest = getOAuth2RequestFactory().createTokenRequest(authorizationRequest, "implicit");
             OAuth2Request storedOAuth2Request = getOAuth2RequestFactory().createOAuth2Request(authorizationRequest);
-            OAuth2AccessToken accessToken = getAccessTokenForImplicitGrant(tokenRequest, storedOAuth2Request);
+            accessToken = getAccessTokenForImplicitGrant(tokenRequest, storedOAuth2Request);
             if (accessToken == null) {
                 throw new UnsupportedResponseTypeException("Unsupported response type: token");
             }
             return new ModelAndView(new RedirectView(appendAccessToken(authorizationRequest, accessToken, authentication), false, true,
                 false));
         } catch (OAuth2Exception e) {
-            return new ModelAndView(new RedirectView(getUnsuccessfulRedirect(authorizationRequest, e, true), false,
-                true, false));
+            if (authorizationRequest.getResponseTypes().contains("token") || fallbackToAuthcode == false) {
+                return new ModelAndView(new RedirectView(getUnsuccessfulRedirect(authorizationRequest, e, true), false,
+                        true, false));
+           }
         }
+       return null;
     }
 
     private OAuth2AccessToken getAccessTokenForImplicitGrant(TokenRequest tokenRequest,

diff --git a/gradle.properties b/gradle.properties
@@ -1 +1 @@
-version=1.10
+version=1.11
diff --git a/uaa/src/main/resources/uaa.yml b/uaa/src/main/resources/uaa.yml
@@ -101,10 +101,14 @@ oauth:
       - uaa.user
       - approvals.me
       - oauth.approvals
+# When using the hybrid flow to get a id_token, suppress the exception if the client doesn't have the implicit grant. Defaults to false.
+  #openid:
+    #fallbackToAuthcode: false
 
 # Allow unverified users to log in. Defaults to true
 #allowUnverifiedUsers: false
 
+
 # Default token signing key. Each installation MUST provide a unique key
 # in order for tokens to be usable only on that installation.
 #jwt:

diff --git a/uaa/src/main/webapp/WEB-INF/spring/oauth-endpoints.xml b/uaa/src/main/webapp/WEB-INF/spring/oauth-endpoints.xml
@@ -46,6 +46,7 @@
         <property name="tokenGranter" ref="oauth2TokenGranter"/> <!--this bean create by oauth:authorization-server -->
         <property name="clientDetailsService" ref="jdbcClientDetailsService"/>
         <property name="OAuth2RequestFactory" ref="authorizationRequestManager"/>
+        <property name="fallbackToAuthcode" value="${oauth.openid.fallbackToAuthcode:false}"/>
     </bean>
 
     <!--/oauth/token with any match -->