Skip to content

validate client secret expired or not #862

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 4 commits into from
Closed

validate client secret expired or not #862

wants to merge 4 commits into from

Conversation

doctormacky
Copy link

validate the client secret is expired or not.
see the details here

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Aug 18, 2022
@doctormacky
Copy link
Author

@jgrandja Please help to review this PR. thanks!

@doctormacky doctormacky mentioned this pull request Aug 19, 2022
Closed
@jgrandja jgrandja self-assigned this Aug 19, 2022
@jgrandja jgrandja added status: duplicate A duplicate of another issue type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged labels Aug 19, 2022
jgrandja
jgrandja requested changes Aug 19, 2022
View reviewed changes
Copy link
Collaborator

@jgrandja jgrandja left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR @doctormacky. Please see review comments.

Also, please add a test in ClientSecretAuthenticationProviderTests.

.../security/oauth2/server/authorization/authentication/ClientSecretAuthenticationProvider.java Outdated
@@ -93,6 +95,11 @@ public Authentication authenticate(Authentication authentication) throws Authent
throwInvalidClient(OAuth2ParameterNames.CLIENT_ID);
}

Instant expiredAt = registeredClient.getClientSecretExpiresAt();
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please move this validation below if (!this.passwordEncoder.matches(clientSecret, registeredClient.getClientSecret()))

.../security/oauth2/server/authorization/authentication/ClientSecretAuthenticationProvider.java Outdated
@@ -93,6 +95,11 @@ public Authentication authenticate(Authentication authentication) throws Authent
throwInvalidClient(OAuth2ParameterNames.CLIENT_ID);
}

Instant expiredAt = registeredClient.getClientSecretExpiresAt();
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remove the variable expiredAt and just use registeredClient.getClientSecretExpiresAt()

.../security/oauth2/server/authorization/authentication/ClientSecretAuthenticationProvider.java Outdated
@@ -93,6 +95,11 @@ public Authentication authenticate(Authentication authentication) throws Authent
throwInvalidClient(OAuth2ParameterNames.CLIENT_ID);
}

Instant expiredAt = registeredClient.getClientSecretExpiresAt();
if (expiredAt!=null && Instant.now().isAfter(expiredAt)) {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add spaces between the comparison expiredAt!=null so it's consistent with other code

@doctormacky
Copy link
Author

@jgrandja Please help to review it again. thanks.

@doctormacky
Copy link
Author

@jgrandja Any progress on this PR ?

jgrandja
jgrandja requested changes Aug 24, 2022
View reviewed changes
Copy link
Collaborator

@jgrandja jgrandja left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the updates @doctormacky.

One minor change left and we'll be ready to merge.

Can you also rebase off latest 0.4.x and squash the commits.
Thanks!

...a/org/springframework/security/oauth2/server/authorization/client/TestRegisteredClients.java Outdated
@@ -64,4 +64,20 @@ public static RegisteredClient.Builder registeredPublicClient() {
.scope("scope1")
.clientSettings(ClientSettings.builder().requireProofKey(true).build());
}

public static RegisteredClient.Builder registeredClient4() {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please remove this and reuse TestRegisteredClients.registeredClient(), which returns the Builder and allows you to update clientSecretExpiresAt()

@jgrandja jgrandja added this to the 0.4.0-M2 milestone Aug 30, 2022
@jgrandja
Copy link
Collaborator

Thanks for the updates @doctormacky. This is now merged.

@jgrandja jgrandja closed this Aug 30, 2022
@doctormacky
Copy link
Author

Thanks for the updates @doctormacky. This is now merged.

Thanks @jgrandja It's my pleasure.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jgrandja jgrandja jgrandja requested changes

Assignees

@jgrandja jgrandja

Labels
status: duplicate A duplicate of another issue type: enhancement A general enhancement
Projects
None yet
Milestone
0.4.0-M2
Development

Successfully merging this pull request may close these issues.
4 participants
@doctormacky @jgrandja @spring-projects-issues @liuyunsh