SECOAUTH-400: ensure implicit response is encoded

eonezhang · Apr 23, 2013 · 85dbf82 · 85dbf82
1 parent f7e2fae
commit 85dbf82
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 9 deletions.
diff --git a/...ain/java/org/springframework/security/oauth2/provider/endpoint/AuthorizationEndpoint.java b/...ain/java/org/springframework/security/oauth2/provider/endpoint/AuthorizationEndpoint.java
@@ -64,6 +64,7 @@
 import org.springframework.web.servlet.ModelAndView;
 import org.springframework.web.servlet.View;
 import org.springframework.web.servlet.view.RedirectView;
+import org.springframework.web.util.UriTemplate;
 
 /**
  * <p>
@@ -295,6 +296,7 @@ private View getAuthorizationCodeResponse(AuthorizationRequest authorizationRequ
 	}
 
 	private String appendAccessToken(AuthorizationRequest authorizationRequest, OAuth2AccessToken accessToken) {
+		Map<String, Object> vars = new HashMap<String, Object>();
 		String requestedRedirect = authorizationRequest.getRedirectUri();
 		if (accessToken == null) {
 			throw new InvalidGrantException("An implicit grant could not be made");
@@ -306,30 +308,37 @@ private String appendAccessToken(AuthorizationRequest authorizationRequest, OAut
 		else {
 			url.append("#");
 		}
-		url.append("access_token=" + accessToken.getValue());
-		url.append("&token_type=" + accessToken.getTokenType());
+		url.append("access_token={access_token}");
+		url.append("&token_type={token_type}");
+		vars.put("access_token", accessToken.getValue());
+		vars.put("token_type", accessToken.getTokenType());
 		String state = authorizationRequest.getState();
 		if (state != null) {
-			url.append("&state=" + state);
+			url.append("&state={state}");
+			vars.put("state", state);
 		}
 		Date expiration = accessToken.getExpiration();
 		if (expiration != null) {
 			long expires_in = (expiration.getTime() - System.currentTimeMillis()) / 1000;
-			url.append("&expires_in=" + expires_in);
+			url.append("&expires_in={expires_in}");
+			vars.put("expires_in", expires_in);
 		}
 		String originalScope = authorizationRequest.getAuthorizationParameters().get(ORIGINAL_SCOPE);
 		if (originalScope==null || !OAuth2Utils.parseParameterList(originalScope).equals(accessToken.getScope())) {
-			url.append("&" + AuthorizationRequest.SCOPE + "=" + OAuth2Utils.formatParameterList(accessToken.getScope()));
+			url.append("&" + AuthorizationRequest.SCOPE + "={scope}");
+			vars.put("scope", OAuth2Utils.formatParameterList(accessToken.getScope()));
 		}
 		Map<String, Object> additionalInformation = accessToken.getAdditionalInformation();
 		for (String key : additionalInformation.keySet()) {
 			Object value = additionalInformation.get(key);
 			if (value != null) {
-				url.append("&" + key + "=" + value); // implicit call of .toString() here
+				url.append("&" + key + "={extra_" + key + "}");
+				vars.put("extra" + key, value);
 			}
 		}
+		UriTemplate template = new UriTemplate(url.toString());
 		// Do not include the refresh token (even if there is one)
-		return url.toString();
+		return template.expand(vars).toString();
 	}
 
 	private String generateCode(AuthorizationRequest authorizationRequest, Authentication authentication)

diff --git a/...java/org/springframework/security/oauth2/provider/endpoint/TestAuthorizationEndpoint.java b/...java/org/springframework/security/oauth2/provider/endpoint/TestAuthorizationEndpoint.java
@@ -22,6 +22,7 @@
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
+import java.util.LinkedHashSet;
 
 import org.junit.Before;
 import org.junit.Test;
@@ -225,7 +226,7 @@ public void testImplicitAppendsScopeWhenDefaulting() throws Exception {
 		endpoint.setTokenGranter(new TokenGranter() {
 			public OAuth2AccessToken grant(String grantType, AuthorizationRequest authorizationRequest) {
 				DefaultOAuth2AccessToken token = new DefaultOAuth2AccessToken("FOO");
-				token.setScope(Collections.singleton("read"));
+				token.setScope(new LinkedHashSet<String>(Arrays.asList("read", "write")));
 				return token;
 			}
 		});
@@ -244,7 +245,7 @@ public boolean isApproved(AuthorizationRequest authorizationRequest, Authenticat
 		ModelAndView result = endpoint.authorize(model, "token", authorizationRequest.getAuthorizationParameters(),
 				sessionStatus, principal);
 		String url = ((RedirectView) result.getView()).getUrl();
-		assertTrue("Wrong scope: " + result, url.contains("&scope=read"));
+		assertTrue("Wrong scope: " + result, url.contains("&scope=read%20write"));
 	}
 
 	@Test(expected = InvalidScopeException.class)