From 738ce7cd964037c4cf2649cc1b168829570ea71a Mon Sep 17 00:00:00 2001
From: YuriyZ
Date: Fri, 2 Aug 2024 13:08:47 +0300
Subject: [PATCH] fix(oxauth): introspection endpoint returns error for valid basic client authentication and invalid token #1916
---
 .../ws/rs/IntrospectionWebService.java | 24 +++++++------------
 1 file changed, 8 insertions(+), 16 deletions(-)
diff --git a/Server/src/main/java/org/gluu/oxauth/introspection/ws/rs/IntrospectionWebService.java b/Server/src/main/java/org/gluu/oxauth/introspection/ws/rs/IntrospectionWebService.java
index 7c98a20f3..6a0dddcbd 100644
--- a/Server/src/main/java/org/gluu/oxauth/introspection/ws/rs/IntrospectionWebService.java
+++ b/Server/src/main/java/org/gluu/oxauth/introspection/ws/rs/IntrospectionWebService.java
@@ -11,12 +11,7 @@
 import org.apache.commons.lang.StringUtils;
 import org.gluu.oxauth.claims.Audience;
 import org.gluu.oxauth.model.authorize.AuthorizeErrorResponseType;
-import org.gluu.oxauth.model.common.AbstractToken;
-import org.gluu.oxauth.model.common.AccessToken;
-import org.gluu.oxauth.model.common.AuthorizationGrant;
-import org.gluu.oxauth.model.common.AuthorizationGrantList;
-import org.gluu.oxauth.model.common.IntrospectionResponse;
-import org.gluu.oxauth.model.common.TokenType;
+import org.gluu.oxauth.model.common.*;
 import org.gluu.oxauth.model.config.WebKeysConfiguration;
 import org.gluu.oxauth.model.configuration.AppConfiguration;
 import org.gluu.oxauth.model.error.ErrorResponseFactory;
@@ -38,14 +33,7 @@
 import javax.inject.Inject;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-import javax.ws.rs.FormParam;
-import javax.ws.rs.GET;
-import javax.ws.rs.HeaderParam;
-import javax.ws.rs.POST;
-import javax.ws.rs.Path;
-import javax.ws.rs.Produces;
-import javax.ws.rs.QueryParam;
-import javax.ws.rs.WebApplicationException;
+import javax.ws.rs.*;
 import javax.ws.rs.core.Context;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
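Review bot: The wildcard `import org.gluu.oxauth.model.common.*;` replaces six explicit imports although none of the code added elsewhere in this patch appears to need a type from that package beyond ones that were already imported (IntrospectionResponse, AuthorizationGrant), so the change looks like IDE import-folding rather than part of the fix. Every other import in the file is explicit, and a wildcard hides which model.common types the class actually depends on and widens the set of simple names that can collide with other imports. I would keep the six explicit imports this hunk removes; the same applies to the `import javax.ws.rs.*;` introduced by the following hunk.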
@@ -108,7 +96,7 @@ public Response introspectPost(@HeaderParam("Authorization") String p_authorizat
 return introspect(p_authorization, p_token, tokenTypeHint, responseAsJwt, httpRequest, httpResponse);
 }
 
- private AuthorizationGrant validateAuthorization(String p_authorization, String p_token) throws UnsupportedEncodingException {
+ private AuthorizationGrant validateAuthorization(String p_authorization, String p_token) throws IOException {
 final boolean skipAuthorization = ServerUtil.isTrue(appConfiguration.getIntrospectionSkipAuthorization());
 log.trace("skipAuthorization: {}", skipAuthorization);
 if (skipAuthorization) {
@@ -123,7 +111,11 @@ private AuthorizationGrant validateAuthorization(String p_authorization, String
 final Pair pair = getAuthorizationGrant(p_authorization, p_token);
 final AuthorizationGrant authorizationGrant = pair.getFirst();
 if (authorizationGrant == null) {
- log.error("Authorization grant is null.");
+ log.debug("Authorization grant is null.");
+ if (isTrue(pair.getSecond())) {
+ final IntrospectionResponse response = new IntrospectionResponse(false);
+ throw new WebApplicationException(Response.status(Response.Status.OK).entity(ServerUtil.asJson(response)).type(MediaType.APPLICATION_JSON_TYPE).build());
+ }
 throw new WebApplicationException(Response.status(Response.Status.UNAUTHORIZED).type(MediaType.APPLICATION_JSON_TYPE).entity(errorResponseFactory.errorAsJson(AuthorizeErrorResponseType.ACCESS_DENIED, "Authorization grant is null.")).build());
 }
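Review bot: Widening the `throws` clause of validateAuthorization from UnsupportedEncodingException to IOException is a contract change that every caller must absorb, and the only caller visible in this hunk's context, `introspect(...)`, lies outside the hunk, so confirm it declares or catches IOException rather than letting a JSON serialization failure propagate as an unhandled exception from the endpoint. If the new IOException comes solely from the `ServerUtil.asJson(response)` call added later in the patch, a narrower option is to catch it at that call and return a generic internal-error response, which would leave this signature unchanged. The body of validateAuthorization continues past the end of this hunk.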