From 87226ef722c24e261da01bcc3872485427c8211c Mon Sep 17 00:00:00 2001
From: Federica Agostini
Date: Wed, 6 Dec 2023 17:22:26 +0100
Subject: [PATCH] Reset client secret when authN is set to none or else, generate a new Random secret.
---
 .../DefaultClientRegistrationService.java | 1 -
 .../api/client/service/ClientConverter.java | 25 +++++++++++++++++++
 2 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/client/registration/service/DefaultClientRegistrationService.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/client/registration/service/DefaultClientRegistrationService.java
index a88b25808..e009d674f 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/client/registration/service/DefaultClientRegistrationService.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/client/registration/service/DefaultClientRegistrationService.java
@@ -383,7 +383,6 @@ public RegisteredClientDTO updateClient(String clientId, RegisteredClientDTO req
 ClientDetailsEntity newClient = converter.entityFromRegistrationRequest(request);
 newClient.setId(oldClient.getId());
-newClient.setClientSecret(oldClient.getClientSecret());
 newClient.setAccessTokenValiditySeconds(oldClient.getAccessTokenValiditySeconds());
 newClient.setIdTokenValiditySeconds(oldClient.getIdTokenValiditySeconds());
 newClient.setRefreshTokenValiditySeconds(oldClient.getRefreshTokenValiditySeconds());
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/api/client/service/ClientConverter.java b/iam-login-service/src/main/java/it/infn/mw/iam/api/client/service/ClientConverter.java
index 54b4692ab..78bcbf2cc 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/api/client/service/ClientConverter.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/api/client/service/ClientConverter.java
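Review bot: With `newClient.setClientSecret(oldClient.getClientSecret())` gone, the secret of an updated client is whatever `converter.entityFromRegistrationRequest(request)` leaves on the entity, so an update request that carries no `client_secret` (nothing in this hunk checks for one) now ends with a freshly generated secret and silently rotates a live client's credential on an unrelated edit such as a redirect-URI change, while a request that does carry one appears to let the caller choose the secret. I would keep the issued secret unless the client is now `none` or never had one, as below, assuming `AuthMethod` is imported in this service as it is in the converter. `updateClient` starts before this hunk and continues past it.
```java
ClientDetailsEntity newClient = converter.entityFromRegistrationRequest(request);
newClient.setId(oldClient.getId());
// Keep the issued secret across unrelated edits; drop it for public clients,
// and mint one only when the client is gaining a secret-bearing auth method.
if (newClient.getTokenEndpointAuthMethod() == AuthMethod.NONE) {
  newClient.setClientSecret(null);
} else if (oldClient.getClientSecret() == null) {
  newClient.setClientSecret(converter.generateClientSecret());
} else {
  newClient.setClientSecret(oldClient.getClientSecret());
}
// … unchanged: token validity copies …
```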
@@ -15,6 +15,9 @@ */
 package it.infn.mw.iam.api.client.service;
+import java.math.BigInteger;
+import java.security.SecureRandom;
+
 import static java.util.Objects.isNull;
 import static java.util.stream.Collectors.toSet;
@@ -40,6 +43,9 @@ import it.infn.mw.iam.config.IamProperties;
 import it.infn.mw.iam.config.client_registration.ClientRegistrationProperties;
+import org.apache.commons.codec.binary.Base64;
+
+
 @Component
 public class ClientConverter {
@@ -48,6 +54,9 @@ public class ClientConverter {
 private final String clientRegistrationBaseUrl;
 private final ClientRegistrationProperties clientProperties;
+
+private static final int SECRET_SIZE = 512;
+private static final SecureRandom RNG = new SecureRandom();
 @Autowired
 public ClientConverter(IamProperties properties, ClientRegistrationProperties clientProperties) {
@@ -173,6 +182,10 @@ public RegisteredClientDTO registeredClientDtoFromEntity(ClientDetailsEntity ent
 clientDTO.setRequireAuthTime(false);
 }
+if (entity.getTokenEndpointAuthMethod() == AuthMethod.NONE) {
+clientDTO.setClientSecret(null);
+}
+
 return clientDTO;
 }
@@ -221,6 +234,12 @@ public ClientDetailsEntity entityFromRegistrationRequest(RegisteredClientDTO dto
 if (isNull(dto.getTokenEndpointAuthMethod())) {
 client.setTokenEndpointAuthMethod(AuthMethod.SECRET_BASIC);
+} else if (dto.getTokenEndpointAuthMethod().equals(TokenEndpointAuthenticationMethod.none)) {
+client.setTokenEndpointAuthMethod(AuthMethod.NONE);
+client.setClientSecret(null);
+} else if (!dto.getTokenEndpointAuthMethod().equals(TokenEndpointAuthenticationMethod.none)
+&& isNull(client.getClientSecret())) {
+client.setClientSecret(generateClientSecret());
 } else {
 client
 .setTokenEndpointAuthMethod(AuthMethod.getByValue(dto.getTokenEndpointAuthMethod().name()));
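Review bot: The new `org.apache.commons.codec.binary.Base64` import is placed after the project's `it.infn.mw.iam` imports and is followed by two blank lines before `@Component`, which does not appear to match the grouping the surrounding imports use (JDK imports first in the hunk above, project imports last here); move it up into the third-party group and drop one of the blank lines. Since the file now imports `java.math.BigInteger` and `java.security.SecureRandom` anyway, the JDK's `java.util.Base64` with `Base64.getUrlEncoder().withoutPadding()` would cover the same need without relying on commons-codec being on the classpath.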
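Review bot: `SECRET_SIZE` and `RNG` carry no comment, and the unit of `512` is not visible at the field; it is only clear from the later `new BigInteger(SECRET_SIZE, RNG)` call that it is a bit count. I would add `// Entropy of a freshly generated client secret, in bits` above `SECRET_SIZE` and `// Shared CSPRNG; SecureRandom is documented as safe for concurrent use` above `RNG`. The added blank line sits before the constants while `@Autowired` follows `RNG` directly; a blank line between the constants and the constructor would read more naturally.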
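Review bot: The third branch (`!…none && isNull(client.getClientSecret())`) generates a secret but never calls `client.setTokenEndpointAuthMethod`, so a request for `client_secret_basic`, `client_secret_post` or `private_key_jwt` that arrives without a secret leaves `client` with whatever auth method it had before this block instead of the requested one; the `!…none` test there is also redundant, since the `none` case was already taken by the preceding branch. Folding the secret generation into the final `else`, after the auth method is set, fixes both, as below. Two things worth a second look: `private_key_jwt` clients would receive a stored secret they never use, and the `isNull(dto.getTokenEndpointAuthMethod())` branch still defaults to `SECRET_BASIC` without minting a secret, which is fine only if another layer issues it. The enclosing if/else chain continues past the hunk.
```java
} else if (dto.getTokenEndpointAuthMethod().equals(TokenEndpointAuthenticationMethod.none)) {
  client.setTokenEndpointAuthMethod(AuthMethod.NONE);
  client.setClientSecret(null);
} else {
  client
    .setTokenEndpointAuthMethod(AuthMethod.getByValue(dto.getTokenEndpointAuthMethod().name()));
  // Secret-bearing auth methods need a credential; issue one when the request carried none
  if (isNull(client.getClientSecret())) {
    client.setClientSecret(generateClientSecret());
  }
```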
@@ -247,4 +266,10 @@ public RegisteredClientDTO registrationResponseFromClient(ClientDetailsEntity en
 return response;
 }
+public String generateClientSecret() {
+return Base64.encodeBase64URLSafeString(new BigInteger(SECRET_SIZE, RNG).toByteArray())
+.replace("=", "");
+
+}
+
 }
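Review bot: `new BigInteger(SECRET_SIZE, RNG).toByteArray()` yields a variable-length array (leading zero bytes are dropped and a sign byte is prepended when the top bit is set), so the encoded secret changes length from call to call, and the `.replace("=", "")` is dead code because `encodeBase64URLSafeString` already emits no padding. Filling a fixed buffer is simpler and gives exactly `SECRET_SIZE` bits every time: `byte[] secret = new byte[SECRET_SIZE / 8];` / `RNG.nextBytes(secret);` / `return Base64.encodeBase64URLSafeString(secret);`. The method is `public` with no Javadoc; a one-liner such as `/** Returns a fresh URL-safe base64 client secret backed by SECRET_SIZE bits from SecureRandom. */` would state the contract, and `private` would do unless a caller outside the converter needs it.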