Luke Xu created CXF-8731:
----------------------------

             Summary: codeParam fetched in ClientCodeRequestFilter#processCodeResponse should get URL decoded
                 Key: CXF-8731
                 URL: https://issues.apache.org/jira/browse/CXF-8731
             Project: CXF
          Issue Type: Bug
          Components: JAX-RS Security
    Affects Versions: 3.4.0
            Reporter: Luke Xu


Hi,

I'm setting up some JAX-RS resources behind Google OAuth authorization using
org.apache.cxf.rs.security.oauth2.client.ClientCodeRequestFilter. During the
process, I have gotten the authorization code back successfully. However,
ClientCodeRequestFilter can't go on to the next step to get the access token.

Some debugging shows that when ClientCodeRequestFilter calls
processCodeResponse(), the codeParam fetched from the redirection request is
not URL decoded. Google's code usually starts with '4/', but when not decoded it
is '4%2F'. The later OAuthClientUtils.getAccessToken() only works with '4/', the
decoded code.

I think this is a bug. But if I have missed some configuration, I'd also be
glad to know.

Thanks in advance.

{code:java}
protected void processCodeResponse(ContainerRequestContext rc,
                                   UriInfo ui,
                                   MultivaluedMap<String, String> requestParams) {

    MultivaluedMap<String, String> state = null;
    if (clientStateManager != null) {
        state = clientStateManager.fromRedirectState(mc, requestParams);
    }
    /* The following codeParam is still URL encoded ("4%2F..." instead of "4/..."),
       so when it is passed on to the grant and later to OAuthClientUtils,
       getAccessToken() fails. */
    String codeParam = requestParams.getFirst(OAuthConstants.AUTHORIZATION_CODE_VALUE);
    ClientAccessToken at = null;
    if (codeParam != null) {
        AuthorizationCodeGrant grant = prepareCodeGrant(codeParam, getAbsoluteRedirectUri(ui));
        if (state != null) {
            grant.setCodeVerifier(state.getFirst(OAuthConstants.AUTHORIZATION_CODE_VERIFIER));
        }
        at = OAuthClientUtils.getAccessToken(accessTokenServiceClient, consumer, grant, useAuthorizationHeader);
    }
    ClientTokenContext tokenContext = initializeClientTokenContext(rc, at, requestParams, state);
    if (at != null && clientTokenContextManager != null) {
        clientTokenContextManager.setClientTokenContext(mc, tokenContext);
    }
    setClientCodeRequest(tokenContext);
}
{code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
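The failure the reporter describes is a double-encoding problem: a code that is still percent-encoded when it is put into the token request gets encoded a second time, so "4/" leaves the client as "4%252F" and the authorization server rejects it. The following stand-alone Java program is an added illustration of that effect and of the one-time decode that fixes it; it is not code from the issue or from Apache CXF. The redirect query string, the authorization code value and the redirect URI are constructed sample data, and the parsing helper is a deliberately minimal stand-in for what the filter's requestParams map contains. It assumes Java 10 or newer for the Charset overloads of URLDecoder/URLEncoder.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

public class CodeParamDecodeDemo {

    // Constructed sample: the raw query string of the redirect back to the client,
    // with the authorization code percent-encoded by the authorization server
    // ("4/" arrives on the wire as "4%2F").
    static final String REDIRECT_QUERY = "code=4%2F0AbCdEf-sampleCode&state=xyz123";

    // Constructed sample redirect URI (hypothetical host).
    static final String REDIRECT_URI = "https://app.example/callback";

    // Split a raw query string WITHOUT decoding values. This mirrors the reporter's
    // observation: requestParams.getFirst("code") returned the still-encoded "4%2F...".
    static Map<String, String> parseRaw(String query) {
        Map<String, String> out = new LinkedHashMap<>();
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            String key = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            out.put(key, value);
        }
        return out;
    }

    // Percent-decode ONE query parameter value exactly once. URLDecoder is the right
    // tool for application/x-www-form-urlencoded values (it also maps '+' to a space).
    static String decodeParam(String raw) {
        return URLDecoder.decode(raw, StandardCharsets.UTF_8);
    }

    // Build the form body of the token request (RFC 6749 section 4.1.3). Every value
    // is form-encoded here, which is why a value that is already encoded breaks.
    static String tokenRequestBody(String code, String redirectUri) {
        return "grant_type=authorization_code"
            + "&code=" + URLEncoder.encode(code, StandardCharsets.UTF_8)
            + "&redirect_uri=" + URLEncoder.encode(redirectUri, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        String rawCode = parseRaw(REDIRECT_QUERY).get("code");
        String decodedCode = decodeParam(rawCode);

        // Raw value passed through: "4%2F" is encoded again and the server sees "4%252F".
        String brokenBody = tokenRequestBody(rawCode, REDIRECT_URI);
        // Decoded value passed through: "4/" is encoded exactly once, as "4%2F".
        String correctBody = tokenRequestBody(decodedCode, REDIRECT_URI);

        System.out.println("raw code        : " + rawCode);
        System.out.println("decoded code    : " + decodedCode);
        System.out.println("double-encoded  : " + brokenBody);
        System.out.println("single-encoded  : " + correctBody);
        System.out.println("bodies differ   : " + !brokenBody.equals(correctBody));
    }
}
```

Compile and run with `javac CodeParamDecodeDemo.java && java CodeParamDecodeDemo`. One caveat when applying the same idea to the filter: decode the value exactly once, at the point where you know it is still raw. JAX-RS already returns decoded values from UriInfo.getQueryParameters() by default, so if the parameter map the filter receives turns out to be decoded in your deployment, a second URLDecoder.decode() call would corrupt any code that legitimately contains a '%' character. A quick check is to log or compare the value before and after decoding on a known redirect: if both are identical and start with "4/", the map was already decoded and no further decoding is needed.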