Merge branch '1.3.x'

1 year ago · c0182f5441
2 changed files with 30 additions and 5 deletions
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/CodeVerifierAuthenticator.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/CodeVerifierAuthenticator.java
@ -137,11 +137,14 @@ final class CodeVerifierAuthenticator {
				@@ -137,11 +137,14 @@ final class CodeVerifierAuthenticator {
 	}

 	private static boolean authorizationCodeGrant(Map<String, Object> parameters) {
-		// @formatter:off
-		return AuthorizationGrantType.AUTHORIZATION_CODE.getValue().equals(
-				parameters.get(OAuth2ParameterNames.GRANT_TYPE)) &&
-				parameters.get(OAuth2ParameterNames.CODE) != null;
-		// @formatter:on
+		if (!AuthorizationGrantType.AUTHORIZATION_CODE.getValue()
+			.equals(parameters.get(OAuth2ParameterNames.GRANT_TYPE))) {
+			return false;
+		}
+		if (!StringUtils.hasText((String) parameters.get(OAuth2ParameterNames.CODE))) {
+			throwInvalidGrant(OAuth2ParameterNames.CODE);
+		}
+		return true;
 	}

 	private boolean codeVerifierValid(String codeVerifier, String codeChallenge, String codeChallengeMethod) {
--- a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationCodeGrantTests.java
+++ b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationCodeGrantTests.java
@ -515,6 +515,28 @@ public class OAuth2AuthorizationCodeGrantTests {
				@@ -515,6 +515,28 @@ public class OAuth2AuthorizationCodeGrantTests {
 			.isEqualTo(true);
 	}

+	// gh-1680
+	@Test
+	public void requestWhenPublicClientWithPkceAndEmptyCodeThenBadRequest() throws Exception {
+		this.spring.register(AuthorizationServerConfiguration.class).autowire();
+
+		RegisteredClient registeredClient = TestRegisteredClients.registeredPublicClient().build();
+		this.registeredClientRepository.save(registeredClient);
+
+		MultiValueMap<String, String> tokenRequestParameters = new LinkedMultiValueMap<>();
+		tokenRequestParameters.set(OAuth2ParameterNames.GRANT_TYPE,
+				AuthorizationGrantType.AUTHORIZATION_CODE.getValue());
+		tokenRequestParameters.set(OAuth2ParameterNames.CODE, "");
+		tokenRequestParameters.set(OAuth2ParameterNames.REDIRECT_URI,
+				registeredClient.getRedirectUris().iterator().next());
+
+		this.mvc
+			.perform(post(DEFAULT_TOKEN_ENDPOINT_URI).params(tokenRequestParameters)
+				.param(OAuth2ParameterNames.CLIENT_ID, registeredClient.getClientId())
+				.param(PkceParameterNames.CODE_VERIFIER, S256_CODE_VERIFIER))
+			.andExpect(status().isBadRequest());
+	}
+
 	@Test
 	public void requestWhenConfidentialClientWithPkceAndMissingCodeVerifierThenBadRequest() throws Exception {
 		this.spring.register(AuthorizationServerConfiguration.class).autowire();