[jira] [Updated] (CXF-8368) org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService#createAuthorizationData wrongly sets code_challenge


Colm O hEigeartaigh (Jira)

     [ https://issues.apache.org/jira/browse/CXF-8368?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh updated CXF-8368:
-------------------------------------
    Fix Version/s: 3.4.2

> org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService#createAuthorizationData wrongly sets code_challenge
> ----------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CXF-8368
>                 URL: https://issues.apache.org/jira/browse/CXF-8368
>             Project: CXF
>          Issue Type: Bug
>    Affects Versions: 3.4.1
>            Reporter: Romain Manni-Bucau
>            Assignee: Colm O hEigeartaigh
>            Priority: Major
>             Fix For: 3.4.2
>
>
> org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService#createAuthorizationData sets code challenge after parent createAuthorizationData which calls org.apache.cxf.rs.security.oauth2.services.RedirectionBasedGrantService#createAuthorizationData which calls org.apache.cxf.rs.security.oauth2.provider.JoseSessionTokenProvider#createSessionToken (when used) so the state will be created before the challenge is set which breaks the flow.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
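
The ordering problem described in the report, as an added example that is not CXF code and not part of the original message. It is a simplified model: every class and method name is hypothetical, the session token is a plain string instead of a JOSE token, and it assumes the breakage shows up as the challenge missing from the serialized state when the verifier is checked later.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

// Simplified model of the ordering problem; all names are hypothetical, not CXF classes.
public class PkceOrderingDemo {
    // Stands in for the authorization data gathered on the authorization request.
    static class AuthData { String clientId; String codeChallenge; }

    // Stands in for a session token provider that serializes the state into the token.
    static String createSessionToken(AuthData d) {
        return "client=" + d.clientId + ";challenge=" + d.codeChallenge;
    }

    // Order described in the report: the token is built first, the challenge is set afterwards.
    static String buggyOrder(String clientId, String challenge) {
        AuthData d = new AuthData();
        d.clientId = clientId;
        String token = createSessionToken(d); // snapshot taken without the challenge
        d.codeChallenge = challenge;          // too late, the token is already issued
        return token;
    }

    // Corrected order: every field is set before the state is serialized.
    static String fixedOrder(String clientId, String challenge) {
        AuthData d = new AuthData();
        d.clientId = clientId;
        d.codeChallenge = challenge;
        return createSessionToken(d);
    }

    // RFC 7636 S256: BASE64URL(SHA-256(ASCII(code_verifier))), without padding.
    static String s256(String verifier) throws Exception {
        byte[] ascii = verifier.getBytes(StandardCharsets.US_ASCII);
        byte[] hash = MessageDigest.getInstance("SHA-256").digest(ascii);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(hash);
    }

    // Later check against the challenge recovered from the session token.
    static boolean verify(String token, String verifier) throws Exception {
        String stored = token.substring(token.indexOf("challenge=") + "challenge=".length());
        return MessageDigest.isEqual(stored.getBytes(StandardCharsets.US_ASCII),
                                     s256(verifier).getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) throws Exception {
        String verifier = "constructed-sample-verifier-0123456789-abcdefghijklmnop"; // constructed value
        String challenge = s256(verifier);
        System.out.println("buggy order verifies: " + verify(buggyOrder("demo-client", challenge), verifier));
        System.out.println("fixed order verifies: " + verify(fixedOrder("demo-client", challenge), verifier));
    }
}
```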