OAuth Details API is initiating the transaction despite a mismatch be…

…tween the aud claim in the provided ID token and the clientId Signed-off-by: Md-Humair-KK <[email protected]>
mosip · Dec 15, 2024 · 816510e · 816510e
1 parent ce72dcb
commit 816510e
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 3 deletions.
diff --git a/oidc-service-impl/src/main/java/io/mosip/esignet/services/AuthorizationHelperService.java b/oidc-service-impl/src/main/java/io/mosip/esignet/services/AuthorizationHelperService.java
@@ -399,7 +399,7 @@ protected String validateAndGetSubject(String clientId, String idTokenHint) {
                 String payload = new String(Base64.getDecoder().decode(jwtParts[1]));
                 JSONObject payloadJson = new JSONObject(payload);
                 String audience = payloadJson.getString(TokenService.AUD);
-                if(!signupIDTokenAudience.equals(audience) && signupIDTokenAudience.equals(clientId))
+                if(!signupIDTokenAudience.equals(audience) || !signupIDTokenAudience.equals(clientId))
                     throw new EsignetException(ErrorConstants.INVALID_ID_TOKEN_HINT);
                 return payloadJson.getString(TokenService.SUB);
             }

diff --git a/oidc-service-impl/src/test/java/io/mosip/esignet/services/AuthorizationServiceTest.java b/oidc-service-impl/src/test/java/io/mosip/esignet/services/AuthorizationServiceTest.java
@@ -849,13 +849,13 @@ public void getOauthDetailsV3_withValidIDTokenHint_thenPass() {
         ClientDetail clientDetail = new ClientDetail();
         clientDetail.setName(new HashMap<>());
         clientDetail.getName().put(Constants.NONE_LANG_KEY, "clientName");
-        clientDetail.setId("34567");
+        clientDetail.setId("mosip-signup-oauth-client");
         clientDetail.setRedirectUris(Arrays.asList("https://localshot:3044/logo.png","http://localhost:8088/v1/idp","/v1/idp"));
         clientDetail.setClaims(Arrays.asList("email","given_name"));
         clientDetail.setAcrValues(Arrays.asList("mosip:idp:acr:generated-code", "mosip:idp:acr:wallet"));
 
         OAuthDetailRequestV3 oauthDetailRequest = new OAuthDetailRequestV3();
-        oauthDetailRequest.setClientId("34567");
+        oauthDetailRequest.setClientId("mosip-signup-oauth-client");
         oauthDetailRequest.setRedirectUri("http://localhost:8088/v1/idp");
         oauthDetailRequest.setNonce("test-nonce");
         ClaimsV2 claims = new ClaimsV2();
@@ -879,10 +879,45 @@ public void getOauthDetailsV3_withValidIDTokenHint_thenPass() {
         Assert.assertNotNull(oauthDetailResponseV2);
     }
 
+    @Test
+    public void getOauthDetailsV3_withValidIDTokenHintClientIdAndAUDMismatch_thenFail() {
+        ClientDetail clientDetail = new ClientDetail();
+        clientDetail.setName(new HashMap<>());
+        clientDetail.getName().put(Constants.NONE_LANG_KEY, "clientName");
+        clientDetail.setId("34567");
+        clientDetail.setRedirectUris(Arrays.asList("https://localshot:3044/logo.png","http://localhost:8088/v1/idp","/v1/idp"));
+        clientDetail.setClaims(Arrays.asList("email","given_name"));
+        clientDetail.setAcrValues(Arrays.asList("mosip:idp:acr:generated-code", "mosip:idp:acr:wallet"));
+
+        OAuthDetailRequestV3 oauthDetailRequest = new OAuthDetailRequestV3();
+        oauthDetailRequest.setClientId("34567");
+        oauthDetailRequest.setRedirectUri("http://localhost:8088/v1/idp");
+        oauthDetailRequest.setNonce("test-nonce");
+        ClaimsV2 claims = new ClaimsV2();
+        claims.setId_token(new HashMap<>());
+        ClaimDetail claimDetail = new ClaimDetail();
+        claimDetail.setValues(new String[]{"mosip:idp:acr:wallet", "mosip:idp:acr:webauthn"});
+        claims.getId_token().put("acr", claimDetail);
+        oauthDetailRequest.setClaims(claims);
+        oauthDetailRequest.setAcrValues("mosip:idp:acr:biometrics mosip:idp:acr:generated-code");
+        oauthDetailRequest.setIdTokenHint("eyJraWQiOiJtbG02RVNRaFB5dVVsWmY0dnBZbGJTVWlSMXBXcG5jdW9kamtnRjNaNU5nIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJxWS0tNVk0VG9Ga1dUb1hKclJGbVBXUEhEWkxrY2lNTDQtX2cxTDJBNXhJIiwiYXVkIjoibW9zaXAtc2lnbnVwLW9hdXRoLWNsaWVudCIsImFjciI6Im1vc2lwOmlkcDphY3I6Z2VuZXJhdGVkLWNvZGUiLCJhdXRoX3RpbWUiOjE3MjUyNjk4ODUsImlzcyI6Imh0dHBzOlwvXC9lc2lnbmV0bDIuY2FtZGdjLXFhLm1vc2lwLm5ldFwvdjFcL2VzaWduZXQiLCJleHAiOjE3MjUyNzAwNzMsImlhdCI6MTcyNTI2OTg5Mywibm9uY2UiOiI5NzNlaWVsanpuZyJ9.VMMn92CFzGkVyx8Jwrq03KhuXOXj3wRlUoxZQQBN7MxlfIxGSX_yE7iw3JWxohzQuHticndtQX2LELcGTPhclzRop3skHCeo6ZPGJklCiRA3F5SyfCYLvDprgE_-pQhLWeECqRtW_8jFFgZSORMoxy8eBj5Vvc8q2zcoDjE-JiLZvqE9UWDRpAKzumJcD3iJvBwE-9jkzQtWZbp-tZrpPrm-KCZU6-Q3qhWU23E9DSMg_6byq4iH51TFwO0nHW1kaxhsqHvCsTX7YTvmfWXUwPVRLNZh5Uszt8EIsgpKIUDkRImqmCUbP1LwoFG55MsW67QzHNTFuR6H-4LidSKnnA");
+
+        MockHttpServletRequest request = new MockHttpServletRequest();
+        request.setCookies(new Cookie("qY--5Y4ToFkWToXJrRFmPWPHDZLkciML4-_g1L2A5xI", "5Y4ToFkWToXJrRFmPWPHDZLkciML4"+SERVER_NONCE_SEPARATOR+"test-state"));
+
+        try {
+            OAuthDetailResponseV2 oauthDetailResponseV2 = authorizationServiceImpl.getOauthDetailsV3(oauthDetailRequest, request);
+            Assert.assertNotNull(oauthDetailResponseV2);
+        } catch (EsignetException e) {
+            Assert.assertEquals(ErrorConstants.INVALID_ID_TOKEN_HINT, e.getErrorCode());
+        }
+    }
+
     @Test
     public void getOauthDetailsV3_withValidIDTokenHintNoCookie_thenFail() throws Exception {
         OAuthDetailRequestV3 oauthDetailRequest = new OAuthDetailRequestV3();
         oauthDetailRequest.setIdTokenHint("eyJraWQiOiJtbG02RVNRaFB5dVVsWmY0dnBZbGJTVWlSMXBXcG5jdW9kamtnRjNaNU5nIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJxWS0tNVk0VG9Ga1dUb1hKclJGbVBXUEhEWkxrY2lNTDQtX2cxTDJBNXhJIiwiYXVkIjoibW9zaXAtc2lnbnVwLW9hdXRoLWNsaWVudCIsImFjciI6Im1vc2lwOmlkcDphY3I6Z2VuZXJhdGVkLWNvZGUiLCJhdXRoX3RpbWUiOjE3MjUyNjk4ODUsImlzcyI6Imh0dHBzOlwvXC9lc2lnbmV0bDIuY2FtZGdjLXFhLm1vc2lwLm5ldFwvdjFcL2VzaWduZXQiLCJleHAiOjE3MjUyNzAwNzMsImlhdCI6MTcyNTI2OTg5Mywibm9uY2UiOiI5NzNlaWVsanpuZyJ9.VMMn92CFzGkVyx8Jwrq03KhuXOXj3wRlUoxZQQBN7MxlfIxGSX_yE7iw3JWxohzQuHticndtQX2LELcGTPhclzRop3skHCeo6ZPGJklCiRA3F5SyfCYLvDprgE_-pQhLWeECqRtW_8jFFgZSORMoxy8eBj5Vvc8q2zcoDjE-JiLZvqE9UWDRpAKzumJcD3iJvBwE-9jkzQtWZbp-tZrpPrm-KCZU6-Q3qhWU23E9DSMg_6byq4iH51TFwO0nHW1kaxhsqHvCsTX7YTvmfWXUwPVRLNZh5Uszt8EIsgpKIUDkRImqmCUbP1LwoFG55MsW67QzHNTFuR6H-4LidSKnnA");
+        oauthDetailRequest.setClientId("mosip-signup-oauth-client");
         MockHttpServletRequest request = new MockHttpServletRequest();
         try {
             authorizationServiceImpl.getOauthDetailsV3(oauthDetailRequest, request);