NXP-23037 (Nuxeo Platform)

Put oauth2Grant.jsp behind the authentication filter and reject GET on /oauth2/authorize_submit and /oauth2/token

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 9.3
    • Component/s: OAuth

      Description

Currently, the oauth2Grant.jsp page can be fetched without being authenticated.
This is not a security issue, since the POST to /oauth2/authorize_submit is protected by the authentication filter.

However, once the user logs in, a GET is issued on /oauth2/authorize_submit, which leads to a 404. By putting oauth2Grant.jsp behind the authentication filter, the POST will instead return an OAuth 2 error due to the missing parameters, which is better.

Moreover, a GET on /oauth2/authorize_submit should return an OAuth 2 error page with status code 405 Method Not Allowed.
Currently, the following scenario leads to a 404:

• Log in to Nuxeo in the Chrome mobile browser
• Open the app: since we are already logged in, the OAuth 2 grant page is shown directly
• Log out of Nuxeo in Chrome
• In the app, click on Grant
• Log in to Nuxeo within the app

Returning an OAuth 2 error page would be better.

The same applies to /oauth2/token.
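As an added illustration (not Nuxeo's own code), a plain servlet showing the behaviour this issue asks for on /oauth2/authorize_submit: a GET is answered with 405 and an OAuth 2 error body instead of falling through to a 404, and a POST that arrives without the grant parameters gets an OAuth 2 error. The class name and the list of required parameters are assumptions for this example; the same doGet rejection applies to /oauth2/token.

```java
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet, not the Nuxeo implementation.
public class AuthorizeSubmitServlet extends HttpServlet {

    // Parameters the grant form is expected to POST back (assumed for this example).
    private static final String[] REQUIRED = { "client_id", "response_type", "redirect_uri" };

    // GET is not a valid way to submit a grant decision: answer 405 Method Not Allowed
    // with an Allow header and an OAuth 2 error body, rather than a 404.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.setHeader("Allow", "POST");
        writeError(resp, HttpServletResponse.SC_METHOD_NOT_ALLOWED,
                "invalid_request", "GET is not allowed on this endpoint, use POST");
    }

    // With oauth2Grant.jsp behind the authentication filter, a POST that lacks the grant
    // parameters is reported as an OAuth 2 error instead of a 404.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        for (String name : REQUIRED) {
            String value = req.getParameter(name);
            if (value == null || value.isEmpty()) {
                writeError(resp, HttpServletResponse.SC_BAD_REQUEST,
                        "invalid_request", "Missing required parameter: " + name);
                return;
            }
        }
        // All parameters present: the grant decision would be processed here.
    }

    // Minimal RFC 6749 style error body: {"error": "...", "error_description": "..."}.
    // The strings written here are constants controlled by this class, so no JSON escaping is needed.
    private static void writeError(HttpServletResponse resp, int status,
                                   String error, String description) throws IOException {
        resp.setStatus(status);
        resp.setContentType("application/json");
        resp.setCharacterEncoding("UTF-8");
        resp.setHeader("Cache-Control", "no-store");
        resp.getWriter().write("{\"error\":\"" + error
                + "\",\"error_description\":\"" + description + "\"}");
    }
}
```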

Time Tracking

• Original Estimate: Not Specified
• Remaining Estimate: 0m
• Time Spent: 4h
