Remove comment in OAuth2AuthorizationCodeRequestAuthenticationProvider

This commit is contained in:
Joe Grandja
2021-08-10 05:20:59 -04:00
parent 6b5d9f0fe5
commit 2c8d5a19ac


@@ -239,14 +239,6 @@ public final class OAuth2AuthorizationCodeRequestAuthenticationProvider implemen
.build();
this.authorizationService.save(authorization);
// TODO security checks for code parameter
// The authorization code MUST expire shortly after it is issued to mitigate the risk of leaks.
// A maximum authorization code lifetime of 10 minutes is RECOMMENDED.
// The client MUST NOT use the authorization code more than once.
// If an authorization code is used more than once, the authorization server MUST deny the request
// and SHOULD revoke (when possible) all tokens previously issued based on that authorization code.
// The authorization code is bound to the client identifier and redirection URI.
String redirectUri = authorizationRequest.getRedirectUri();
if (!StringUtils.hasText(redirectUri)) {
redirectUri = registeredClient.getRedirectUris().iterator().next();
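Review bot: dropping the `// TODO security checks for code parameter` marker together with the six lines of RFC 6749 §4.1.2 requirements (short code lifetime, single use, revocation of tokens on reuse, binding to client identifier and redirect URI) leaves no trace in this class of where those properties are enforced. If the checks are implemented elsewhere in the authorization-code grant path, replace the deleted block with a one-line pointer to that class rather than removing it outright, e.g. `// Code lifetime, single-use and client/redirect binding are enforced by <the grant provider>`; if they are not yet implemented, the TODO should stay so the gap remains visible. Unrelated to the deletion but worth a look while here: the fallback `redirectUri = registeredClient.getRedirectUris().iterator().next()` silently picks the first registered URI when the request carries none, which is only safe if the registered-client validation guarantees exactly one redirect URI for clients that omit the parameter; a short comment stating that invariant would help the next reader.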