From 2c8d5a19accffbcc260aadb513edbbb3c93e0552 Mon Sep 17 00:00:00 2001
From: Joe Grandja
Date: Tue, 10 Aug 2021 05:20:59 -0400
Subject: [PATCH] Remove comment in OAuth2AuthorizationCodeRequestAuthenticationProvider
---
 ...th2AuthorizationCodeRequestAuthenticationProvider.java | 8 --------
 1 file changed, 8 deletions(-)
diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeRequestAuthenticationProvider.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeRequestAuthenticationProvider.java
index 49ead129..ee529828 100644
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeRequestAuthenticationProvider.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeRequestAuthenticationProvider.java
@@ -239,14 +239,6 @@ public final class OAuth2AuthorizationCodeRequestAuthenticationProvider implemen
 .build();
 this.authorizationService.save(authorization);
-// TODO security checks for code parameter
-// The authorization code MUST expire shortly after it is issued to mitigate the risk of leaks.
-// A maximum authorization code lifetime of 10 minutes is RECOMMENDED.
-// The client MUST NOT use the authorization code more than once.
-// If an authorization code is used more than once, the authorization server MUST deny the request
-// and SHOULD revoke (when possible) all tokens previously issued based on that authorization code.
-// The authorization code is bound to the client identifier and redirection URI.
 String redirectUri = authorizationRequest.getRedirectUri();
 if (!StringUtils.hasText(redirectUri)) {
 redirectUri = registeredClient.getRedirectUris().iterator().next();