fix(jans-auth-server): npe - regression in token endpoint (#2763)

* fix(jans-auth-server): npe - regression in token endpoint Native SSO #2518 #2762 * fix(jans-auth-server): added test for npe fix Native SSO #2518 #2762
JanssenProject · Oct 28, 2022 · fe659d7 · fe659d7
1 parent c368a02
commit fe659d7
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 3 deletions.
diff --git a/...-auth-server/server/src/main/java/io/jans/as/server/token/ws/rs/TokenExchangeService.java b/...-auth-server/server/src/main/java/io/jans/as/server/token/ws/rs/TokenExchangeService.java
@@ -173,10 +173,10 @@ public JSONObject processTokenExchange(String scope, Function<JsonWebResponse, V
     }
 
     public void putNewDeviceSecret(JSONObject jsonObj, String sessionDn, Client client, String scope) {
-        if (!scope.contains(ScopeConstants.DEVICE_SSO)) {
+        if (StringUtils.isBlank(scope) || !scope.contains(ScopeConstants.DEVICE_SSO)) {
             return;
         }
-        if (!ArrayUtils.contains(client.getGrantTypes(), GrantType.TOKEN_EXCHANGE)) {
+        if (client == null || !ArrayUtils.contains(client.getGrantTypes(), GrantType.TOKEN_EXCHANGE)) {
             log.debug("Skip device secret. Scope has {} value but client does not have Token Exchange Grant Type enabled ('urn:ietf:params:oauth:grant-type:token-exchange')", ScopeConstants.DEVICE_SSO);
             return;
         }

diff --git a/...h-server/server/src/test/java/io/jans/as/server/token/ws/rs/TokenExchangeServiceTest.java b/...h-server/server/src/test/java/io/jans/as/server/token/ws/rs/TokenExchangeServiceTest.java
@@ -47,6 +47,19 @@ public class TokenExchangeServiceTest {
     @InjectMocks
     private TokenExchangeService tokenExchangeService;
 
+    @Test
+    public void putNewDeviceSecret_whenScopeIsNull_shouldNotGenerateDeviceSecretAndShouldNotThrowNPE() {
+        SessionId sessionId = new SessionId();
+        Client client = new Client();
+        client.setGrantTypes(new GrantType[] {GrantType.AUTHORIZATION_CODE, GrantType.TOKEN_EXCHANGE});
+
+        final JSONObject jsonObj = new JSONObject();
+        tokenExchangeService.putNewDeviceSecret(jsonObj, "sessionDn", client, null);
+
+        assertTrue(sessionId.getDeviceSecrets().isEmpty());
+        assertFalse(jsonObj.has("device_token"));
+    }
+
     @Test
     public void putNewDeviceSecret_whenScopeDeviceSSOIsNotPresent_shouldNotGenerateDeviceSecret() {
         SessionId sessionId = new SessionId();
@@ -60,7 +73,6 @@ public void putNewDeviceSecret_whenScopeDeviceSSOIsNotPresent_shouldNotGenerateD
         assertFalse(jsonObj.has("device_token"));
     }
 
-
     @Test
     public void putNewDeviceSecret_whenTokenExchangeGrantIsNotPresent_shouldNotGenerateDeviceSecret() {
         SessionId sessionId = new SessionId();