From c38d3edad8ae41627626e0df1683f156550f2a7d Mon Sep 17 00:00:00 2001
From: Steve Riesenberg
Date: Thu, 9 Mar 2023 13:07:36 -0600
Subject: [PATCH] Use spec-recommended user code format

---
 ...ceAuthorizationRequestAuthenticationProvider.java | 12 ++++++++++--
 .../web/authentication/OAuth2EndpointUtils.java | 8 +++++---
 2 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceAuthorizationRequestAuthenticationProvider.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceAuthorizationRequestAuthenticationProvider.java
index e4acd8d31..27867b065 100644
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceAuthorizationRequestAuthenticationProvider.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceAuthorizationRequestAuthenticationProvider.java
@@ -224,6 +224,13 @@ public OAuth2DeviceCode generate(OAuth2TokenContext context) {
 private static final class UserCodeStringKeyGenerator implements StringKeyGenerator {
+ // @formatter:off
+ private static final char[] VALID_CHARS = {
+ 'B', 'C', 'D', 'F', 'G', 'H', 'J', 'K', 'L', 'M',
+ 'N', 'P', 'Q', 'R', 'S', 'T', 'V', 'W', 'X', 'Z'
+ };
+ // @formatter:on
+
 private final BytesKeyGenerator keyGenerator;
 public UserCodeStringKeyGenerator() {
@@ -235,9 +242,10 @@ public String generateKey() {
 byte[] bytes = this.keyGenerator.generateKey();
 StringBuilder sb = new StringBuilder();
 for (byte b : bytes) {
- int offset = Math.abs(b % 26);
- sb.append((char) ('A' + offset));
+ int offset = Math.abs(b % 20);
+ sb.append(VALID_CHARS[offset]);
 }
+ sb.insert(4, '-');
 return sb.toString();
 }
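Review bot: VALID_CHARS is added without any comment saying where this particular 20-letter alphabet comes from, so a later maintainer may "complete" it with vowels or I/O and silently change the code's properties. I would put `// RFC 8628 §6.1 recommended user-code alphabet (20 consonants, no vowels or easily confused letters); 8 characters give roughly 34.5 bits` directly above the array, and mention in the class Javadoc that generateKey formats the result as XXXX-XXXX. The enclosing class UserCodeStringKeyGenerator continues outside the hunk.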
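Review bot: `Math.abs(b % 20)` does not index VALID_CHARS uniformly: over the 256 byte values, folding the negative residues onto the positive ones lands indices 1–7 on 14 values each, index 0 on 13 and indices 8–19 on 12, so each character carries a little less than the log2(20) ≈ 4.32 bits the 8-character format is sized for. `int offset = Math.floorMod(b, 20);` removes the sign folding and leaves only the unavoidable 256-vs-20 remainder (13 vs 12), and a one-line comment should state that the mapping is intentionally approximate and that brute-force resistance per RFC 8628 §5.1 also relies on the server rate-limiting verification attempts. `sb.insert(4, '-')` additionally assumes the BytesKeyGenerator yields exactly 8 bytes, a size fixed in the constructor outside this hunk; a short buffer would surface as a StringIndexOutOfBoundsException rather than a configuration error, so `Assert.state(sb.length() == 8, "user code generator must produce 8 characters");` before the insert makes that coupling explicit. generateKey's enclosing class continues outside the hunk.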
diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2EndpointUtils.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2EndpointUtils.java
index 72f98818d..f9a22b434 100644
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2EndpointUtils.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2EndpointUtils.java
@@ -17,7 +17,6 @@
 import java.util.Collections;
 import java.util.HashMap;
-import java.util.Locale;
 import java.util.Map;
 import jakarta.servlet.http.HttpServletRequest;
@@ -84,8 +83,11 @@ static void throwError(String errorCode, String parameterName, String errorUri)
 }
 static String normalizeUserCode(String userCode) {
- Assert.notNull(userCode, "userCode cannot be null");
- return userCode.toUpperCase(Locale.ROOT).replaceAll("[^A-Z]+", "");
+ Assert.hasText(userCode, "userCode cannot be empty");
+ StringBuilder sb = new StringBuilder(userCode.toUpperCase().replaceAll("[^A-Z\\d]+", ""));
+ Assert.isTrue(sb.length() == 8, "userCode must be exactly 8 alpha/numeric characters");
+ sb.insert(4, '-');
+ return sb.toString();
 }
 }
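Review bot: The new `userCode.toUpperCase()` drops the `Locale.ROOT` argument the removed line had, so normalization of a user-typed code now depends on the JVM's default locale (under a Turkish locale `i` upper-cases to U+0130, which the regex then strips), and the same input can normalize differently per deployment; keep `userCode.toUpperCase(Locale.ROOT)` and with it the `java.util.Locale` import the first hunk removes. `Assert.isTrue(sb.length() == 8, ...)` turns a code of the wrong length into an IllegalArgumentException; the caller is outside this hunk, so confirm it maps that to an `invalid_request` error rather than letting it surface as a server error, or document with `@throws IllegalArgumentException if the normalized code is not 8 characters` that callers are expected to catch it. As a point of style, `"[^A-Z\\d]+"` is recompiled on every call inside `replaceAll`; a `private static final Pattern` on the class would avoid that.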