IdentityModel / AuthorizationServer

Sample implementation of an OAuth2 Authorization Server

AS never checks if the client is Enabled #237

Closed rzontar closed 9 years ago

rzontar commented 9 years ago

Hi,

I believe we have accidentally found a security flaw in the AuthorizationServer. It seems like the AS never checks if the client is enabled or not. I believe a simple clause like the one in ClientValidator.cs from v3 should solve the problem.

// Look the client up in the registry by the id presented in the request
var client = await _clients.FindClientByIdAsync(credential.ClientId);
// Reject both unknown clients and clients that exist but are disabled
if (client == null || client.Enabled == false)
{
    Logger.Error("Client not found in registry or not enabled: " + credential.ClientId);
    return null;
}

I think AuthorizeRequestValidator.cs and TokenRequestValidator.cs are the only ones affected. Could you please verify this before we attempt any fixes?
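Added example, not code from the IdentityModel/AuthorizationServer repository: a self-contained C# sketch of the fix the report describes, with a single client check that both the authorize and the token request validators go through, so a disabled client is rejected at both endpoints even when it presents a valid secret. The Client, ValidationResult, ClientValidator, AuthorizeRequestValidator and TokenRequestValidator types, the error codes and the sample registry are all assumptions made for illustration, not the project's own types.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical registry entry; the project's own client type is not reproduced here.
public class Client
{
    public string ClientId { get; set; }
    public string ClientSecret { get; set; }
    public bool Enabled { get; set; }
    public HashSet<string> RedirectUris { get; set; } = new HashSet<string>();
}

// Result shared by both validators: either a resolved client or an error code.
public class ValidationResult
{
    public string Error { get; set; }
    public Client Client { get; set; }
    public bool IsError { get { return Error != null; } }
}

public class ClientValidator
{
    private readonly Dictionary<string, Client> _clients = new Dictionary<string, Client>();

    public ClientValidator(IEnumerable<Client> clients)
    {
        foreach (var c in clients) _clients[c.ClientId] = c;
    }

    // The one place that decides "does this client exist and is it enabled".
    // Both endpoints call it, so the check cannot be forgotten on one of them.
    public ValidationResult ValidateClient(string clientId)
    {
        Client client;
        if (clientId == null || !_clients.TryGetValue(clientId, out client) || !client.Enabled)
        {
            // Same message for unknown and disabled: do not tell callers which it was.
            Console.Error.WriteLine("Client not found in registry or not enabled: " + clientId);
            return new ValidationResult { Error = "unauthorized_client" };
        }
        return new ValidationResult { Client = client };
    }

    // Token endpoint: existence and Enabled are checked before the secret,
    // so a correct secret never rescues a disabled client.
    public ValidationResult ValidateClientCredentials(string clientId, string clientSecret)
    {
        var result = ValidateClient(clientId);
        if (result.IsError) return result;
        if (!FixedTimeEquals(result.Client.ClientSecret, clientSecret))
        {
            Console.Error.WriteLine("Invalid client secret for client: " + clientId);
            return new ValidationResult { Error = "invalid_client" };
        }
        return result;
    }

    // Constant-time comparison so the secret check does not leak via timing.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public class AuthorizeRequestValidator
{
    private readonly ClientValidator _clientValidator;
    public AuthorizeRequestValidator(ClientValidator v) { _clientValidator = v; }

    // Client check first; the redirect_uri is only trusted for an enabled, known client,
    // so an error for an unknown or disabled client must never be redirected to it.
    public ValidationResult Validate(string clientId, string redirectUri)
    {
        var result = _clientValidator.ValidateClient(clientId);
        if (result.IsError) return result;
        if (!result.Client.RedirectUris.Contains(redirectUri))
            return new ValidationResult { Error = "invalid_request" };
        return result;
    }
}

public class TokenRequestValidator
{
    private readonly ClientValidator _clientValidator;
    public TokenRequestValidator(ClientValidator v) { _clientValidator = v; }

    public ValidationResult Validate(string clientId, string clientSecret)
    {
        return _clientValidator.ValidateClientCredentials(clientId, clientSecret);
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample registry: one enabled client and one an admin has disabled.
        var validator = new ClientValidator(new[]
        {
            new Client { ClientId = "app1", ClientSecret = "s3cret", Enabled = true,  RedirectUris = { "https://app1.example/cb" } },
            new Client { ClientId = "app2", ClientSecret = "s3cret", Enabled = false, RedirectUris = { "https://app2.example/cb" } },
        });
        var authorize = new AuthorizeRequestValidator(validator);
        var token = new TokenRequestValidator(validator);

        Console.WriteLine("authorize app1: " + (authorize.Validate("app1", "https://app1.example/cb").Error ?? "ok"));
        Console.WriteLine("authorize app2: " + (authorize.Validate("app2", "https://app2.example/cb").Error ?? "ok"));
        Console.WriteLine("token app2:     " + (token.Validate("app2", "s3cret").Error ?? "ok"));
        Console.WriteLine("token app1:     " + (token.Validate("app1", "wrong").Error ?? "ok"));
    }
}
```

The design point is that the Enabled test lives in one method that every request path must pass through; putting it inside AuthorizeRequestValidator alone would leave the token endpoint (client credentials, refresh tokens, code exchange) open to a disabled client, which is exactly the gap the report describes. The constant-time secret comparison and the rule that the authorize endpoint must not redirect errors for an unverified client are caveats that sit naturally next to this check, and are likewise added here rather than taken from the project.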

leastprivilege commented 9 years ago

Thanks!

Could you send me a PR?

rzontar commented 9 years ago

Hi,

Have you had a chance to review the PR?

leastprivilege commented 9 years ago

Hi,

Sorry - yeah, next week.

leastprivilege commented 9 years ago

merged