diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/RemoteTokenServices.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/RemoteTokenServices.java
index f6555613c..887b337ae 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/RemoteTokenServices.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/RemoteTokenServices.java
@@ -12,6 +12,7 @@
 *******************************************************************************/
 package org.springframework.security.oauth2.provider.token;
+import com.sun.org.apache.xpath.internal.operations.Bool;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.springframework.http.HttpEntity;
@@ -41,7 +42,6 @@
 *
 * @author Dave Syer
 * @author Luke Taylor
- *
 */
 public class RemoteTokenServices implements ResourceServerTokenServices {
@@ -112,9 +112,10 @@ public OAuth2Authentication loadAuthentication(String accessToken) throws Authen
 throw new InvalidTokenException(accessToken);
 }
+ Object activeValue = map.get("active");
 // gh-838
- if (!Boolean.TRUE.equals(map.get("active"))) {
- logger.debug("check_token returned active attribute: " + map.get("active"));
+ if (!(Boolean.TRUE.equals(activeValue) || Boolean.TRUE.toString().equals(activeValue))) {
+ logger.debug("check_token returned active attribute: " + activeValue);
 throw new InvalidTokenException(accessToken);
 }
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/RemoteTokenServicesTest.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/RemoteTokenServicesTest.java
index 709755ff5..89782795f 100644
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/RemoteTokenServicesTest.java 
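Review bot: The added import `com.sun.org.apache.xpath.internal.operations.Bool` is not referenced by any line in this diff and names a JDK-internal class, so it reads as an IDE auto-import accident rather than an intended dependency. Internal `com.sun.*` packages are not public API, are encapsulated by the module system on JDK 9+ and are not guaranteed to exist on other runtimes, so the import risks a compile failure in exchange for nothing. Drop the line `import com.sun.org.apache.xpath.internal.operations.Bool;`; the new check in the third hunk only uses `java.lang.Boolean`, which needs no import.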
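Review bot: The widened check accepts the exact string `"true"` alongside `Boolean.TRUE` without recording why, and RFC 7662 section 2.2 defines `active` as a JSON boolean, so a later reader cannot tell whether the string form is a deliberate concession to non-conforming introspection servers or an oversight that could be "fixed" away. The comparison is case-sensitive and anything other than those two values still throws `InvalidTokenException`, which is the right fail-closed behavior, so the point is documentation: above the `if`, replace the bare `// gh-838` with `// gh-838: RFC 7662 makes "active" a JSON boolean, but some servers serialize it as the string "true"; accept that exact (case-sensitive) form too and fail closed on anything else.` Placing that comment above `Object activeValue = map.get("active");` also keeps the issue reference next to the declaration it now explains. `Boolean.TRUE.toString()` could be written as the literal `"true"` to make the accepted value visible at a glance. The enclosing `loadAuthentication` starts and ends outside this hunk.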
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/RemoteTokenServicesTest.java
@@ -89,4 +89,16 @@ public void loadAuthenticationWhenIntrospectionResponseMissingActiveAttributeThe
 this.remoteTokenServices.loadAuthentication("access-token-1234");
 }
+ @Test
+ public void loadAuthenticationWhenIntrospectionResponseContainsActiveTrueByStringThenReturnAuthentication() throws Exception {
+ Map responseAttrs = new HashMap();
+ responseAttrs.put("active", "true"); // "active" is the only required attribute as per RFC 7662 (https://tools.ietf.org/search/rfc7662#section-2.2)
+ ResponseEntity response = new ResponseEntity(responseAttrs, HttpStatus.OK);
+ RestTemplate restTemplate = mock(RestTemplate.class);
+ when(restTemplate.exchange(anyString(), any(HttpMethod.class), any(HttpEntity.class), any(Class.class))).thenReturn(response);
+ this.remoteTokenServices.setRestTemplate(restTemplate);
+
+ OAuth2Authentication authentication = this.remoteTokenServices.loadAuthentication("access-token-1234");
+ assertNotNull(authentication);
+ }
 }
\ No newline at end of file
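Review bot: The new test only pins the positive case, so nothing guards the security-relevant half of the change: that loosening the check to accept the string `"true"` did not also let other string values through. A sibling negative test would make the fail-closed behavior explicit; it can be a copy of the new method with `responseAttrs.put("active", "false");` in place of the `"true"` line, named along the lines of `loadAuthenticationWhenIntrospectionResponseContainsActiveFalseByStringThenThrowInvalidTokenException`, and asserting that `loadAuthentication` throws `InvalidTokenException`, presumably in the same expected-exception style as the existing missing-attribute test whose body is cut off at the top of this hunk. A second variant using `"TRUE"` would also document that the comparison is intentionally case-sensitive.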