OAuth2AuthorizationRequestDeserializer fails on multi-valued request parameters #1666

Closed
stefanocke opened this issue Jul 1, 2024 · 3 comments
Assignees
Labels
status: duplicate A duplicate of another issue type: bug A general bug

Comments

@stefanocke

stefanocke commented Jul 1, 2024

Describe the bug
#1250 introduced storing multi-valued OAuth2 Authorization Request parameters as string arrays.
This seems to lead to the following exception when serializing and de-serializing the request, as done by JdbcOAuth2AuthorizationService.

Caused by: java.lang.IllegalArgumentException: The class with [Ljava.lang.String; and name of [Ljava.lang.String; is not in the allowlist. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. If the serialization is only done by a trusted source, you can also enable default typing. See https://github.com/spring-projects/spring-security/issues/4370 for details
	at org.springframework.security.jackson2.SecurityJackson2Modules$AllowlistTypeIdResolver.typeFromId(SecurityJackson2Modules.java:285)
	at com.fasterxml.jackson.databind.jsontype.impl.TypeDeserializerBase._findDeserializer(TypeDeserializerBase.java:159)
	at com.fasterxml.jackson.databind.jsontype.impl.AsArrayTypeDeserializer._deserialize(AsArrayTypeDeserializer.java:97)
	at com.fasterxml.jackson.databind.jsontype.impl.AsArrayTypeDeserializer.deserializeTypedFromArray(AsArrayTypeDeserializer.java:53)
	at com.fasterxml.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer.deserializeTypedFromAny(AsPropertyTypeDeserializer.java:211)
	at com.fasterxml.jackson.databind.deser.std.UntypedObjectDeserializerNR.deserializeWithType(UntypedObjectDeserializerNR.java:115)
	at com.fasterxml.jackson.databind.deser.impl.TypeWrappedDeserializer.deserialize(TypeWrappedDeserializer.java:74)
	at com.fasterxml.jackson.databind.deser.DefaultDeserializationContext.readRootValue(DefaultDeserializationContext.java:323)
	at com.fasterxml.jackson.databind.ObjectMapper._readValue(ObjectMapper.java:4706)
	at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:2879)
	at org.springframework.security.oauth2.server.authorization.jackson2.UnmodifiableMapDeserializer.deserialize(UnmodifiableMapDeserializer.java:47)
	at org.springframework.security.oauth2.server.authorization.jackson2.UnmodifiableMapDeserializer.deserialize(UnmodifiableMapDeserializer.java:37)
	at com.fasterxml.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer._deserializeTypedForId(AsPropertyTypeDeserializer.java:144)
	at com.fasterxml.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer.deserializeTypedFromObject(AsPropertyTypeDeserializer.java:110)
	at com.fasterxml.jackson.databind.deser.std.MapDeserializer.deserializeWithType(MapDeserializer.java:492)
	at com.fasterxml.jackson.databind.deser.impl.TypeWrappedDeserializer.deserialize(TypeWrappedDeserializer.java:74)
	at com.fasterxml.jackson.databind.ObjectMapper._convert(ObjectMapper.java:4444)
	at com.fasterxml.jackson.databind.ObjectMapper.convertValue(ObjectMapper.java:4390)
	at org.springframework.security.oauth2.server.authorization.jackson2.JsonNodeUtils.findValue(JsonNodeUtils.java:53)
	at org.springframework.security.oauth2.server.authorization.jackson2.OAuth2AuthorizationRequestDeserializer.deserialize(OAuth2AuthorizationRequestDeserializer.java:60)
	at org.springframework.security.oauth2.server.authorization.jackson2.OAuth2AuthorizationRequestDeserializer.deserialize(OAuth2AuthorizationRequestDeserializer.java:46)
	at org.springframework.security.oauth2.server.authorization.jackson2.OAuth2AuthorizationRequestDeserializer.deserialize(OAuth2AuthorizationRequestDeserializer.java:39)
	at com.fasterxml.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer._deserializeTypedForId(AsPropertyTypeDeserializer.java:144)
	at com.fasterxml.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer.deserializeTypedFromObject(AsPropertyTypeDeserializer.java:110)
	at com.fasterxml.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer.deserializeTypedFromAny(AsPropertyTypeDeserializer.java:213)
	at com.fasterxml.jackson.databind.deser.std.UntypedObjectDeserializerNR.deserializeWithType(UntypedObjectDeserializerNR.java:115)
	at com.fasterxml.jackson.databind.deser.impl.TypeWrappedDeserializer.deserialize(TypeWrappedDeserializer.java:74)
	at com.fasterxml.jackson.databind.deser.DefaultDeserializationContext.readRootValue(DefaultDeserializationContext.java:323)
	at com.fasterxml.jackson.databind.ObjectMapper._readValue(ObjectMapper.java:4706)
	at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:2879)
	at org.springframework.security.oauth2.server.authorization.jackson2.UnmodifiableMapDeserializer.deserialize(UnmodifiableMapDeserializer.java:47)
	at org.springframework.security.oauth2.server.authorization.jackson2.UnmodifiableMapDeserializer.deserialize(UnmodifiableMapDeserializer.java:37)
	at com.fasterxml.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer._deserializeTypedForId(AsPropertyTypeDeserializer.java:144)
	at com.fasterxml.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer.deserializeTypedFromObject(AsPropertyTypeDeserializer.java:110)
	at com.fasterxml.jackson.databind.deser.std.MapDeserializer.deserializeWithType(MapDeserializer.java:492)
	at com.fasterxml.jackson.databind.deser.impl.TypeWrappedDeserializer.deserialize(TypeWrappedDeserializer.java:74)
	at com.fasterxml.jackson.databind.deser.DefaultDeserializationContext.readRootValue(DefaultDeserializationContext.java:323)
	at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4730)
	at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3677)
	at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3660)
	at org.springframework.security.oauth2.server.authorization.JdbcOAuth2AuthorizationService$OAuth2AuthorizationRowMapper.parseMap(JdbcOAuth2AuthorizationService.java:537)
	... 193 common frames omitted

My assumption is that the OAuth2AuthorizationRequestDeserializer does not support string arrays for "additionalParameters".

To Reproduce

  • use JdbcOAuth2AuthorizationService (to force JSON serialisation)
  • append some multi-valued parameter to the authorization code request, like foo=1234&foo=4567
  • do the authorization code flow

Expected behavior
There should be no exception when using JdbcOAuth2AuthorizationService and multi-valued params.

@stefanocke stefanocke added the type: bug A general bug label Jul 1, 2024
@jgrandja
Collaborator

jgrandja commented Jul 8, 2024

@stefanocke Thanks for reporting this. I've confirmed this is a bug. It appears we need to register a mixin in OAuth2AuthorizationServerJackson2Module for String[].

Would you be interested in submitting a fix for this?
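A defender-side workaround along the lines jgrandja suggests, added here as an example (not the project's code and not the fix that was eventually merged): a mixin that explicitly admits String[] to the Spring Security Jackson allowlist, registered on the ObjectMapper that JdbcOAuth2AuthorizationService uses on both its read and write paths, so the allowlist stays in force instead of being bypassed with default typing. The mixin and config class names are my assumptions; the row mapper and parameters mapper setters are existing Spring Authorization Server API.

```java
import java.util.List;

import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.Module;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.jdbc.core.JdbcOperations;
import org.springframework.security.jackson2.SecurityJackson2Modules;
import org.springframework.security.oauth2.server.authorization.JdbcOAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.JdbcOAuth2AuthorizationService.OAuth2AuthorizationParametersMapper;
import org.springframework.security.oauth2.server.authorization.JdbcOAuth2AuthorizationService.OAuth2AuthorizationRowMapper;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.jackson2.OAuth2AuthorizationServerJackson2Module;

public final class AuthorizationServiceConfig {

    // Hypothetical mixin (not project code). AllowlistTypeIdResolver accepts a class
    // that has an explicitly registered mixin, so this admits String[] and nothing else.
    @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
    abstract static class StringArrayMixin {
    }

    public static ObjectMapper authorizationObjectMapper() {
        ObjectMapper mapper = new ObjectMapper();
        // Same module set that OAuth2AuthorizationRowMapper registers by default.
        ClassLoader classLoader = JdbcOAuth2AuthorizationService.class.getClassLoader();
        List<Module> securityModules = SecurityJackson2Modules.getModules(classLoader);
        mapper.registerModules(securityModules);
        mapper.registerModule(new OAuth2AuthorizationServerJackson2Module());
        // Narrow fix: keep the allowlist and do NOT call activateDefaultTyping(), which
        // would let any class name stored in the database be instantiated on read.
        mapper.addMixIn(String[].class, StringArrayMixin.class);
        return mapper;
    }

    public static JdbcOAuth2AuthorizationService authorizationService(
            JdbcOperations jdbcOperations, RegisteredClientRepository clients) {
        ObjectMapper mapper = authorizationObjectMapper();
        // Use the same mapper for writing rows and for reading them back.
        OAuth2AuthorizationRowMapper rowMapper = new OAuth2AuthorizationRowMapper(clients);
        rowMapper.setObjectMapper(mapper);
        OAuth2AuthorizationParametersMapper parametersMapper = new OAuth2AuthorizationParametersMapper();
        parametersMapper.setObjectMapper(mapper);
        JdbcOAuth2AuthorizationService service =
                new JdbcOAuth2AuthorizationService(jdbcOperations, clients);
        service.setAuthorizationRowMapper(rowMapper);
        service.setAuthorizationParametersMapper(parametersMapper);
        return service;
    }
}
```

Expose the returned service as the OAuth2AuthorizationService bean; rows written before the mixin was in place already carry the `[Ljava.lang.String;` type id shown in the trace, so they become readable without migration.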

@jgrandja jgrandja added this to the 1.2.6 milestone Jul 8, 2024
@MrJovanovic13
Contributor

Hi @jgrandja,

Since OP is not replying, could I work on this issue? Thanks!

@jgrandja
Collaborator

Yes, please @MrJovanovic13. Thank you.

MrJovanovic13 added a commit to MrJovanovic13/spring-authorization-server that referenced this issue Jul 22, 2024
@jgrandja jgrandja removed this from the 1.2.6 milestone Jul 31, 2024
@jgrandja jgrandja added the status: duplicate A duplicate of another issue label Jul 31, 2024