
Empty auth_code parameter results in 500 on /token #1671


Closed
aijazkeerio opened this issue Jul 12, 2024 · 3 comments
Assignees
Labels
status: duplicate A duplicate of another issue

Comments

@aijazkeerio
Contributor

aijazkeerio commented Jul 12, 2024

Describe the bug
Empty auth_code parameter results in 500 on /token
This is caused by https://github.com/spring-projects/spring-authorization-server/blob/main/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/CodeVerifierAuthenticator.java#L141

```java
	private static boolean authorizationCodeGrant(Map<String, Object> parameters) {
		// @formatter:off
		return AuthorizationGrantType.AUTHORIZATION_CODE.getValue().equals(
				parameters.get(OAuth2ParameterNames.GRANT_TYPE)) &&
				parameters.get(OAuth2ParameterNames.CODE) != null;
		// @formatter:on
	}
```

returns true even though code has no value.

To Reproduce
Create a request for /token and add the param code with no value (an empty string).

Expected behavior
Empty auth_code parameter results in 400 on /token

Sample
At the point of https://github.com/spring-projects/spring-authorization-server/blob/main/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/CodeVerifierAuthenticator.java#L141
it should check that the param has a value, for example:

```java
	private static boolean authorizationCodeGrant(Map<String, Object> parameters) {
		// @formatter:off
		return AuthorizationGrantType.AUTHORIZATION_CODE.getValue().equals(
				parameters.get(OAuth2ParameterNames.GRANT_TYPE)) &&
				parameters.get(OAuth2ParameterNames.CODE) != null &&
				!parameters.get(OAuth2ParameterNames.CODE).toString().isBlank();
		// @formatter:on
	}
```
@aijazkeerio aijazkeerio added the type: bug A general bug label Jul 12, 2024
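The following is an added, stand-alone example and not code from the issue or from spring-authorization-server. It runs the presence-only predicate quoted in the report next to the non-blank variant the report proposes, over a few constructed /token parameter maps (absent code, empty string, whitespace, and a real-looking value). The `GRANT_TYPE`, `CODE` and `AUTHORIZATION_CODE` constants stand in for `OAuth2ParameterNames` and `AuthorizationGrantType` so the class compiles without the project on the classpath; the `tokenRequest` helper and its sample values are assumptions made for the example.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/*
 * Added example, not the project's code. Contrasts the predicate quoted in
 * the report (presence check only) with a variant that also rejects blank
 * values. Constant names mirror the project's identifiers but are local
 * stand-ins here so the class is self-contained.
 */
public class CodeParamCheck {

	static final String GRANT_TYPE = "grant_type";
	static final String CODE = "code";
	static final String AUTHORIZATION_CODE = "authorization_code";

	// Predicate as quoted in the report: presence only, so "" and "   " pass.
	static boolean authorizationCodeGrantOriginal(Map<String, Object> parameters) {
		return AUTHORIZATION_CODE.equals(parameters.get(GRANT_TYPE))
				&& parameters.get(CODE) != null;
	}

	// Variant proposed in the report: the value must also be non-blank.
	static boolean authorizationCodeGrantHardened(Map<String, Object> parameters) {
		Object code = parameters.get(CODE);
		return AUTHORIZATION_CODE.equals(parameters.get(GRANT_TYPE))
				&& code != null
				&& !code.toString().isBlank();
	}

	// Constructed /token parameter map (assumed helper). A null argument means
	// the code parameter is omitted from the request entirely.
	static Map<String, Object> tokenRequest(Object code) {
		Map<String, Object> parameters = new LinkedHashMap<>();
		parameters.put(GRANT_TYPE, AUTHORIZATION_CODE);
		parameters.put("redirect_uri", "https://client.example/cb");
		parameters.put("code_verifier", "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk");
		if (code != null) {
			parameters.put(CODE, code);
		}
		return parameters;
	}

	public static void main(String[] args) {
		// Constructed samples: absent, empty, whitespace-only, and a plausible code.
		Object[] samples = { null, "", "   ", "SplxlOBeZQQYbYS6WxSbIA" };
		System.out.printf("%-28s %-9s %-9s%n", "code parameter", "original", "hardened");
		for (Object code : samples) {
			Map<String, Object> request = tokenRequest(code);
			String label = code == null ? "(absent)" : "\"" + code + "\"";
			System.out.printf("%-28s %-9b %-9b%n", label,
					authorizationCodeGrantOriginal(request),
					authorizationCodeGrantHardened(request));
		}
	}
}
```

Compile and run with `javac CodeParamCheck.java && java CodeParamCheck` (Java 11 or later for `String.isBlank()`). The table makes the report's point visible: the original predicate answers true for the empty and whitespace-only values, so the request is treated as an authorization_code grant even though there is no code to look up, while the hardened predicate answers true only for the non-blank value. Whitespace-only input is included because `isBlank()` catches it while a plain `isEmpty()` would not.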
@jgrandja
Collaborator

Thanks for reporting this @aijazkeerio. I've confirmed this is a bug.

Would you be interested in submitting a fix for this?

@jgrandja jgrandja self-assigned this Jul 16, 2024
@jgrandja jgrandja added this to the 1.2.6 milestone Jul 16, 2024
@aijazkeerio
Contributor Author

> Thanks for reporting this @aijazkeerio. I've confirmed this is a bug.
>
> Would you be interested in submitting a fix for this?

Thanks @jgrandja, yes I am. I will create a draft PR soon.

@jgrandja
Collaborator

jgrandja commented Aug 1, 2024

Closing in favour of gh-1680

@jgrandja jgrandja closed this as completed Aug 1, 2024
@jgrandja jgrandja added status: duplicate A duplicate of another issue and removed type: bug A general bug labels Aug 1, 2024
@jgrandja jgrandja removed this from the 1.2.6 milestone Aug 1, 2024