
JwtTimeStampValidator uses wrong error on token expiration #10319

Closed
jason076 opened this issue Sep 24, 2021 · 1 comment
Comments

@jason076
Contributor

Summary

I think the JwtTimeStampValidator uses the wrong error type when a token expires:

As listed in https://datatracker.ietf.org/doc/html/rfc6750#section-3.1 it should use INVALID_TOKEN error.

Actual Behavior

JwtTimeStampValidator uses INVALID_REQUEST error when a token expires

Expected Behavior

JwtTimeStampValidator should use INVALID_TOKEN error when a token expires

Version

5.5.2

Sample

spring-projects-issues added the status: waiting-for-triage label Sep 24, 2021
eleftherias added the in: oauth2 label and removed the status: waiting-for-triage label Sep 24, 2021
jzheaux added the type: bug label Sep 28, 2021
jzheaux added this to the 5.6.0-RC1 milestone Sep 28, 2021
jzheaux added a commit that referenced this issue Sep 28, 2021
spring-projects-issues added the status: backported label Sep 28, 2021
@jzheaux
Contributor

jzheaux commented Sep 28, 2021

Thanks for the report, @jason076. This has now been fixed in main and backported to 5.5.x.
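
A regression check for the behavior reported in this issue, added here as an example and not taken from the Spring Security code base or the fix commit: it runs the library's `JwtTimestampValidator` over a constructed, already-expired `Jwt` and fails unless the reported error code is `invalid_token`. It assumes `spring-security-oauth2-jose` is on the classpath; the class name `ExpiredJwtErrorCodeCheck` and its helper methods are hypothetical.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.List;
import java.util.stream.Collectors;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtTimestampValidator;

public class ExpiredJwtErrorCodeCheck {
    // HTTP status that RFC 6750 section 3.1 pairs with each bearer error code.
    static int suggestedStatus(String errorCode) {
        switch (errorCode) {
            case OAuth2ErrorCodes.INVALID_REQUEST:    return 400; // malformed request
            case OAuth2ErrorCodes.INVALID_TOKEN:      return 401; // expired, revoked, malformed token
            case OAuth2ErrorCodes.INSUFFICIENT_SCOPE: return 403; // token lacks required scope
            default: throw new IllegalArgumentException(errorCode);
        }
    }

    // Constructed sample token that expired one hour ago; only exp/nbf are inspected.
    static Jwt expiredJwt() {
        Instant now = Instant.now();
        return Jwt.withTokenValue("constructed-sample-token")
                .header("alg", "none")
                .issuedAt(now.minus(Duration.ofHours(2)))
                .expiresAt(now.minus(Duration.ofHours(1)))
                .build();
    }

    // Error codes the timestamp validator reports, with 60 seconds of clock skew.
    static List<String> errorCodes(Jwt jwt) {
        OAuth2TokenValidatorResult result =
                new JwtTimestampValidator(Duration.ofSeconds(60)).validate(jwt);
        return result.getErrors().stream()
                .map(OAuth2Error::getErrorCode)
                .collect(Collectors.toList());
    }

    public static void main(String[] args) {
        List<String> codes = errorCodes(expiredJwt());
        if (!codes.contains(OAuth2ErrorCodes.INVALID_TOKEN)) {
            throw new AssertionError("expired JWT reported as " + codes
                    + "; RFC 6750 section 3.1 expects invalid_token");
        }
        System.out.println(codes + " -> HTTP " + suggestedStatus(codes.get(0)));
    }
}
```

The distinction matters to clients: `invalid_request` signals a malformed request that should not be retried as-is, while `invalid_token` tells the client to obtain a new access token.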
