SpringOpaqueTokenIntrospector does not add scopes as granted authorities properly #15165


Closed
Veil opened this issue May 24, 2024 · 2 comments
Labels: in: oauth2 (An issue in OAuth2 modules: oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose), type: bug (A general bug)

Comments

@Veil

Veil commented May 24, 2024

Describe the bug
Since the introduction of the `authenticationConverter` in 6.3, the default implementation (`this::defaultAuthenticationConverter`) does not add found scopes as granted authorities as part of introspection, because the check `if (!(scopes instanceof ArrayListFromString))` on line 261 always returns false. By the time the scopes list reaches that point it has been converted into a normal `ArrayList` in `accessor.getScopes()` as part of the `getClaimAsStringList` default method (without customising the `ClaimConversionService`), so it fails the check above and an empty list is returned.

To Reproduce
Use the default implementation of SpringOpaqueTokenIntrospector without customisation of it or the ClaimConversionService used by the ClaimAccessor interface.

Expected behavior
Scopes are added correctly as "SCOPE_" granted authorities.

Sample

Not sure a sample is required here? This is the default behaviour.
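The type-check pitfall the report describes, as an added illustration that is not Spring Security's own code: a hypothetical `ArrayListFromString` marker subtype, a claim accessor that copies the claim into a plain `ArrayList` (as the report says `getClaimAsStringList` does), and a converter with the `instanceof` guard beside one that accepts any `List<String>`.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

// Hypothetical stand-in for the marker subtype the introspector produces when it
// splits a space-delimited "scope" string; not Spring's actual class.
class ArrayListFromString extends ArrayList<String> {
    ArrayListFromString(Collection<String> scopes) { super(scopes); }
}

public class ScopeAuthorityDemo {

    // Mimics getClaimAsStringList: the claim goes through a conversion step and
    // comes back as a plain ArrayList, so the marker subtype is lost.
    static List<String> getClaimAsStringList(Map<String, Object> claims, String name) {
        Object value = claims.get(name);
        if (value == null) return null;
        if (value instanceof Collection<?>) {
            return ((Collection<?>) value).stream().map(Object::toString)
                    .collect(Collectors.toCollection(ArrayList::new));
        }
        return List.of(value.toString());
    }

    // Guard pattern from the report: authorities are granted only while the list
    // is still the marker subtype, so the converted list yields nothing.
    static List<String> buggyAuthorities(Map<String, Object> claims) {
        List<String> scopes = getClaimAsStringList(claims, "scope");
        if (!(scopes instanceof ArrayListFromString)) return Collections.emptyList();
        return scopes.stream().map(s -> "SCOPE_" + s).collect(Collectors.toList());
    }

    // Corrected pattern: any non-null List<String> of scopes maps to SCOPE_ authorities.
    static List<String> fixedAuthorities(Map<String, Object> claims) {
        List<String> scopes = getClaimAsStringList(claims, "scope");
        if (scopes == null) return Collections.emptyList();
        return scopes.stream().map(s -> "SCOPE_" + s).collect(Collectors.toList());
    }

    public static void main(String[] args) {
        // Constructed introspection response with the scope claim already split.
        Map<String, Object> claims = new HashMap<>();
        claims.put("active", Boolean.TRUE);
        claims.put("scope", new ArrayListFromString(List.of("read", "write")));
        System.out.println("with instanceof guard: " + buggyAuthorities(claims));
        System.out.println("accepting any List:    " + fixedAuthorities(claims));
    }
}
```

Because the guard drops the authorities rather than inventing them, the regression surfaces as scope-based authorization checks denying, not as over-granting.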

@Veil Veil added the labels "status: waiting-for-triage" (An issue we've not yet triaged) and "type: bug" (A general bug) May 24, 2024
@jzheaux jzheaux self-assigned this May 28, 2024
@sjohnr sjohnr removed their assignment May 28, 2024
@jzheaux (Contributor)

jzheaux commented May 28, 2024

Thanks, @Veil, for the report. This is now fixed in main and will go out in the next snapshot.

@jzheaux jzheaux changed the title from "SpringOpaqueTokenIntrospector does not add scopes as granted authorities properly since 6.3.0" to "SpringOpaqueTokenIntrospector does not add scopes as granted authorities properly" May 28, 2024
@jzheaux jzheaux added this to the 6.3.1 milestone May 28, 2024
@jzheaux jzheaux added the label "in: oauth2" (An issue in OAuth2 modules: oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) and removed the label "status: waiting-for-triage" (An issue we've not yet triaged) May 28, 2024
@Veil (Author)

Veil commented May 28, 2024

@jzheaux awesome. For personal curiosity, what's the thinking behind not supporting any other List implementation in the defaultAuthenticationConverter? It doesn't look like we're doing anything special with that type?

3 participants