Skip to content

ServerBearerTokenAuthenticationConverter validates parameters when not enabled #16038

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
sjohnr opened this issue Nov 4, 2024 · 1 comment
Closed

ServerBearerTokenAuthenticationConverter validates parameters when not enabled #16038

sjohnr opened this issue Nov 4, 2024 · 1 comment
Assignees
@jonah1und1
Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) status: duplicate A duplicate of another issue type: bug A general bug
Milestone
6.3.9

Comments

@sjohnr
Copy link
Member

sjohnr commented Nov 4, 2024
edited
Loading

ServerBearerTokenAuthenticationConverter validates the query parameter access_token when allowUriQueryParameter is false. The spec states that

Resource servers MAY support this method.

for query string parameters, but does not indicate in the Error Codes section that the access_token parameter MUST be validated if the server doesn't support that particular method for resolving the token.

Note: This also applies to DefaultBearerTokenResolver, and includes when allowFormEncodedBodyParameter is set to false.
@sjohnr sjohnr added type: bug A general bug in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) labels Nov 4, 2024
@sjohnr sjohnr added this to the 6.2.x milestone Nov 4, 2024
@sjohnr sjohnr self-assigned this Nov 4, 2024
@sjohnr sjohnr mentioned this issue Nov 4, 2024
Closed
@sjohnr sjohnr changed the title ServerBearerTokenAuthenticationConverter validates query param when allowUriQueryParameter is false ServerBearerTokenAuthenticationConverter validates parameters when not enabled Nov 4, 2024
jonah1und1 added a commit to jonah1und1/spring-security that referenced this issue Nov 5, 2024
@jonah1und1
Evaluate URI query parameter only if enabled in reactive stack
f0a8173 
Issue spring-projectsgh-16038
jonah1und1 added a commit to jonah1und1/spring-security that referenced this issue Nov 5, 2024
@jonah1und1
Evaluate parameter access token only if enabled in servlet stack
80fd041 
Issue spring-projectsgh-16038
@jonah1und1 jonah1und1 mentioned this issue Nov 5, 2024
Closed
@jonah1und1
Copy link
Contributor

I created a PR for this, please feel free to review it.

jonah1und1 added a commit to jonah1und1/spring-security that referenced this issue Nov 5, 2024
@jonah1und1
Merge branch 'main' into spring-projectsgh-16038
0aa03fc 
# Conflicts:
#	oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/DefaultBearerTokenResolver.java
#	oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/server/authentication/ServerBearerTokenAuthenticationConverter.java
#	oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/DefaultBearerTokenResolverTests.java
jonah1und1 added a commit to jonah1und1/spring-security that referenced this issue Nov 5, 2024
@jonah1und1
comply with formatting rules
dd7d303 
spring-projectsgh-16038
@sjohnr sjohnr assigned jonah1und1 and unassigned sjohnr Nov 5, 2024
jonah1und1 added a commit to jonah1und1/spring-security that referenced this issue Nov 6, 2024
@jonah1und1
these lines can be omitted since they are the default
cbd6613 
spring-projectsgh-16038
jonah1und1 added a commit to jonah1und1/spring-security that referenced this issue Nov 6, 2024
@jonah1und1
add test case with 2 query parameters and support disabled
b6c49b5 
spring-projectsgh-16038
jonah1und1 added a commit to jonah1und1/spring-security that referenced this issue Nov 6, 2024
@jonah1und1
remove redundant test case [same as resolveWhenQueryParameterIsPresen…
ac39cf7 
…tAndNotSupportedThenTokenIsNotResolved()]

spring-projectsgh-16038
jonah1und1 added a commit to jonah1und1/spring-security that referenced this issue Nov 6, 2024
@jonah1und1
reformat
b9ae6ef 
spring-projectsgh-16038
jonah1und1 added a commit to jonah1und1/spring-security that referenced this issue Nov 6, 2024
@jonah1und1
fix failing tests
94c0e34 
spring-projectsgh-16038
@sjohnr sjohnr modified the milestones: 6.2.x, 6.3.9 Apr 7, 2025
@sjohnr sjohnr mentioned this issue Apr 7, 2025
Closed
@sjohnr sjohnr added the status: duplicate A duplicate of another issue label Apr 7, 2025
sjohnr pushed a commit that referenced this issue Apr 7, 2025
@jonah1und1 @sjohnr
Evaluate URI query parameter only if enabled
da94fbe 
Issue gh-16038
@sjohnr sjohnr closed this as completed in 3c0fef5 Apr 7, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jonah1und1 jonah1und1

Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) status: duplicate A duplicate of another issue type: bug A general bug
Projects
None yet
Milestone
6.3.9
Development

No branches or pull requests
2 participants
@sjohnr @jonah1und1