
Improve ClaimAccessor getClaimAsInstant #5250

Closed
jzheaux opened this issue Apr 20, 2018 · 2 comments
Labels: in: oauth2 (An issue in OAuth2 modules: oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose); type: enhancement (A general enhancement)

jzheaux commented Apr 20, 2018

Summary

ClaimAccessor#getClaimAsInstant attempts to coerce a claim into an Instant, so long as it is of type Long, Date, or Instant.

Actual Behavior

ClaimAccessor#getClaimAsInstant fails when the claim is of type Integer.

Expected Behavior

ClaimAccessor#getClaimAsInstant should be resilient to all whole-number data types, but at least those that extend from Number.

Version

5.1.0.BUILD-SNAPSHOT

@jzheaux jzheaux added type: enhancement A general enhancement JWT-JOSE labels Apr 20, 2018
@jgrandja jgrandja added this to the 5.1.0.M1 milestone Apr 20, 2018
@jgrandja jgrandja assigned jgrandja and jzheaux and unassigned jgrandja Apr 20, 2018
@jgrandja jgrandja assigned jgrandja and unassigned jzheaux May 4, 2018
YuchangLi added a commit to YuchangLi/spring-security that referenced this issue May 4, 2018
* Update GAE 1.9.63

Fixes: spring-projectsgh-5277

* Update Spring Boot 2.0.1.RELEASE

Fixes: spring-projectsgh-5278

# Conflicts:
#	gradle.properties

* Update to nimbus-jose-jwt:5.10

Fixes: spring-projectsgh-5279

* Update to oauth2-oidc-sdk:5.61

Fixes: spring-projectsgh-5280

* Update to javax.servlet-api:4.0.1

Fixes: spring-projectsgh-5281

* Update to aspectj 1.9.1

Fixes: spring-projectsgh-5282

* Update to htmlunit:2.30

Fixes: spring-projectsgh-5283

* Update to mockito-core:2.18.3

Fixes: spring-projectsgh-5284

* Update to selenium 3.11.0

Fixes: spring-projectsgh-5289

* Update to Spring Framework 5.0.6.BUILD-SNAPSHOT

Issue: spring-projectsgh-5290

# Conflicts:
#	gradle/dependency-management.gradle

* Add update-dependencies.sh

Fixes: spring-projectsgh-5276

* Improve PasswordEncoder deprecated notices

Fixes: spring-projectsgh-5296

* NimbusUserInfoResponseClient sets Accept header to JSON

Fixes spring-projectsgh-5294

* Add test NimbusUserInfoResponseClient sets Accept header to JSON

Issue spring-projectsgh-5294

* Improve ClaimAccessor getClaimAsInstant

Fixes spring-projectsgh-5250

* Fix incorrect explanation for customizing query on JdbcDaoImpl
@sirianni

I'm getting a similar error when the claim's value is a java.lang.String. Using the auth0 API, updated_at is returned as 2018-06-12T01:35:40.304Z. Even though this is a valid ISO date, it is getting stored as a java.lang.String in the underlying claims map from the JWT, which ultimately results in the IllegalArgumentException. I'm not sure why getClaimAsInstant is assuming that the JWT library would have the intelligence to parse Strings into Dates - it doesn't attach any semantics to the fields.

java.lang.IllegalArgumentException: Unable to convert claim 'updated_at' of type 'class java.lang.String' to Instant.
	at org.springframework.security.oauth2.core.ClaimAccessor.getClaimAsInstant(ClaimAccessor.java:96)
	at org.springframework.security.oauth2.core.oidc.StandardClaimAccessor.getUpdatedAt(StandardClaimAccessor.java:218)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)

@jgrandja

@sirianni As per the spec, in 5.1. Standard Claims:

updated_at | number | Time the End-User's information was last updated. Its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time.

Looks like auth0 is not storing it as a number as expected, hence the error. You can always use getClaimAsString(StandardClaimNames.UPDATED_AT) to avoid the error.
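The two failure modes discussed in this thread (an Integer exp/iat from the JSON parser, and auth0's updated_at arriving as an ISO-8601 String) are easiest to see side by side in code. The following is an added example and not Spring Security's ClaimAccessor: the class name NumericDateClaims, the helper fromNumericDate and the sample claims map are all made up here; only the method names getClaimAsInstant and getClaimAsString mirror the real accessor. It accepts every java.lang.Number subtype (the enhancement this issue asks for), keeps fractional NumericDate seconds as RFC 7519 allows, and still rejects a String loudly, since a time claim that is silently mis-parsed is exactly how an expiry check ends up trusting the wrong instant.

```java
import java.math.BigDecimal;
import java.math.RoundingMode;
import java.time.Instant;
import java.util.Date;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example (not Spring Security code): a claim accessor whose
 * getClaimAsInstant() tolerates any java.lang.Number, not only Long,
 * so an Integer "exp" handed back by a JSON parser no longer fails.
 */
public final class NumericDateClaims {

    private final Map<String, Object> claims;

    public NumericDateClaims(Map<String, Object> claims) {
        this.claims = claims;
    }

    public String getClaimAsString(String name) {
        Object value = claims.get(name);
        return value == null ? null : value.toString();
    }

    /**
     * Coerces a NumericDate claim (RFC 7519 section 2: seconds since the Unix
     * epoch, fractions permitted) to an Instant. Accepts Instant, Date and any
     * Number subtype; anything else is rejected with a clear error rather
     * than guessed at.
     */
    public Instant getClaimAsInstant(String name) {
        Object value = claims.get(name);
        if (value == null) {
            return null;
        }
        if (value instanceof Instant) {
            return (Instant) value;
        }
        if (value instanceof Date) {
            return ((Date) value).toInstant();
        }
        if (value instanceof Number) {
            try {
                return fromNumericDate((Number) value);
            } catch (NumberFormatException | ArithmeticException e) {
                // e.g. Double NaN/Infinity or a value outside the long range
                throw new IllegalArgumentException(
                        "Claim '" + name + "' is not a valid NumericDate: " + value, e);
            }
        }
        throw new IllegalArgumentException("Unable to convert claim '" + name
                + "' of type '" + value.getClass() + "' to Instant.");
    }

    /** Integer, Long, BigInteger, Double and BigDecimal all flow through here. */
    static Instant fromNumericDate(Number number) {
        // Go via BigDecimal: integral types stay exact, and Double/BigDecimal
        // keep their fractional seconds, which become the nano adjustment.
        BigDecimal seconds = new BigDecimal(number.toString());
        long whole = seconds.setScale(0, RoundingMode.FLOOR).longValueExact();
        long nanos = seconds.subtract(BigDecimal.valueOf(whole))
                .movePointRight(9).longValue();
        return Instant.ofEpochSecond(whole, nanos);
    }

    public static void main(String[] args) {
        // Constructed sample claims, shaped like what a JSON parser returns:
        // small numbers as Integer (the case in this issue), large ones as
        // Long, fractional ones as Double, and auth0's updated_at as a String.
        Map<String, Object> claims = new LinkedHashMap<>();
        claims.put("exp", 1524182400);            // Integer
        claims.put("iat", 1524178800L);           // Long
        claims.put("auth_time", 1524178800.25);   // Double, fractional NumericDate
        claims.put("updated_at", "2018-06-12T01:35:40.304Z");

        NumericDateClaims accessor = new NumericDateClaims(claims);
        System.out.println("exp       = " + accessor.getClaimAsInstant("exp"));
        System.out.println("iat       = " + accessor.getClaimAsInstant("iat"));
        System.out.println("auth_time = " + accessor.getClaimAsInstant("auth_time"));

        // The String is still rejected: the spec says updated_at is a number.
        // An application that knows its provider emits ISO-8601 can opt in
        // explicitly via getClaimAsString, as suggested above.
        try {
            accessor.getClaimAsInstant("updated_at");
        } catch (IllegalArgumentException e) {
            System.out.println("updated_at rejected: " + e.getMessage());
            Instant parsed = Instant.parse(accessor.getClaimAsString("updated_at"));
            System.out.println("updated_at (parsed by the application) = " + parsed);
        }
    }
}
```

The deliberate choice is to widen only the Number branch: that fixes the Integer case without teaching the accessor to parse arbitrary strings for exp, nbf or iat, where leniency would let a token with a malformed time claim slip past validation.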

@rwinch rwinch added the in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) label May 3, 2019