Support JwtValidationException on JwtReactiveAuthenticationManager #6823


Closed
botcoder opened this issue Apr 29, 2019 · 1 comment
@botcoder

Summary

JwtReactiveAuthenticationManager returns a BearerTokenError, regardless of the OAuth2Error returned by a JwtValidationException.

Actual Behavior

private OAuth2AuthenticationException onError(JwtException e) {
	OAuth2Error invalidRequest = invalidToken(e.getMessage());
	return new OAuth2AuthenticationException(invalidRequest, e.getMessage());
}

Expected Behavior

line 78:
OAuth2Error invalidRequest = e instanceof JwtValidationException ? ((JwtValidationException) e).getErrors().iterator().next() : invalidToken(e.getMessage());

Configuration

Using @EnableWebFluxSecurity and the default ReactiveAuthenticationManager (see sample for details)

Version

spring-security-oauth2-resource-server-5.1.5.RELEASE

Sample

Any application using oauth2resourceserver-webflux default configuration, when receiving an expired JWT, will return a generic BearerTokenError as defined on JwtReactiveAuthenticationManager.

@jzheaux jzheaux self-assigned this Apr 30, 2019
@jzheaux jzheaux added the in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) label Apr 30, 2019

jzheaux commented May 1, 2019

@botcoder Good analysis; I agree that this should be improved.

Since there is nothing in the specification that indicates how to handle multiple error messages, and we don't want to lose the other errors if there are multiple, we'd probably want to instead make sure the entire JwtException gets propagated, like it does on the servlet side:

OAuth2Error invalidToken = invalidToken(e.getMessage());
throw new OAuth2AuthenticationException(invalidToken, invalidToken.getDescription(), e);

This way, you can still get access to all the errors when you need them:

http
    .oauth2ResourceServer()
        .authenticationEntryPoint((exchange, ex) -> {
            if (ex.getCause() instanceof JwtValidationException) {
                // render all the errors
            }
        });

Would you be interested in submitting a PR that updates JwtReactiveAuthenticationManager to propagate the entire exception and not just its message?
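The entry point sketched in the comment above, written out as an added example (not code from Spring Security or from this thread): once the manager propagates the `JwtException` as the cause, a `ServerAuthenticationEntryPoint` can report every `OAuth2Error` from a `JwtValidationException` instead of only the first one. The class name `AllErrorsEntryPoint` and the helper names are assumptions.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.stream.Collectors;

import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.jwt.JwtValidationException;
import org.springframework.security.web.server.ServerAuthenticationEntryPoint;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

// Hypothetical entry point (not part of Spring Security): reports every
// validation error once the manager propagates the JwtException as the cause.
public class AllErrorsEntryPoint implements ServerAuthenticationEntryPoint {

    // Collect every OAuth2Error behind the failure. Only a JwtValidationException
    // carries several; any other failure yields a single generic invalid_token.
    static List<OAuth2Error> errorsOf(AuthenticationException ex) {
        Throwable cause = ex.getCause();
        if (cause instanceof JwtValidationException) {
            return new ArrayList<>(((JwtValidationException) cause).getErrors());
        }
        List<OAuth2Error> single = new ArrayList<>();
        single.add(new OAuth2Error("invalid_token", ex.getMessage(), null));
        return single;
    }

    // Build the challenge value: one error code, all descriptions joined, so a
    // token that is both expired and from the wrong issuer reports both reasons.
    static String challenge(List<OAuth2Error> errors) {
        String descriptions = errors.stream()
                .map(OAuth2Error::getDescription)
                .collect(Collectors.joining("; "));
        // Replace double quotes so the header parameter stays well-formed.
        return "Bearer error=\"invalid_token\", error_description=\""
                + descriptions.replace("\"", "'") + "\"";
    }

    @Override
    public Mono<Void> commence(ServerWebExchange exchange, AuthenticationException ex) {
        exchange.getResponse().setStatusCode(HttpStatus.UNAUTHORIZED);
        exchange.getResponse().getHeaders()
                .set(HttpHeaders.WWW_AUTHENTICATE, challenge(errorsOf(ex)));
        return exchange.getResponse().setComplete();
    }
}
```

Register it with `http.oauth2ResourceServer().authenticationEntryPoint(new AllErrorsEntryPoint())`, as in the snippet above; with the original `onError` (message only, no cause) `errorsOf` always falls back to the single generic error.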

@jzheaux jzheaux added the type: enhancement A general enhancement label May 1, 2019
@jzheaux jzheaux added this to the 5.2.0.M3 milestone May 7, 2019
@jzheaux jzheaux closed this as completed in 047bd16 May 9, 2019