
WebClientReactiveClientCredentialsTokenResponseClient should not set Authorization header when ClientAuthenticationMethod.POST #6911


Closed
aaronjwhiteside opened this issue May 28, 2019 · 1 comment
Assignees
Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) status: backported An issue that has been backported to maintenance branches type: bug A general bug
Milestone

Comments

@aaronjwhiteside

Summary

WebClientReactiveClientCredentialsTokenResponseClient always sets an Authorization header for basic auth even if the ClientAuthenticationMethod is POST.

Actual Behavior

ClientRegistration.withRegistrationId("xxxx")
     .clientAuthenticationMethod(ClientAuthenticationMethod.POST)
     // etc...

Results in a request being made to the tokenUri with Basic XXXX in the Authorization header.

Expected Behavior

There should be no Authorization header set at all, the client id and client secret should only be in the POST body.

Version

5.1.5.RELEASE

Looking at the code in WebClientReactiveClientCredentialsTokenResponseClient, it's obviously what the cause is:

	private Consumer<HttpHeaders> headers(ClientRegistration clientRegistration) {
		return headers -> {
			headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
			// unconditional call: sets Basic auth regardless of the configured method
			headers.setBasicAuth(clientRegistration.getClientId(), clientRegistration.getClientSecret());
			if (ClientAuthenticationMethod.BASIC.equals(clientRegistration.getClientAuthenticationMethod())) {
				headers.setBasicAuth(clientRegistration.getClientId(), clientRegistration.getClientSecret());
			}
		};
	}

Looks like someone forgot to remove the first call to headers.setBasicAuth() when adding the check for ClientAuthenticationMethod == BASIC...
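The corrected header builder beside a body builder that carries the credentials only for POST, plus a check that the secret is sent in exactly one place. This is an added example, not the project's fix; the class name, the `body` helper, the `credentialsPlacedOnce` check and the sample registration values are assumptions.

```java
import java.util.function.Consumer;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
public class TokenRequestAuthCheck {
    // Corrected header builder: Basic auth is set only for the BASIC method.
    static Consumer<HttpHeaders> headers(ClientRegistration reg) {
        return h -> {
            h.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
            if (ClientAuthenticationMethod.BASIC.equals(reg.getClientAuthenticationMethod())) {
                h.setBasicAuth(reg.getClientId(), reg.getClientSecret());
            }
        };
    }
    // Form body (assumed helper): credentials travel here only for the POST method.
    static MultiValueMap<String, String> body(ClientRegistration reg) {
        MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
        form.add("grant_type", reg.getAuthorizationGrantType().getValue());
        if (ClientAuthenticationMethod.POST.equals(reg.getClientAuthenticationMethod())) {
            form.add("client_id", reg.getClientId());
            form.add("client_secret", reg.getClientSecret());
        }
        return form;
    }
    // True when the secret is sent in exactly one place (header xor body).
    static boolean credentialsPlacedOnce(ClientRegistration reg) {
        HttpHeaders h = new HttpHeaders();
        headers(reg).accept(h);
        boolean inHeader = h.containsKey(HttpHeaders.AUTHORIZATION);
        boolean inBody = body(reg).containsKey("client_secret");
        return inHeader != inBody;
    }
    public static void main(String[] args) {
        for (ClientAuthenticationMethod m : new ClientAuthenticationMethod[] {
                ClientAuthenticationMethod.BASIC, ClientAuthenticationMethod.POST}) {
            // Constructed sample registration; URI and credentials are placeholders.
            ClientRegistration reg = ClientRegistration.withRegistrationId("sample")
                    .clientId("client-id").clientSecret("client-secret")
                    .clientAuthenticationMethod(m)
                    .authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
                    .tokenUri("https://auth.example/oauth2/token").build();
            System.out.println(m.getValue() + " placed once: " + credentialsPlacedOnce(reg));
        }
    }
}
```

Running the same check against the original `headers(...)` above would report `false` for POST, since the secret would then appear in both the Authorization header and the form body.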

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label May 28, 2019
@aaronjwhiteside aaronjwhiteside changed the title WebClientReactiveClientCredentialsTokenResponseClient always sets an Authorization header for basic auth even if the ClientAuthenticationMethod is POST. WebClientReactiveClientCredentialsTokenResponseClient always sets an Authorization header even if the ClientAuthenticationMethod is POST May 28, 2019
@jgrandja jgrandja changed the title WebClientReactiveClientCredentialsTokenResponseClient always sets an Authorization header even if the ClientAuthenticationMethod is POST WebClientReactiveClientCredentialsTokenResponseClient should not set Authorization header when ClientAuthenticationMethod.POST May 31, 2019
@jgrandja jgrandja self-assigned this May 31, 2019
@jgrandja jgrandja added in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) type: bug A general bug and removed status: waiting-for-triage An issue we've not yet triaged labels May 31, 2019
@jgrandja jgrandja added this to the 5.2.0.M3 milestone May 31, 2019
@spring-projects-issues spring-projects-issues added status: backported An issue that has been backported to maintenance branches and removed for: backport-to-5.1.x labels May 31, 2019
@jgrandja (Contributor)

Thanks for the report @aaronjwhiteside. The fix has been applied and pushed to master.

jgrandja added a commit that referenced this issue May 31, 2019