
Resolved bearer token has no padding indicators #8502


Closed
santhosh-hmcts opened this issue May 8, 2020 · 2 comments
Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) status: backported An issue that has been backported to maintenance branches type: bug A general bug
Comments

@santhosh-hmcts

santhosh-hmcts commented May 8, 2020

Describe the bug
DefaultBearerTokenResolver.resolve is returning the bearer token while ignoring padding indicators (=). An example of a bearer token obtained from the auth server is 'A66dXefVMHSGWBrUA5Iw='.
Due to this, the auth server token validation request is failing with InvalidTokenException (as it's not able to load the resolved token (without the = char) from its database).

To Reproduce
Obtain an opaque token from the auth server endpoint /oauth/token and supply this token to a resource server that has been configured with the beans below, which resolve the bearer token and validate it with the auth server.

Resource server bean configuration:

import org.springframework.context.annotation.Bean;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.oauth2.server.resource.authentication.OpaqueTokenAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.introspection.NimbusOpaqueTokenIntrospector;
import org.springframework.security.oauth2.server.resource.web.BearerTokenResolver;
import org.springframework.security.oauth2.server.resource.web.DefaultBearerTokenResolver;

// Resolves the bearer token from the Authorization header of incoming requests
@Bean
BearerTokenResolver bearerTokenResolver() {
    return new DefaultBearerTokenResolver();
}

// Validates the resolved opaque token against the auth server's check-token endpoint
@Bean
AuthenticationProvider authProvider() {
    var introspector = new NimbusOpaqueTokenIntrospector("auth-server-check-token-endpoint", "client-id", "client-secret");
    return new OpaqueTokenAuthenticationProvider(introspector);
}

Resource server version info:
org.springframework.security:spring-security-oauth2-resource-server:5.2.2.RELEASE

Auth server version info:
org.springframework.security.oauth:spring-security-oauth2:2.4.1.RELEASE

Expected behavior
DefaultBearerTokenResolver.resolve() should return the same token that was supplied in the header after validating it.

@santhosh-hmcts santhosh-hmcts added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels May 8, 2020
@santhosh-hmcts santhosh-hmcts changed the title Resolving bearer token is ignoring '=' character Resolved bearer token has no padding indicators May 8, 2020
@jgrandja jgrandja assigned jzheaux and unassigned jgrandja May 19, 2020
@jzheaux jzheaux added in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) and removed status: waiting-for-triage An issue we've not yet triaged labels May 19, 2020
@jzheaux jzheaux added this to the 5.4.0-M2 milestone May 19, 2020
@jzheaux
Contributor

jzheaux commented May 21, 2020

@vpavic can you confirm whether or not it was intentional to leave the = signs out of the capture?

It appears that = is part of the definition:

 b64token    = 1*( ALPHA / DIGIT /
                   "-" / "." / "_" / "~" / "+" / "/" ) *"="
 credentials = "Bearer" 1*SP b64token
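As an added illustration (not code from Spring Security or from anyone in this thread) of why the placement of `*"="` matters: a resolver whose regex leaves the padding outside the capture group returns a truncated token, while one that follows the b64token grammar returns the header value unchanged, which is what the introspection endpoint needs. Both patterns and the header values are constructed for this example; the first is only assumed to mirror the behaviour reported above.

```python
import re
from typing import Optional

# Constructed pattern: "=*" sits OUTSIDE the named group, so the header still
# matches but the returned token has its padding stripped (the reported symptom).
DROPS_PADDING = re.compile(r"^Bearer +(?P<token>[A-Za-z0-9\-._~+/]+)=*$", re.IGNORECASE)

# Pattern following RFC 6750:
#   b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
# The padding is INSIDE the group, so the token is returned exactly as sent.
KEEPS_PADDING = re.compile(r"^Bearer +(?P<token>[A-Za-z0-9\-._~+/]+=*)$", re.IGNORECASE)


def resolve(authorization: Optional[str], pattern: re.Pattern = KEEPS_PADDING) -> Optional[str]:
    """Return the bearer token from an Authorization header value, or None if
    the header is absent or is not a syntactically valid Bearer credential."""
    if authorization is None:
        return None
    match = pattern.match(authorization)
    return match.group("token") if match else None


def padding_lost(authorization: str) -> str:
    """Show what a resolver with the first pattern silently discards: the
    difference between the grammar-conformant token and the truncated one."""
    full = resolve(authorization, KEEPS_PADDING) or ""
    truncated = resolve(authorization, DROPS_PADDING) or ""
    return full[len(truncated):]


if __name__ == "__main__":
    header = "Bearer A66dXefVMHSGWBrUA5Iw="  # token value quoted in the issue
    print("truncated:", resolve(header, DROPS_PADDING))
    print("exact    :", resolve(header, KEEPS_PADDING))
    print("lost     :", repr(padding_lost(header)))
```

A resource server should compare the exact resolved value with what it forwards to the introspection endpoint; any difference means the resolver, not the auth server, is rewriting the credential.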

@vpavic
Contributor

vpavic commented Jun 19, 2020

Sorry for the late follow-up - I don't recall any specific intent around that.

@jzheaux jzheaux modified the milestones: 5.4.0-M2, 5.4.0-RC1 Jul 1, 2020
jzheaux added a commit that referenced this issue Jul 16, 2020
@spring-projects-issues spring-projects-issues added the status: backported An issue that has been backported to maintenance branches label Jul 16, 2020