Skip to content

Misleading manifestation of error condition #9395

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
kabennett opened this issue Feb 1, 2021 · 2 comments
Closed

Misleading manifestation of error condition #9395

kabennett opened this issue Feb 1, 2021 · 2 comments
Assignees
@jzheaux
Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) type: enhancement A general enhancement
Milestone
5.5.0-M2

Comments

@kabennett
Copy link

Expected Behavior

I would expect a 5xx series HTTP response after encountering the stack trace below.

Current Behavior

Instead, the stack trace below manifests itself as a 401 HTTP response.

Context
pom.xml

<dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
      <version>2.3.8.RELEASE</version>
</dependency>

stack trace snippet

DEBUG | org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationFilter | Authentication request for failed!
org.springframework.security.authentication.AuthenticationServiceException: An error occurred while attempting to decode the Jwt: Couldn't retrieve remote JWK set: org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://identity.acme.com/auth/realms/acme-app/protocol/openid-connect/certs": No subject alternative DNS name matching identity.acme.com found.; nested exception is javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching identity.acme.com found.
at org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider.authenticate(JwtAuthenticationProvider.java:88)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:199)
at org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationFilter.doFilterInternal(BearerTokenAuthenticationFilter.java:124)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)

In this case, our Resource Server encounters a problem connecting to the Authorization Server, so from the perspective of the Resource Server trying to connect to the Authorization Server, I would expect this condition to result in a 5xx HTTP status to indicate to the client who sent the JWT to the Resource Server that there is a problem on the server side and not with the JWT itself.
@kabennett kabennett added status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels Feb 1, 2021
@jzheaux
Copy link
Contributor

jzheaux commented Feb 2, 2021

Thanks for the report, @kabennett.

Spring Security's authentication filters handle all authentication failures the same by default. You can change this behavior for Resource Server by registering a custom authentication entry point, which you can base off of the defaults like so:

@Bean 
AuthenticationEntryPoint entryPoint() {
    AuthenticationEntryPoint bearer = new BearerTokenAuthenticationEntryPoint();
    return (request, response, exception) -> {
        if (exception instanceof AuthenticationServiceException) {
            throw exception;
        }
        bearer.commence(request, response, exception);
    };
}

// ...

http
    .oauth2ResourceServer((oauth2) -> oauth2
        .authenticationEntryPoint(entryPoint)
    );

This works because Resource Server throws an InvalidBearerTokenException when it's the client's fault and AuthenticationServiceException when it's the server's fault.

@jzheaux jzheaux closed this as completed Feb 2, 2021
@jzheaux jzheaux added status: declined A suggestion or change that we don't feel we should currently apply and removed status: waiting-for-triage An issue we've not yet triaged status: declined A suggestion or change that we don't feel we should currently apply labels Feb 2, 2021
@jzheaux jzheaux reopened this Feb 2, 2021
@jzheaux jzheaux added in: core An issue in spring-security-core in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) and removed in: core An issue in spring-security-core labels Feb 10, 2021
@jzheaux
Copy link
Contributor

jzheaux commented Feb 10, 2021

Thanks again for reporting this, @kabennett. I've added #9429 as a related ticket.

@jzheaux jzheaux added this to the 5.5.0-M2 milestone Feb 10, 2021
@nenaraab nenaraab mentioned this issue Jun 15, 2021
Merged
@jzheaux jzheaux mentioned this issue Feb 9, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jzheaux jzheaux

Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) type: enhancement A general enhancement
Projects
None yet
Milestone
5.5.0-M2
Development

No branches or pull requests
2 participants
@jzheaux @kabennett