Conditionally resolve bearer token from request parameters #10340
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
spring-projects-issues
added
the
status: waiting-for-triage
sjohnr
added
in: oauth2
sjohnr
suggested changes
Oct 5, 2021
There was a problem hiding this comment.
Greetings, @pneuschwander! Great start to this PR, thanks for working on it!
I was thinking I wouldn't have too many comments, but because of the number of tests (wonderful problem to have), I found a few extra things for you to think about. Sorry about the flood of comments! (It's not an indication that there's anything wrong.) See below comments inline, including a fairly lengthy discussion on a suggestion I have.
Lastly, would you mind adding // gh-10326 above each new unit test that is added in this PR?
Thanks!
...g/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurerTests.java
Outdated
Show resolved
Hide resolved
...g/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurerTests.java
Outdated
Show resolved
Hide resolved
...java/org/springframework/security/oauth2/server/resource/web/DefaultBearerTokenResolver.java
Show resolved
Hide resolved
...g/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurerTests.java
Outdated
Show resolved
Hide resolved
.../org/springframework/security/config/http/OAuth2ResourceServerBeanDefinitionParserTests.java
Outdated
Show resolved
Hide resolved
...org/springframework/security/oauth2/server/resource/web/DefaultBearerTokenResolverTests.java
Outdated
Show resolved
Hide resolved
...ecurity/oauth2/server/resource/web/server/ServerBearerTokenAuthenticationConverterTests.java
Outdated
Show resolved
Hide resolved
...ecurity/oauth2/server/resource/web/server/ServerBearerTokenAuthenticationConverterTests.java
Outdated
Show resolved
Hide resolved
...ecurity/oauth2/server/resource/web/server/ServerBearerTokenAuthenticationConverterTests.java
Outdated
Show resolved
Hide resolved
...ecurity/oauth2/server/resource/web/server/ServerBearerTokenAuthenticationConverterTests.java
Outdated
Show resolved
Hide resolved
pneuschwander
force-pushed
the
gh-10326
branch
from
7a8cfb3 to
29aaa1d
Compare
|
@sjohnr Thank you for your feedback. I modified the PR accordingly. Could you please review the changes and let me know whether there is more that should be done before we can merge? 🙂 |
sjohnr
reviewed
Oct 11, 2021
There was a problem hiding this comment.
Thanks for the changes, @pneuschwander. I have one additional comment below for discussion.
...ork/security/oauth2/server/resource/web/server/ServerBearerTokenAuthenticationConverter.java
Outdated
Show resolved
Hide resolved
pneuschwander
force-pushed
the
gh-10326
branch
from
29aaa1d to
8b97353
Compare
Before this commit, the DefaultBearerTokenResolver unconditionally resolved the request parameters to check whether multiple tokens are present in the request and reject those requests as invalid. This commit changes this behaviour to resolve the request parameters only if parameter token is supported for the specific request according to spec (RFC 6750). Closes spring-projectsgh-10326
pneuschwander
force-pushed
the
gh-10326
branch
from
8b97353 to
156f71f
Compare
sjohnr
added
the
type: breaks-passivity
sjohnr
approved these changes
Oct 13, 2021
|
Thanks @pneuschwander, this is now in main. Also, congrats on your first contribution! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What this pull request changes
Before this commit, the
DefaultBearerTokenResolverunconditionallyresolved the request parameters to check whether multiple tokens
are present in the request and reject those requests as invalid.
This commit changes this behaviour to resolve the request parameters
only if parameter token is supported for the specific request
according to spec (RFC 6750).
Why this change is proposed
gh-10326 describes the impact of resolving the request parameters for large requests.
Resolving the request parameters conditionally as proposed by this pull request should solve the issue.
Notes
As this is my first contribution, please double check and feel free to provide feedback.
Closes gh-10326