Skip to content

gh-8589 Additional Jwt validation debug messages #8665

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 7 commits into from
Closed

gh-8589 Additional Jwt validation debug messages #8665

wants to merge 7 commits into from

Conversation

Budlee
Copy link
Contributor

@Budlee Budlee commented Jun 8, 2020

Adding extra logging for JWT Validation
#8589

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Jun 8, 2020
jzheaux
jzheaux reviewed Jun 9, 2020
View reviewed changes
Copy link
Contributor

@jzheaux jzheaux left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, @Budlee! Before I review, can you tell me what this PR gives you that printing the stack trace in AuthenticationWebFilter would not give you? The reason I ask is that logging the stack trace is something that I'm thinking about adding.

@Budlee
Copy link
Contributor Author

Budlee commented Jun 10, 2020
edited
Loading

Hey @jzheaux, I think that would be good to have as well.
The stack trace for reactive would be horriblly long is my only thought. But as a trace maybe a good idea.

The other thing is in this specific case is that I have logging for each JWT Validator that fails. This is quite nice in the log.

Maybe it should change but the current validate gets the first validation fail even if there is many. So if we had the stach trace you would only see the first error of the token
org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder#validateJwt

if ( result.hasErrors() ) {
			String message = result.getErrors().iterator().next().getDescription();
			throw new JwtValidationException(message, result.getErrors());
		}

This seems silly as the DelegatedOauth collects all
org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator#validate

for (OAuth2TokenValidator<T> validator : this.tokenValidators) {
			errors.addAll(validator.validate(token).getErrors());
		}

Also I think this result.getErrors().iterator().next().getDescription(); is an NPE waiting to happen

@jzheaux jzheaux added in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged labels Jun 16, 2020
jzheaux
jzheaux requested changes Jun 16, 2020
View reviewed changes
Copy link
Contributor

@jzheaux jzheaux left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, @Budlee! I've left some feedback inline.

@jzheaux jzheaux added this to the 5.4.0-M2 milestone Jun 16, 2020
@jzheaux
Copy link
Contributor

jzheaux commented Jun 16, 2020
edited
Loading

That's great feedback, @Budlee. I'll try and address a couple of your comments:

This seems silly as the DelegatedOauth collects all org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator#validate

What would you supply as the message for the exception if not the first validation error message?

Also I think this result.getErrors().iterator().next().getDescription(); is an NPE waiting to happen

I agree that this could be polished.

The OAuth2TokenValidatorResult constructor disallows null or empty lists, but it doesn't check if Collection<OAuth2Error> contains null elements. It might be good to add that assertion. Would you like to add a ticket to clean that up?

@Budlee
Copy link
Contributor Author

Budlee commented Jun 20, 2020

@jzheaux,
I've resolved the issues that you had and i've add the tidy up for that potential NPE.

As the validators are now all logging it does make sense for just the first error to go back

Please let me know if you want any more changes

@Budlee Budlee requested a review from jzheaux June 20, 2020 13:12
jzheaux
jzheaux requested changes Jun 23, 2020
View reviewed changes
Copy link
Contributor

@jzheaux jzheaux left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, @Budlee! I've left a bit more feedback.

@Budlee Budlee requested a review from jzheaux June 29, 2020 21:30
@Budlee
Copy link
Contributor Author

Budlee commented Jun 29, 2020

@jzheaux i've updates

@jzheaux jzheaux modified the milestones: 5.4.0-M2, 5.4.0-RC1 Jul 1, 2020
@jzheaux
Copy link
Contributor

jzheaux commented Jul 8, 2020

Thanks for the updates, @Budlee!

It looks like the build is failing. Will you try rebasing, and double-check by running ./gradlew check? If there are any checkstyle errors, please fix them.

Then, at that point in preparation for merging, would you please squash your commits and format the commit message.

@jzheaux
Copy link
Contributor

jzheaux commented Jul 30, 2020

Thanks, @Budlee! This is now merged into master via b272805 and 90e5f45.

Note that I separated your two contributions into two separate commits for easier backporting. First, the additional logging and second the NPE polish.

@jzheaux jzheaux closed this Jul 30, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jzheaux jzheaux jzheaux approved these changes

Assignees

@jzheaux jzheaux

Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) type: enhancement A general enhancement
Projects
None yet
Milestone
5.4.0-RC1
Development

Successfully merging this pull request may close these issues.
3 participants
@Budlee @jzheaux @spring-projects-issues