Fix JwtClaimValidator error type #10500

Merged
merged 1 commit into from
Nov 29, 2021

jason076
Contributor

Previously JWTValidator could return any OAuth2Error like invalid_request. But validators were only allowed
to return invalid_token errors. Therefore Validators are now enforced to return invalid_token errors
by introducing the OAuth2InvalidTokenError class.

Closes gh-10337

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Nov 12, 2021
@jzheaux jzheaux added in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) status: duplicate A duplicate of another issue type: bug A general bug and removed status: waiting-for-triage An issue we've not yet triaged labels Nov 16, 2021
@jzheaux jzheaux added this to the 6.0.0-M1 milestone Nov 16, 2021
Contributor

@jzheaux jzheaux left a comment

Thanks for the PR, @jason076! I've left my feedback inline.

Additionally, please double-check that you have run ./gradlew format check. It appears that the build is failing on some checkstyle requirements.

@jason076 jason076 changed the title from "Force JWTValidators to only return invalid_token" to "Fix JwtClaimValidator error type" Nov 22, 2021
Previously JwtClaimValidator returned the invalid_request error on claim validation failure.
But validators have to return invalid_token errors on failure according to:
https://datatracker.ietf.org/doc/html/rfc6750#section-3.1.
Also see gh-10337

Closes gh-10337
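
The rule the commit message cites, as an added example that is not code from this pull request or from Spring Security: a custom claim validator that reports failure with `invalid_token`, because the request itself was well formed and only the token's content failed validation. The class name `RequiredClaimValidator`, the `tenant` claim and the sample values are hypothetical; it assumes `spring-security-oauth2-jose` is on the classpath.

```java
import java.util.function.Predicate;

import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;

// Hypothetical validator (not Spring Security's JwtClaimValidator): checks one
// claim and reports failure with the RFC 6750 section 3.1 code for a bad token.
public final class RequiredClaimValidator implements OAuth2TokenValidator<Jwt> {

    private static final String RFC6750_ERRORS =
            "https://datatracker.ietf.org/doc/html/rfc6750#section-3.1";

    private final String claim;
    private final Predicate<Object> test;

    public RequiredClaimValidator(String claim, Predicate<Object> test) {
        this.claim = claim;
        this.test = test;
    }

    @Override
    public OAuth2TokenValidatorResult validate(Jwt token) {
        Object value = token.getClaim(this.claim); // null when the claim is absent
        if (value != null && this.test.test(value)) {
            return OAuth2TokenValidatorResult.success();
        }
        // invalid_token, not invalid_request: the HTTP request was well formed,
        // it is the token's content that failed validation.
        OAuth2Error error = new OAuth2Error(OAuth2ErrorCodes.INVALID_TOKEN,
                "The " + this.claim + " claim is not valid", RFC6750_ERRORS);
        return OAuth2TokenValidatorResult.failure(error);
    }

    public static void main(String[] args) {
        // Constructed sample token; signature checks happen elsewhere in the decoder.
        Jwt jwt = Jwt.withTokenValue("constructed-token")
                .header("alg", "none")
                .claim("tenant", "other")
                .build();
        OAuth2TokenValidator<Jwt> validator =
                new RequiredClaimValidator("tenant", "acme"::equals);
        for (OAuth2Error e : validator.validate(jwt).getErrors()) {
            System.out.println(e.getErrorCode() + ": " + e.getDescription());
        }
    }
}
```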
@jason076
Contributor Author

Can you trigger the pipeline again please? I have fixed the style issues.

@jzheaux jzheaux merged commit 82426e2 into spring-projects:main Nov 29, 2021
@jzheaux
Contributor

jzheaux commented Nov 29, 2021

Thanks, @jason076! This is now merged into main.


Successfully merging this pull request may close these issues.

Invalid_request failures in JwtTokenValidators are always turned into invalid_token errors
3 participants