OAuth2AccessTokenResponseBodyExtractor should support Object values #6087

Closed
hfgbarrigas opened this issue Nov 14, 2018 · 3 comments
Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) type: bug A general bug
hfgbarrigas commented Nov 14, 2018

Summary

When dealing with additional information in the token response (<String, Object>), Jackson throws an exception. Looking at the OAuth2AccessTokenResponseBody class to extract the OAuth2AccessTokenResponse:


@Override
public Mono<OAuth2AccessTokenResponse> extract(ReactiveHttpInputMessage inputMessage,
		Context context) {
	ParameterizedTypeReference<Map<String, String>> type = new ParameterizedTypeReference<Map<String, String>>() {};
	BodyExtractor<Mono<Map<String, String>>, ReactiveHttpInputMessage> delegate = BodyExtractors.toMono(type);
	return delegate.extract(inputMessage, context)
			.map(json -> parse(json))
			.flatMap(OAuth2AccessTokenResponseBodyExtractor::oauth2AccessTokenResponse)
			.map(OAuth2AccessTokenResponseBodyExtractor::oauth2AccessTokenResponse);
}

Looks like Map<String, String> is forced and values other than strings cannot be parsed. Down below on parse (line 66) new JSONObject() can deal with Map<String, ?>.

Actual Behavior

Exception thrown in Jackson.

Caused by: com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot deserialize instance of java.lang.String out of START_ARRAY token
at [Source: UNKNOWN; line: -1, column: -1] (through reference chain: java.util.LinkedHashMap["client_authorities"])

Expected Behavior

{"access_token":"accessToken","token_type":"bearer","expires_in":6568,"scope":"all","grant_type":"client_credentials","organization":"HOLD","client_authorities":["INTERNAL"],"jti":"72ebfbf1-2686-450b-8dd1-525a704e6aa1"}

Token example shown above should be parsed correctly and OAuth2AccessTokenResponse correctly constructed.

Version

5.1.3.BUILD-SNAPSHOT

Sample

https://github.com/hfgbarrigas/oauth2client-webflux-error-sample
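
An added example (not part of the issue and not Spring Security's own code) that reproduces the reported Jackson failure with the token response above, then parses the same body with Object values while still type-checking the fields a client relies on. The class name, the `additionalParameters` helper and the checks are assumptions for illustration; it needs jackson-databind on the classpath and Java 9 or later.

```java
import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.MismatchedInputException;

import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

public class TokenResponseParsingDemo {

    // Standard token response parameters (RFC 6749, section 5.1); everything else is "additional".
    private static final Set<String> STANDARD = Set.of(
            "access_token", "token_type", "expires_in", "refresh_token", "scope");

    // Hypothetical helper: keeps non-standard parameters with their original JSON types.
    static Map<String, Object> additionalParameters(Map<String, Object> body) {
        Map<String, Object> extra = new LinkedHashMap<>();
        body.forEach((name, value) -> {
            if (!STANDARD.contains(name)) {
                extra.put(name, value);
            }
        });
        return extra;
    }

    public static void main(String[] args) throws Exception {
        // Token response taken from the issue report.
        String json = "{\"access_token\":\"accessToken\",\"token_type\":\"bearer\",\"expires_in\":6568,"
                + "\"scope\":\"all\",\"grant_type\":\"client_credentials\",\"organization\":\"HOLD\","
                + "\"client_authorities\":[\"INTERNAL\"],\"jti\":\"72ebfbf1-2686-450b-8dd1-525a704e6aa1\"}";
        ObjectMapper mapper = new ObjectMapper();

        try {
            // Same target type as the extractor in the report: every value must bind to a String.
            mapper.readValue(json, new TypeReference<Map<String, String>>() {});
        } catch (MismatchedInputException e) {
            System.out.println("Map<String, String> failed: " + e.getOriginalMessage());
        }

        // Object values let arrays and numbers through with their JSON types intact.
        Map<String, Object> body = mapper.readValue(json, new TypeReference<Map<String, Object>>() {});
        // Fields the client depends on are still type-checked before use.
        if (!(body.get("access_token") instanceof String) || !(body.get("expires_in") instanceof Number)) {
            throw new IllegalStateException("malformed token response");
        }
        System.out.println("expires_in = " + ((Number) body.get("expires_in")).longValue());
        System.out.println("additional = " + additionalParameters(body));
    }
}
```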

@rwinch rwinch added this to the 5.1.2 milestone Nov 14, 2018
raphaelDL added a commit to raphaelDL/spring-security that referenced this issue Nov 15, 2018
This commit ensures the token response is parsed correctly if the values are not a String.

Fixes: spring-projectsgh-6087
@rwinch rwinch self-assigned this Nov 15, 2018
@rwinch rwinch added Reactive in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) type: bug A general bug labels Nov 15, 2018
@rwinch rwinch modified the milestones: 5.1.2, 5.2.0.M1 Nov 15, 2018
@rwinch rwinch changed the title Jackson exception when deserialising token response OAuth2AccessTokenResponseBodyExtractor supports Object values Nov 15, 2018
@rwinch rwinch changed the title OAuth2AccessTokenResponseBodyExtractor supports Object values OAuth2AccessTokenResponseBodyExtractor should support Object values Nov 15, 2018
@rwinch rwinch closed this as completed in 75a2c2b Nov 15, 2018
rwinch pushed a commit that referenced this issue Nov 15, 2018
This commit ensures the token response is parsed correctly if the values are not a String.

Fixes: gh-6087
@rwinch
Member

rwinch commented Nov 15, 2018

Thanks for the report @hfgbarrigas! This is now fixed in master with a PR from @raphaelDL (thanks for the PR!). The code was also backported to 5.1.x via #6100

@hfgbarrigas
Author

Great. Is there a snapshot to test?

@rwinch
Member

rwinch commented Nov 16, 2018

jer051 pushed a commit to jer051/spring-security that referenced this issue Nov 21, 2018
This commit ensures the token response is parsed correctly if the values are not a String.

Fixes: spring-projectsgh-6087