Reactive OAuth2 using query parameters for access_token can cause HTTP 500s #7011
Assignees
Labels
in: oauth2
An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)
status: backported
An issue that has been backported to maintenance branches
type: bug
A general bug
Milestone
Comments
spring-projects-issues
added
the
status: waiting-for-triage
rwinch
added a commit
to rwinch/spring-security
that referenced
this issue
Jun 19, 2019
Previously ServerBearerTokenAuthenticationConverter would throw an IllegalArgumentException when the access token in a URI was empty String. It also incorrectly provided HttpStatus.BAD_REQUEST for an empty String access token in the headers. This changes ServerBearerTokenAuthenticationConverter to consistently throw a OAuth2AuthenticationException with an HttpStatus.UNAUTHORIZED Fixes spring-projectsgh-7011
rwinch
added
in: oauth2
spring-projects-issues
added
status: backported
|
Thanks for the detailed report @bhavikkumar! I put together a pull request that I'll have @jzheaux review. This particular issue is scheduled for 5.2.0.RC1 but I also created a backport issue (gh-7021) to get this in 5.1.6 |
bhavikkumar
added a commit
to bhavikkumar/spring-security
that referenced
this issue
Jun 19, 2019
jzheaux
pushed a commit
that referenced
this issue
Jun 24, 2019
Previously ServerBearerTokenAuthenticationConverter would throw an IllegalArgumentException when the access token in a URI was empty String. It also incorrectly provided HttpStatus.BAD_REQUEST for an empty String access token in the headers. This changes ServerBearerTokenAuthenticationConverter to consistently throw a OAuth2AuthenticationException with an HttpStatus.UNAUTHORIZED Fixes gh-7011
jzheaux
pushed a commit
that referenced
this issue
Jun 28, 2019
Previously ServerBearerTokenAuthenticationConverter would throw an IllegalArgumentException when the access token in a URI was empty String. It also incorrectly provided HttpStatus.BAD_REQUEST for an empty String access token in the headers. This changes ServerBearerTokenAuthenticationConverter to consistently throw a OAuth2AuthenticationException with an HttpStatus.UNAUTHORIZED Fixes gh-7011
kostya05983
pushed a commit
to kostya05983/spring-security
that referenced
this issue
Aug 26, 2019
Previously ServerBearerTokenAuthenticationConverter would throw an IllegalArgumentException when the access token in a URI was empty String. It also incorrectly provided HttpStatus.BAD_REQUEST for an empty String access token in the headers. This changes ServerBearerTokenAuthenticationConverter to consistently throw a OAuth2AuthenticationException with an HttpStatus.UNAUTHORIZED Fixes spring-projectsgh-7011
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Summary
When using ServerBearerTokenAuthenticationConverter with
setAllowUriQueryParameter(true)then there is a possibility that the web server will return a HTTP 500 when the query parameter is not filled in. E.g: /hello?access_token=Edit: This problem potentially also affects DefaultBearerTokenResolver
Actual Behavior
ServerBearerTokenAuthenticationConverter.convert method throws a IllegalArgumentException due to the string being passed to BearerTokenAuthenticationToken::new being empty.
Expected Behavior
The expected behaviour should be that the query parameter is validated in the ServerBearerTokenAuthenticationConverter.token method and a OAuth2AuthenticationException is thrown.
The validation should be similar/same as if the token was being provided from HTTP Header.
Version
Sample
https://github.com/bhavikkumar/reactive-spring-auth
The text was updated successfully, but these errors were encountered: