
Error description by BearerTokenAccessDeniedHandler is misleading #7089

Closed
edouardhue opened this issue Jul 9, 2019 · 4 comments
Assignees
Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) type: enhancement A general enhancement
Milestone

Comments

@edouardhue
Contributor

Summary

The error description for the insufficient_scope case in BearerTokenAccessDeniedHandler assumes that the denial is caused by an insufficient scope, while it could have many other causes. It is misleading and should be reworded.

Actual Behavior

The error description in org.springframework.security.oauth2.server.resource.web.access.BearerTokenAccessDeniedHandler for error code insufficient_scope states that "The token provided has insufficient scope [%s] for this request".

Expected Behavior

RFC 6750 describes this error code with:

     The request requires higher privileges than provided by the
     access token.  The resource server SHOULD respond with the HTTP
     403 (Forbidden) status code and MAY include the "scope"
     attribute with the scope necessary to access the protected
     resource.

An implementation could grant other authorities based on other claims from the token, or from any other source. Access could be denied because of insufficient role, origin... or any other insufficient privilege. Thus, the error description should not assume that the scope is always insufficient.

It could be reworded as: "The token provided has insufficient privileges for this request". This would fix #6280 by the way.

Configuration

Not applicable.

Version

spring-security-oauth2-resource-server-5.1.5.RELEASE

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Jul 9, 2019
@jzheaux
Contributor

jzheaux commented Jul 10, 2019

@edouardhue, I think this makes sense.

Since the RFC says "The request requires higher privileges than provided by the access token.", I think an error message of "The token provided has insufficient privileges for this request" would be more accurate.

The existing message is also a potential source of confusion since the spec allows for missing scopes to be included in the error message whereas the existing message includes provided scopes.

Could you provide a PR for the change, both on the reactive and servlet bearer token denial handlers?

@edouardhue
Contributor Author

Sure, gimme a few days!

@edouardhue
Contributor Author

edouardhue commented Jul 10, 2019

@jzheaux Reading again https://tools.ietf.org/html/rfc6750#section-3, I think the scope attribute that is added if a scope is found in the token should be removed too. According to rfc6750, the scope should be indicating:

the required scope of the access token for accessing the requested resource

Instead, it lists the scopes extracted from the token.

Plus, at section 3.1, the rfc states that in the case of insufficient_scope error:

the resource server […] MAY include the "scope" attribute with the scope necessary to access the protected resource.

It is then misleading to respond with the scopes from the token, as a user would understand that their token actually has all the required scopes.

I suggest totally removing the scope attribute as it is optional and its proper value would be hard to compute.
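The two points raised in this thread (the wording of error_description in the issue body, and the scope attribute discussed in the comment above) both concern the shape of the RFC 6750 challenge a resource server sends on a 403. The following Python model is an added illustration, not Spring Security's code: it builds the WWW-Authenticate header the way the pre-fix handler did (echoing the token's own scopes) next to the corrected form, which uses the generic "insufficient privileges" wording and only emits scope when the required scope is actually known. The function names (build_challenge, legacy_denied_response, corrected_denied_response, parse_challenge) and the sample scope values are assumptions made for this example; the two message strings are the ones quoted in the issue.

```python
import re
from typing import Dict, Optional, Sequence, Tuple

# RFC 6750 section 3 ABNF: error_description is 1*NQSCHAR and each scope
# token is 1*NQCHAR. Neither class contains '"' or '\', so the values can
# be emitted inside quotes without any escaping.
_NQSCHAR = re.compile(r"^[\x20-\x21\x23-\x5B\x5D-\x7E]+$")
_NQCHAR = re.compile(r"^[\x21\x23-\x5B\x5D-\x7E]+$")

# Pre-fix message (quoted in the issue) and the wording proposed there.
LEGACY_DESCRIPTION = "The token provided has insufficient scope [%s] for this request"
CORRECTED_DESCRIPTION = "The token provided has insufficient privileges for this request"


def build_challenge(error: str, error_description: str,
                    scope: Optional[Sequence[str]] = None) -> str:
    """Assemble the value of a 'WWW-Authenticate: Bearer ...' header."""
    if not _NQSCHAR.match(error_description):
        raise ValueError("error_description contains characters outside NQSCHAR")
    params = [f'error="{error}"', f'error_description="{error_description}"']
    if scope:
        for token in scope:
            if not _NQCHAR.match(token):
                raise ValueError(f"invalid scope token: {token!r}")
        # RFC 6750: scope lists the scope *required* for the resource,
        # so the caller must pass the requirement, never the token's scopes.
        params.append('scope="' + " ".join(scope) + '"')
    return "Bearer " + ", ".join(params)


def legacy_denied_response(token_scopes: Sequence[str]) -> Tuple[int, Dict[str, str]]:
    """Pre-fix behaviour modelled from the issue: the token's own scopes are
    placed both in error_description and in the scope attribute."""
    description = LEGACY_DESCRIPTION % " ".join(token_scopes)
    header = build_challenge("insufficient_scope", description, token_scopes)
    return 403, {"WWW-Authenticate": header}


def corrected_denied_response(required_scope: Optional[Sequence[str]] = None
                              ) -> Tuple[int, Dict[str, str]]:
    """Corrected behaviour: a generic description, and scope only when the
    resource's required scope is known (it is optional under RFC 6750)."""
    header = build_challenge("insufficient_scope", CORRECTED_DESCRIPTION, required_scope)
    return 403, {"WWW-Authenticate": header}


_PARAM = re.compile(r'([A-Za-z_]+)="([^"]*)"')


def parse_challenge(header: str) -> Dict[str, str]:
    """Split a Bearer challenge into its quoted auth-params."""
    scheme, _, rest = header.partition(" ")
    if scheme != "Bearer":
        raise ValueError("not a Bearer challenge")
    return dict(_PARAM.findall(rest))


def echoes_token_scopes(header: str, token_scopes: Sequence[str]) -> bool:
    """Defender's check: does the challenge reflect the caller's own scopes
    back as if they were the requirement?"""
    params = parse_challenge(header)
    return params.get("scope") == " ".join(token_scopes)


if __name__ == "__main__":
    # Constructed sample: a token carrying only message:read hits a
    # resource that requires message:write.
    status, headers = legacy_denied_response(["message:read"])
    print(status, headers["WWW-Authenticate"])
    print("echoes token scopes:", echoes_token_scopes(headers["WWW-Authenticate"], ["message:read"]))
    status, headers = corrected_denied_response(["message:write"])
    print(status, headers["WWW-Authenticate"])
```

Running the script prints the pre-fix challenge, which names message:read even though that scope was insufficient, followed by the corrected one, which either omits scope or names the actual requirement.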

@edouardhue
Contributor Author

@jzheaux I just submitted #7096.

@jzheaux jzheaux self-assigned this Jul 12, 2019
@jzheaux jzheaux added in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged labels Jul 12, 2019
@jzheaux jzheaux added this to the 5.2.0.RC1 milestone Jul 12, 2019
edouardhue added a commit to edouardhue/spring-security that referenced this issue Jul 12, 2019
Error messages sent by BearerTokenAccessDeniedHandler included
information about the scopes of the rejected token instead of
the scopes required by the resource.
* Removal of token scopes from error_description attribute.
* Removal of scope attribute from WWW-Authenticate response header.

Fixes gh-7089
kostya05983 pushed a commit to kostya05983/spring-security that referenced this issue Aug 26, 2019
Error messages sent by BearerTokenAccessDeniedHandler included
information about the scopes of the rejected token instead of
the scopes required by the resource.
* Removal of token scopes from error_description attribute.
* Removal of scope attribute from WWW-Authenticate response header.

Fixes gh-7089