
Return 401 instead of 500 on use of invalid access tokens #38866

Closed
jkakavas opened this issue Feb 13, 2019 · 3 comments · Fixed by #49736
Labels: >bug :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc)

Comments

@jkakavas
Member

Token Service will throw an InvalidStateException if a wrong access token is used as a Bearer token for authentication and this gets translated to a 500 error response. We should be handling this correctly and return a 401 Unauthorized instead.

Relates: elastic/kibana#22905

@jkakavas jkakavas added >bug :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) labels Feb 13, 2019
@jkakavas jkakavas self-assigned this Feb 13, 2019
@elasticmachine
Collaborator

Pinging @elastic/es-security

@jkakavas
Member Author

jkakavas commented Aug 2, 2019

This has been resolved as part of the awesome work that @albertzaharovits did on refactoring the TokenService. I added a small test to catch any regressions in #45138.

@jkakavas jkakavas closed this as completed Aug 2, 2019
@jkakavas
Member Author

jkakavas commented Aug 5, 2019

Re-opening this as it was prematurely closed. There is still one case where we throw a 500: when the access token is valid but expired and deleted from the tokens index. This needs to be handled before we resolve this issue.

@jkakavas jkakavas reopened this Aug 5, 2019
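The behaviour the issue asks for, shown as an added example that is not Elasticsearch's TokenService code: every way a bearer token can be unusable (malformed, unknown, expired, invalidated, or, as in the reopened case above, issued but later expired and deleted from the tokens index) is reported as a single client-side error that the HTTP layer maps to 401, while only a genuine backend fault produces 500. The in-memory TOKENS_INDEX, the base64/JSON token encoding, and the function names (issue_token, authenticate_token, handle_request, set_store_available) are assumptions made for this illustration, not names from the project.

```python
import base64
import binascii
import json
import secrets
import time
from typing import Optional, Tuple

# Constructed in-memory "tokens index" keyed by token id. Assumption for the
# example: a real service backs this with a persistent store.
TOKENS_INDEX: dict = {}
STORE_AVAILABLE = True  # flipped via set_store_available() to simulate an outage


class InvalidTokenError(Exception):
    """Client-caused failure: malformed, unknown, expired or invalidated token."""


class TokenStoreUnavailable(Exception):
    """Server-caused failure: the tokens index cannot be reached."""


def set_store_available(flag: bool) -> None:
    """Test hook: simulate the backing store going away (assumed helper)."""
    global STORE_AVAILABLE
    STORE_AVAILABLE = flag


def issue_token(subject: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Create a token, record it in the index, and return the opaque bearer string."""
    now = time.time() if now is None else now
    token_id = secrets.token_hex(8)
    TOKENS_INDEX[token_id] = {"sub": subject, "exp": now + ttl_seconds, "invalidated": False}
    payload = json.dumps({"id": token_id, "sub": subject}).encode()
    return base64.urlsafe_b64encode(payload).decode()


def decode_token(token: str) -> dict:
    """Parse the bearer string; any structural problem is a client error, never a crash."""
    try:
        payload = json.loads(base64.urlsafe_b64decode(token.encode()))
    except (binascii.Error, ValueError) as exc:
        raise InvalidTokenError("malformed access token") from exc
    if not isinstance(payload, dict) or "id" not in payload:
        raise InvalidTokenError("malformed access token")
    return payload


def authenticate_token(token: str, now: Optional[float] = None) -> str:
    """Return the subject for a usable token, or raise InvalidTokenError.

    Unknown-id covers the case from the issue: a token we issued that later
    expired and was deleted from the index must be rejected, not blow up.
    """
    now = time.time() if now is None else now
    payload = decode_token(token)
    if not STORE_AVAILABLE:
        raise TokenStoreUnavailable("tokens index unreachable")
    record = TOKENS_INDEX.get(payload["id"])
    if record is None:
        raise InvalidTokenError("unknown or deleted access token")
    if record["invalidated"] or record["exp"] <= now:
        raise InvalidTokenError("expired or invalidated access token")
    return record["sub"]


def delete_expired_tokens(now: Optional[float] = None) -> int:
    """Housekeeping: drop expired records from the index; returns the count removed."""
    now = time.time() if now is None else now
    expired = [tid for tid, rec in TOKENS_INDEX.items() if rec["exp"] <= now]
    for tid in expired:
        del TOKENS_INDEX[tid]
    return len(expired)


def handle_request(headers: dict, now: Optional[float] = None) -> Tuple[int, dict]:
    """HTTP-layer mapping: returns (status code, response headers)."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return 401, {"WWW-Authenticate": 'Bearer realm="example"'}
    try:
        subject = authenticate_token(token, now)
    except InvalidTokenError:
        # Client problem: re-issue the challenge without explaining which check failed.
        return 401, {"WWW-Authenticate": 'Bearer realm="example", error="invalid_token"'}
    except TokenStoreUnavailable:
        # Genuine server fault: 500 is the honest answer only here.
        return 500, {}
    return 200, {"X-Authenticated-Subject": subject}


if __name__ == "__main__":
    tok = issue_token("alice", ttl_seconds=60, now=1000.0)
    print(handle_request({"Authorization": f"Bearer {tok}"}, now=1010.0)[0])  # 200
    delete_expired_tokens(now=2000.0)
    print(handle_request({"Authorization": f"Bearer {tok}"}, now=2000.0)[0])  # 401, not 500
```

The split between InvalidTokenError and TokenStoreUnavailable is the design point: anything the client could have caused is folded into one exception type that the request handler already expects, so a token disappearing from the index between issue and use is an ordinary 401 path rather than an unhandled exception surfacing as 500.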
jkakavas added a commit to jkakavas/elasticsearch that referenced this issue Nov 30, 2019
Return a 401 in all cases when a request is submitted with an
access token that we can't consume. Before this change, we would
throw a 500 when a request came in with an access token that we
had generated but was then invalidated/expired and deleted from
the tokens index.

Resolves: elastic#38866
jkakavas added a commit that referenced this issue Dec 6, 2019
Return a 401 in all cases when a request is submitted with an
access token that we can't consume. Before this change, we would
throw a 500 when a request came in with an access token that we
had generated but was then invalidated/expired and deleted from
the tokens index.

Resolves: #38866
jkakavas added a commit to jkakavas/elasticsearch that referenced this issue Dec 10, 2019
Return a 401 in all cases when a request is submitted with an
access token that we can't consume. Before this change, we would
throw a 500 when a request came in with an access token that we
had generated but was then invalidated/expired and deleted from
the tokens index.

Resolves: elastic#38866
jkakavas added a commit that referenced this issue Dec 11, 2019
Return a 401 in all cases when a request is submitted with an
access token that we can't consume. Before this change, we would
throw a 500 when a request came in with an access token that we
had generated but was then invalidated/expired and deleted from
the tokens index.

Resolves: #38866
Backport of #49736
SivagurunathanV pushed a commit to SivagurunathanV/elasticsearch that referenced this issue Jan 23, 2020
Return a 401 in all cases when a request is submitted with an
access token that we can't consume. Before this change, we would
throw a 500 when a request came in with an access token that we
had generated but was then invalidated/expired and deleted from
the tokens index.

Resolves: elastic#38866
2 participants