FR: relax JSON parsing of TokenResponse (and JsonWebToken)

[wonderfly]

From michel.j...@e-office.com on November 28, 2012 00:30:25

Version of google-oauth-java-client (e.g. 1.5.0-beta)?
1.12.0

Java environment (e.g. Java 6, Android 2.3, App Engine)?
AppEngine 1.7.3

Describe the problem.
When consuming Microsoft Office365 OAuth services, the accessToken that is retrieved through:

AuthorizationCodeTokenRequest . execute() as per the sample, I get the error:
number field formatted as a JSON string must use the @JsonString annotation How would you expect it to be fixed? In the JSONParser.java (from com.google.api.client.json)
I commented out the Preconditions check, and now I have an accesstoken. And also the expires in has a value...

--------- start here -------

  case VALUE_STRING:

//        Preconditions.checkArgument(valueClass == null || !Number.class.isAssignableFrom(valueClass)
//            || fieldContext != null && fieldContext.getAnnotation(JsonString.class) != null,
//            "number field formatted as a JSON string must use the @JsonString annotation%s",
//            contextString);
        // TODO(yanivi): "special" values like Double.POSITIVE_INFINITY?
        try {
          return Data.parsePrimitiveValue(valueType, getText());
        } catch (IllegalArgumentException e) {
          throw new IllegalArgumentException(contextString, e);
        }

Original issue: http://code.google.com/p/google-oauth-java-client/issues/detail?id=62

[wonderfly]

From yan...@google.com on December 15, 2012 10:13:03

By design: it means that the value of the "expires_in" in the JSON response is formatted as a JSON string in the response from the server. This does not comply with the OAuth 2.0 specification: http://tools.ietf.org/html/rfc6749#appendix-A.14 Quote:
expires-in = 1*DIGIT

A bug needs to be filed against Microsoft Office 365 OAuth services.

That said, we might consider being more permissive here.

Status: Accepted

[wonderfly]

From yan...@google.com on January 24, 2013 06:32:44

Labels: Component-OAuth2

[wonderfly]

From billbl...@gmail.com on May 12, 2014 11:44:49

This issue still occurs with OAuth for MS Dynamics and google-oauth-java-client version 1.17.0.

Here is a simpler workaround, which requires only changing the google-oauth-java-client.jar library instead of the underlying google-http-client.jar library, as the previous workaround does.

Make the following two changes to TokenResponse.java

1. Comment out the @key annation for expiresInSeconds:

// @key("expires_in")
private Long expiresInSeconds;

2. Modify the set() method to manually set the expiresInSeconds field:

  public TokenResponse set(String fieldName, Object value) {
    if (fieldName.equals("expires_in")) {
        if (value instanceof String) {
            try {
                expiresInSeconds = Long.parseLong((String) value);
            } catch (NumberFormatException e) {
                throw new IllegalArgumentException("Value of expires_in is not a number: " + value);
            }
        } else if (value instanceof Number) {
            expiresInSeconds = Long.valueOf(((Number) value).longValue());
        } else {
            throw new IllegalArgumentException("Unknown value type for expires_in: " + value.getClass().getName());
        }
    }

    return (TokenResponse) super.set(fieldName, value);
  }

[lnikkila]

I’ve been told that this occurs with Dell’s Cloud Access Manager as well, but with the “issued at” timestamp:

Caused by: java.lang.IllegalArgumentException: key iat, field private java.lang.Long com.google.api.client.json.webtoken.JsonWebToken$Payload.issuedAtTimeSeconds
            at com.google.api.client.json.JsonParser.parseValue(JsonParser.java:880)
            at com.google.api.client.json.JsonParser.parse(JsonParser.java:471)
            at com.google.api.client.json.JsonParser.parseValue(JsonParser.java:780)
            at com.google.api.client.json.JsonParser.parse(JsonParser.java:381)
            at com.google.api.client.json.JsonParser.parse(JsonParser.java:335)
            at com.google.api.client.json.JsonParser.parseAndClose(JsonParser.java:165)
            at com.google.api.client.json.JsonParser.parseAndClose(JsonParser.java:147)
            at com.google.api.client.json.JsonFactory.fromInputStream(JsonFactory.java:206)
            at com.google.api.client.json.webtoken.JsonWebSignature$Parser.parse(JsonWebSignature.java:476)
            at com.google.api.client.auth.openidconnect.IdToken.parse(IdToken.java:141)
            [snip]
Caused by: java.lang.IllegalArgumentException: number field formatted as a JSON string must use the @JsonString annotation
            at com.google.api.client.repackaged.com.google.common.base.Preconditions.checkArgument(Preconditions.java:92)
            at com.google.api.client.util.Preconditions.checkArgument(Preconditions.java:49)
            at com.google.api.client.json.JsonParser.parseValue(JsonParser.java:845)
            at com.google.api.client.json.JsonParser.parse(JsonParser.java:471)
            at com.google.api.client.json.JsonParser.parseValue(JsonParser.java:780)
            at com.google.api.client.json.JsonParser.parse(JsonParser.java:381)
            at com.google.api.client.json.JsonParser.parse(JsonParser.java:335)
            at com.google.api.client.json.JsonParser.parseAndClose(JsonParser.java:165)
            at com.google.api.client.json.JsonParser.parseAndClose(JsonParser.java:147)
            at com.google.api.client.json.JsonFactory.fromInputStream(JsonFactory.java:206)
            at com.google.api.client.json.webtoken.JsonWebSignature$Parser.parse(JsonWebSignature.java:476)
            at com.google.api.client.auth.openidconnect.IdToken.parse(IdToken.java:141)
            [snip]

[dherben]

I'm having the same problem (with the expires_in formatted as a string) when authorizing against the ExactOnline accounting API.

I had managed to work around the problem for the initial token request by creating my own ExactOnlineResponseToken class (which maps the expires_in to a String) and executing the tokenRequest as such:

flow().newTokenRequest(authCode)
    .setRedirectUri(uri)
    .executeUnparsed()
    .parseAs(ExactOnlineTokenResponse.class)
    .toTokenResponse()

I feel this is better than having to tinker with the libraries themselves. Unfortunately, I still get the error when the Credential automatically tries to refresh the token, because that code is hardcoded in the Credential and I can't access it.

Any plans on making the library more permissive in the near future? I guess I could perform my own checks before each request, proactively refreshing the token when necessary, although that feels hackish.

[Kah0ona]

@dherben I'm with you - this should be more permissive. There are so many services out there that are just a little bit wrongly implemented...

I am also dealing with Exact Online at the moment. I for now went with the approach of @wonderfly, since I stopped reading there, and only after that found out about your post :-)

The unfortunate thing is that one only finds out about a bad upstream implementations when a complete integration of the google oauth workflow is already integrated in the application...

Although technically ExactOnline should fix its implementation but it's so annoying to be dependent on companies to fix their proprietary shit 👎

So bottom line: a bit more permissiveness for all the non-string fields in the responses where a little instanceof check is put in place would help a lot of us out.

[PhoneixS]

I have also problems with office, and as a workaround I have changed the library like the code bellow. This is a workaround and in my opinion shouldn't be merged in the library. However the library must have more versatility and let you use a custom TokenResponse class like Apache OAuth library.

Workaround in TokenResponse.java:

  /**
   * Lifetime in seconds of the access token (for example 3600 for an hour) or {@code null} for
   * none.
   */
  @Key("expires_in")
  private Object expiresInSeconds;

  /**
   * Returns the lifetime in seconds of the access token (for example 3600 for an hour) or
   * {@code null} for none.
   */
  public final Long getExpiresInSeconds() {
    if (expiresInSeconds instanceof Long) {
      return (Long)expiresInSeconds;
    }else if (expiresInSeconds instanceof Number) {
      expiresInSeconds = ((Number)expiresInSeconds).longValue();
      return (Long)expiresInSeconds;
    } else if (expiresInSeconds instanceof String) {
      expiresInSeconds = Long.parseLong((String)expiresInSeconds);
      return (Long)expiresInSeconds;
    }

    return null;
  }