New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OAuth2ClientAuthenticationToken should not be persisted across requests #482
Comments
Thanks for the report, @mbarringer. I was able to reproduce this with the existing sample, and created a reproducible collection in postman. I don't yet have a reason for the issue, so more research is needed. I feel this is an issue we will need to solve because it seems like it could happen in a public client like a single page application from the browser, which would conceivably be reusing cookies on every request as your test does. |
I ran into the same issue. I found that there's some difference on the The fresh request will persist attibures with |
It seems that the |
Thanks @edwardzjl. I believe that is likely the explanation for what's going on. Ultimately, there may be something we need to check to ensure consistency between requests, but I think it's reasonable for now to add the |
Hi folks. Using @sjohnr's
edit: I'm using
Is this something you want more info on in a separate issue @sjohnr - if it's something the core team believes would be useful to be able to serialize, am happy to contribute that mixin. |
Thanks for the feedback. I opened #507 with code working in my project, but it may contain unnecessary mixins which the core team don't want. Once I have your guidance I'll improve the code and get this done. Thanks! |
When can it be updated to the release version? I look forward to it |
Hi @colin-riddell. Since that is not something that's happening out of the box (e.g. in the existing sample), probably not at this time. However, it may be required in the future. As a current example, when using the UserInfo endpoint you need to enable
Awesome. Thanks for the heads up! I will review it as soon as I can and get back to you with that feedback. |
@mbarringer I was not able to reproduce the issue based on your detailed steps. Each time I clicked "Start Over", I was able obtain a token each time. I really don't see how Line 422 in 8defe2e
The
Can you also provide more detail on your flow and how |
@mbarringer @edwardzjl I'll get back to you after I find a fix. |
add Annotation com.fasterxml.jackson.databind.annotation.JsonSerialize |
@mbarringer @edwardzjl @colin-riddell This issue is related to a bug in Spring Security. See spring-security#9993. There is a fix in place and will be released in 5.7.0 GA, which is a way out. FYI, the Since Spring Security 5.7.0 GA is a way out, I've applied a temporary fix via d0e1107 |
Thanks @jgrandja. Does this mean that the If so, would a valid work-around in the mean time be to drop that from the attributes map? |
Correct.
Not sure I understand? If you have a persisted With the current fix merged, all new flows will persist in the correct state. |
I believe what @colin-riddell is referring to (since we discussed this together offline) is a custom scenario using a different authentication mechanism other than form login, for example using JWT authentication. In this case, it seems possible that Our mixin inherits from Spring Security the ability to persist a Hope that helps. |
Hi @jgrandja and @sjohnr apologies for dragging this up again but I just need to clarify what should happen here as I'm not 100% on what the outcome was. Should the If it doesn't need to be persisted I'll need to have a the deserializer I've written just ignore it for now, presumably, until it's fixed elsewhere and is no longer being incorrectly included as that attribute? Or should I be checking for the transient flag as part of my custom serialization? Thanks |
hey @jgrandja - my question wasn't so much "how do we work around this issue?" as we've established that the My question was more "Does it NEED to be?". Reason I'm asking is because I sensed some uncertainty between what you said in an earlier post and what @sjohnr said. you said..
In other words by persisting the |
@colin-riddell - You're good to go with the way you've done it. This thread was actually specific to |
@sjohnr I just encoutered the issue when deserializing
The issue comes from OAuth2RefreshTokenAuthenticationProvider where we have to provide authorization's attribute.
The serialization seems to work but not the deserialization. |
We don't yet have a guide specific to this, and I'm not sure we will at this point.
Yes. |
@akuma8 I am also faced exact same issue when I am implementing custom grant type. Access token and refresh token return by custom grant type. But cannot get new access token from refresh token. Then I try to implement custom mixin. But I couldn't. Did you solve your problem ? |
I found a solution for that issue. Issue is saved
Is this accepted solution. |
Describe the bug
Sometimes the server returns a 500 error with the message:
To Reproduce
I encountered the bug while testing a resource server in conjunction with a new Spring Authorization Server's authorization code flow. The API tool I use automatically does the OAuth2 authentication, using the same session cookie from last time when it gets a new token, and that then stops working due to the 500 error. This is a contrived example, but it does trigger the bug reliably:
Modify the sample authorization server, adding
.redirectUri("https://oidcdebugger.com/debug")
to theRegisteredClient
and then run the server.Open a browser, go to https://oidcdebugger.com/debug, open the network tab of the browser inspector.
Fill the form in, log-in, and get an authorization code.
Look in the browser inspector to get the JSESSIONID cookie from
/oauth2/authorize
.I'm not sure how quickly the next steps need to be done, but now POST directly to the
/oauth2/token
endpoint. Run curl or your preferred API client:A token should be correctly returned.
Click "Start Over" in the browser, which will hopefully cause the browser to send the same JSESSIONID with the new call to
/oauth2/authorize
, and get the new authorization code. Try the POST again with the new code and the same JSESSIONID. It should return a 500 error, and in the logs will be the exception.Expected behavior
I expected to get a new token, and if not, an error message rather than an exception.
The text was updated successfully, but these errors were encountered: