-
Notifications
You must be signed in to change notification settings - Fork 4.1k
Getting "HTTP 400 Bad Request" instead of "HTTP 401 Unauthorized" for incorrect user credentials #1906
Comments
I am unable to produce this with a servlet environment or a WebFlux environment. Can you provide more details on how to reproduce? |
I observed the same issue with In the
However, the rfc2616 says
Also, according to rfc2617
|
I got the same issue. Debugged for a while till I found out it's caused by Spring. Don't get it why they put 400 here. @rwinch please remove the waiting-for-feedback tag as @kmatusiewicz already responses to you. |
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed. |
Feedback: It even says it in the code "// If the username/password are wrong the spec says we should send 400/invalid grant" Seriously? there is the information already provided and we didn't get a response. The issuemaster just sucks. Could anyone please look at the issue? See the code part provided by kmatusiewicz... |
Sorry for the noise, @judos, let's see if I can help clear it up. Without more information from @silentsnooc, I don't think we can address the reported issue, which is why the ticket was still waiting for feedback from the reporter. The specific behavior you and @kmatusiewicz described is one of many ways that an application could receive a 400 instead of a 401, so it didn't provide the information needed to address the reporter's issue. That said, I can understand your frustration in not getting a response to your question. The OAuth 2.0 RFC states that the
I think it's also important to remember that RFC 2616 and 2617 relate to credentials specified in the I'm going to replace the |
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed. |
Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue. |
@jzheaux Hi! Sorry for the late response but I am using a new account nowadays. I am using Spring Boot 2.3.4.RELEASE in my config: <properties>
<spring.boot.version>2.3.4.RELEASE</spring.boot.version>
<springdoc.version>1.2.25</springdoc.version>
</properties> and <dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-jwt</artifactId>
<version>1.0.9.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security.oauth</groupId>
<artifactId>spring-security-oauth2</artifactId>
<version>2.3.2.RELEASE</version>
</dependency> Presenting a wrong password will produce the following log:
and the following JSON-response: {
"error" : "invalid_grant",
"error_description" : "Bad credentials"
} Which is fine but the HTTP code is 400 instead of 401: I am not sure if that should be the case. I expected it to be a HTTP 401 Unauthorized instead. It's probably just a minor issue - if at all. hth |
Same issue here. Also I am not able to handle How to handle this exception manually and provide proper response to user? |
Thanks, @falk-stefan, for the update. The extra detail you've added confirms that this is related to |
@jigneshkhatri Yeah, I've been there as well. I don't have a solution for you but you might want to take a look at the @Component
public class AuthFailureHandler implements AuthenticationEntryPoint {
@Override
public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException {
System.out.println("Hello");
// FIXME We need to return HTTP 401 (s.t. the client knows what's going on) but for some reason it's not working as intended!
throw authException;
}
}
@Bean
public AuthenticationEntryPoint customAuthEntryPoint(){
return new AuthFailureHandler();
} |
@falk-stefan thanks for responding. I have tried that solution before, but execution does not reach there, and it throws 400 error. As per my understanding this solution only works with basic login based spring security right? Here I have implemented OAuth2 Spring Security. |
@jigneshkhatri Ah. Yeah, I think that was the problem.. the code was never really reached and I never revisited it. I never found out why this code is not getting executed to be honest. |
This is tricky. First of all, this is NOT to access a protected resource (like "/user/abc"), which is handled by ExceptionTranslationFilter and its configured authenticationEntryPoint (like OAuth2AuthenticationEntryPoint). For this situation you may need to check the exceptionTranslator of the authenticationEntryPoint (default to DefaultWebResponseExceptionTranslator). Our situation here is about the oauth2 authorization server and its token endpoints (framework endpoints). So you may need to check the exceptionTranslator of AuthorizationServerEndpointsConfigurer, which can be configured by using The interesting is the spec mentianed above by @jzheaux (https://datatracker.ietf.org/doc/html/rfc6749#section-5.2), it said However, when username/password does not match, spring DaoAuthenticationProvider throws BadCredentialsException, which is converted to Then the InvalidGrantException is translated to 400 by the |
I noticed that Spring security returns HTTP 400 instead of HTTP 401 for a user who gives a wrong password. From what I was reading online it would seem that HTTP 401 is more appropriate than just HTTP 400.
The text was updated successfully, but these errors were encountered: