Improvement: Log RemoteKeySourceException on higher log level instead of swallowing it silently #6764

@catchin

Summary

Currently, in spring-security-oauth2-resource-server / spring-security-oauth2-jose, when an exception occurs while the Nimbus library retrieves the JWK set, it is silently swallowed.

Actual Behavior

Include OAuth2 resource server support according to the documentation and specify spring.security.oauth2.resourceserver.jwt.jwk-set-uri to be some invalid URL. When a client tries to authenticate, no log message is logged on INFO or higher level, only on DEBUG level, but without the root cause, a com.nimbusds.jose.RemoteKeySourceException.

Expected Behavior

As retrieving the jwk-set is not a client error, I would expect it to be logged on WARN log level.

Configuration

Spring Boot with spring-security-oauth2-resource-server & spring-security-oauth2-jose dependencies.

Version

  • Spring Boot 2.1.4
  • Spring Security 5.1.5

Sample

https://github.com/catchin/spring-security-oauth2-resource-server-example (see test)

Ideas

I'm not sure where to log this exception. Currently, I have an EntryPoint where I check if the RemoteKeySourceException appears somewhere in the OAuth2AuthenticationException causes. But this is not general purpose I think.
