Closed
Labels: in: oauth2 (An issue in OAuth2 modules: oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose); type: enhancement (A general enhancement)
Description
Summary
JwtReactiveAuthenticationManager returns a BearerTokenError, regardless of the OAuth2Error returned by a JwtValidationException.
Actual Behavior

```java
// JwtReactiveAuthenticationManager (5.1.5): every JwtException, including a
// JwtValidationException that already carries its own OAuth2Error, is mapped
// to a generic invalid_token BearerTokenError built from the exception message.
private OAuth2AuthenticationException onError(JwtException e) {
    OAuth2Error invalidRequest = invalidToken(e.getMessage());
    return new OAuth2AuthenticationException(invalidRequest, e.getMessage());
}
```
Expected Behavior

line 78:

```java
OAuth2Error invalidRequest = e instanceof JwtValidationException
        ? ((JwtValidationException) e).getErrors().iterator().next()
        : invalidToken(e.getMessage());
```
Configuration
Using @EnableWebFluxSecurity and the default ReactiveAuthenticationManager (see sample for details)
Version
spring-security-oauth2-resource-server-5.1.5.RELEASE
Sample
Any application using the oauth2resourceserver-webflux default configuration, when receiving an expired JWT, will return a generic BearerTokenError as defined in JwtReactiveAuthenticationManager.
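The following is an added example by the editor, not code from the issue reporter or from the Spring Security project. It is a drop-in ReactiveAuthenticationManager for the 5.1.x reactive resource server that implements the mapping the issue asks for: when decoding fails with a JwtValidationException, the validator's own OAuth2Error (for an expired token, the timestamp validator's error with its description) is surfaced instead of a generic invalid_token error. Two details go beyond the one-liner above and are the editor's choices: the error collection is checked for emptiness before taking its first element, and a plain OAuth2Error is re-wrapped as a BearerTokenError with status 401 so that BearerTokenServerAuthenticationEntryPoint, which reads the HTTP status from BearerTokenError, keeps answering with 401 while the error code, description and URI are preserved. The class name ValidationAwareJwtReactiveAuthenticationManager is hypothetical.

```java
// Added example (editor's own code, not the project's or the reporter's).
// Assumes spring-security-oauth2-resource-server / oauth2-jose 5.1.x on the classpath.
import java.util.Collection;
import java.util.Iterator;

import org.springframework.core.convert.converter.Converter;
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.security.oauth2.jwt.JwtValidationException;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder;
import org.springframework.security.oauth2.server.resource.BearerTokenAuthenticationToken;
import org.springframework.security.oauth2.server.resource.BearerTokenError;
import org.springframework.security.oauth2.server.resource.BearerTokenErrorCodes;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import reactor.core.publisher.Mono;

// Hypothetical class name; register it via ServerHttpSecurity.oauth2ResourceServer().jwt()
// .authenticationManager(...) in place of the default JwtReactiveAuthenticationManager.
public class ValidationAwareJwtReactiveAuthenticationManager implements ReactiveAuthenticationManager {

    private static final String BEARER_ERROR_URI = "https://tools.ietf.org/html/rfc6750#section-3.1";

    private final ReactiveJwtDecoder jwtDecoder;
    private final Converter<Jwt, AbstractAuthenticationToken> jwtAuthenticationConverter =
            new JwtAuthenticationConverter();

    public ValidationAwareJwtReactiveAuthenticationManager(ReactiveJwtDecoder jwtDecoder) {
        this.jwtDecoder = jwtDecoder;
    }

    @Override
    public Mono<Authentication> authenticate(Authentication authentication) {
        return Mono.justOrEmpty(authentication)
                .filter(a -> a instanceof BearerTokenAuthenticationToken)
                .cast(BearerTokenAuthenticationToken.class)
                .map(BearerTokenAuthenticationToken::getToken)
                .flatMap(this.jwtDecoder::decode)
                .map(this.jwtAuthenticationConverter::convert)
                .cast(Authentication.class)
                // Every decode/validation failure surfaces as a JwtException; map it here.
                .onErrorMap(JwtException.class, this::onError);
    }

    // The mapping the issue asks for: prefer the validator's own error over a generic
    // invalid_token error. Falls back to invalid_token for non-validation JwtExceptions
    // (malformed token, bad signature) and, defensively, for an empty error collection.
    OAuth2AuthenticationException onError(JwtException e) {
        OAuth2Error error = null;
        if (e instanceof JwtValidationException) {
            Collection<OAuth2Error> errors = ((JwtValidationException) e).getErrors();
            Iterator<OAuth2Error> it = errors.iterator();
            if (it.hasNext()) {
                error = it.next();
            }
        }
        if (error == null) {
            error = invalidToken(e.getMessage());
        }
        return new OAuth2AuthenticationException(toBearerTokenError(error), e.getMessage());
    }

    // A plain OAuth2Error carries no HTTP status; wrap it so the bearer-token entry point
    // still answers 401 while the validator's error code, description and URI survive.
    static BearerTokenError toBearerTokenError(OAuth2Error error) {
        if (error instanceof BearerTokenError) {
            return (BearerTokenError) error;
        }
        return new BearerTokenError(error.getErrorCode(), HttpStatus.UNAUTHORIZED,
                error.getDescription(), error.getUri());
    }

    // Same generic error the stock manager produces, used only as the fallback.
    private static BearerTokenError invalidToken(String message) {
        return new BearerTokenError(BearerTokenErrorCodes.INVALID_TOKEN, HttpStatus.UNAUTHORIZED,
                message, BEARER_ERROR_URI);
    }
}
```

With this manager in place, an expired token produces a WWW-Authenticate challenge whose error_description is the timestamp validator's message rather than the wrapped decoder message, which is what a client needs to distinguish "refresh your token" from "this token is malformed". Taking only the first error, as the expected-behaviour snippet does, drops any further validation failures; if those matter for diagnostics, log the full collection before mapping.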