Fix WebAuthn OIDC id_token missing sid and auth_time with SpringSessionBackedSessionRegistry#19215
jyx-07 wants to merge 1 commit into
…ngSessionBackedSessionRegistry
PublicKeyCredentialUserEntity did not implement AuthenticatedPrincipal, so SpringSessionBackedSessionRegistry fell through to toString() when extracting the principal name, causing session lookup to fail and both sid and auth_time claims to be omitted from the OIDC id_token.
Fixes spring-projectsgh-19202
Signed-off-by: jyx-07 <s25069@gsm.hs.kr>
Problem
After WebAuthn login, the OIDC `id_token` is missing both `sid` and `auth_time` claims when `SpringSessionBackedSessionRegistry` is used. Username/password login works correctly. Fixes #19202

Root Cause
`OAuth2AuthorizationCodeAuthenticationProvider.getSessionInformation()` passes `principal.getPrincipal()` (a `PublicKeyCredentialUserEntity`) to `SessionRegistry.getAllSessions()`. `SpringSessionBackedSessionRegistry` extracts the principal name internally by wrapping it in an `AbstractAuthenticationToken` and calling `getName()`. Since `PublicKeyCredentialUserEntity` did not implement `UserDetails`, `AuthenticatedPrincipal`, or `java.security.Principal`, `getName()` fell through to `toString()`, producing a garbage string. Spring Session then found no sessions under that key, so `SessionInformation` was never placed in the token context, and `JwtGenerator` skipped both claims. `SessionRegistryImpl` was unaffected because it uses object equality (`equals()`/`hashCode()`) for lookup.

Fix
Make `PublicKeyCredentialUserEntity` extend `AuthenticatedPrincipal`. The interface already declares `String getName()` returning the username, so no method changes are needed. This causes `AbstractAuthenticationToken.getName()` to hit the `instanceof AuthenticatedPrincipal` branch and return the correct username.
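To make the lookup mismatch concrete, here is an added, self-contained Java sketch that is not the PR's code and does not use Spring Security's real classes: it models the `getName()` fallback chain described above and runs the same principal against a name-keyed registry (the `SpringSessionBackedSessionRegistry` case) and an object-keyed one (the `SessionRegistryImpl` case), with a constructed session for "alice". The `AuthenticatedPrincipal` interface and the two entity classes are simplified stand-ins.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class SessionLookupDemo {
    // Local stand-in for Spring Security's AuthenticatedPrincipal; only getName() is modelled.
    interface AuthenticatedPrincipal { String getName(); }
    // Before the fix: the entity has a getName() but implements no interface that the
    // AbstractAuthenticationToken.getName() fallback chain recognises.
    static class UserEntityBefore {
        final String name;
        UserEntityBefore(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof UserEntityBefore u && u.name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }
    // After the fix: the same entity, now implementing AuthenticatedPrincipal.
    static class UserEntityAfter extends UserEntityBefore implements AuthenticatedPrincipal {
        UserEntityAfter(String name) { super(name); }
    }
    // Mirrors the fallback chain the PR describes (UserDetails omitted for brevity):
    // AuthenticatedPrincipal, then java.security.Principal, then toString().
    static String resolveName(Object principal) {
        if (principal instanceof AuthenticatedPrincipal ap) return ap.getName();
        if (principal instanceof Principal p) return p.getName();
        return principal == null ? "" : principal.toString();
    }

    public static void main(String[] args) {
        // Constructed registry state: one session for "alice", stored under her username at login.
        Map<String, List<String>> byName = new HashMap<>(); // name-keyed, like SpringSessionBackedSessionRegistry
        byName.put("alice", List.of("sess-1"));
        Object before = new UserEntityBefore("alice");
        Object after = new UserEntityAfter("alice");
        // Before: the key resolves to something like "SessionLookupDemo$UserEntityBefore@1b6d3586",
        // so no session is found and the sid/auth_time claims would be skipped.
        System.out.println(resolveName(before) + " -> " + byName.getOrDefault(resolveName(before), List.of()));
        // After: the key is "alice" and the session is found.
        System.out.println(resolveName(after) + " -> " + byName.getOrDefault(resolveName(after), List.of()));
        // An object-keyed registry (like SessionRegistryImpl) finds the session either way,
        // because lookup goes through equals()/hashCode() rather than the resolved name.
        Map<Object, List<String>> byPrincipal = new HashMap<>();
        byPrincipal.put(new UserEntityBefore("alice"), List.of("sess-1"));
        System.out.println("object-keyed -> " + byPrincipal.get(before) + " / " + byPrincipal.get(after));
    }
}
```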