Describe the bug
With spring-security-oauth2-jose-7.0.5 it is possible to have a `loa` claim with the value `null` in a given `jwt`. For machine-to-machine communication it makes no sense to set the `loa`, as no real user is present.
Implementation with spring-security-oauth2-jose-7.0.5:

```java
@Override
public OAuth2TokenValidatorResult validate(Jwt token) {
    Assert.notNull(token, "token cannot be null");
    T claimValue = token.getClaim(this.claim);
    // The predicate is consulted even when the claim is absent or null.
    if (this.test.test(claimValue)) {
        return OAuth2TokenValidatorResult.success();
    }
    this.logger.debug(this.error.getDescription());
    return OAuth2TokenValidatorResult.failure(this.error);
}
```
A `loa` with a `null` value is forwarded to the configured claim validator, e.g. something like:

```java
@Bean
JwtClaimValidator<String> loaClaimValidator() {
    // Accept the token when no loa is present (machine-to-machine case).
    return new JwtClaimValidator<>("loa", new Predicate<String>() {
        @Override
        public boolean test(final String loaClaimValue) {
            return loaClaimValue == null;
        }
    });
}
```

...configured within the `WebSecurityConfig`.
Implementation with spring-security-oauth2-jose-7.1.0:

```java
@Override
public OAuth2TokenValidatorResult validate(Jwt token) {
    Assert.notNull(token, "token cannot be null");
    T claimValue = token.getClaim(this.claim);
    // The predicate is only consulted when the claim is non-null.
    if (claimValue != null) {
        if (this.test.test(claimValue)) {
            return OAuth2TokenValidatorResult.success();
        }
    }
    this.logger.debug(this.error.getDescription());
    return OAuth2TokenValidatorResult.failure(this.error);
}
```

A `loa` with the value `null` now always returns an error; the custom validator is ignored.
To Reproduce
- Create a `jwt` without a value for `loa`.
- Perform a request against an endpoint that validates the `jwt`.
- The custom provided `JwtClaimValidator` is NOT called. `OAuth2TokenValidatorResult.failure(this.error)` is returned.
Expected behavior
- Create a `jwt` without a value for `loa`.
- Perform a request against an endpoint that validates the `jwt`.
- The custom provided `JwtClaimValidator` is called. `OAuth2TokenValidatorResult.success()` is returned if the custom validator returns `true`.
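Since `JwtClaimValidator` in 7.1.0 never hands a missing or `null` claim to the predicate, the "no `loa` means machine-to-machine" policy can be stated in a plain `OAuth2TokenValidator<Jwt>` instead. The following is an added example, not code from the report or from Spring Security; the allowed `loa` values and the JWK set URI are placeholders.

```java
import java.util.Set;
import org.springframework.context.annotation.Bean;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

// Accepts a token with no loa (or loa = null) as machine-to-machine, and
// requires an allowed value whenever loa is present. The absent-claim decision
// is made here explicitly, so it does not depend on JwtClaimValidator's behaviour.
public final class LoaClaimValidator implements OAuth2TokenValidator<Jwt> {

    private static final String CLAIM = "loa";
    private final Set<String> allowed; // hypothetical allowed loa values
    private final OAuth2Error error = new OAuth2Error("invalid_token",
            "The loa claim is present but does not have an accepted value", null);

    public LoaClaimValidator(Set<String> allowed) {
        this.allowed = Set.copyOf(allowed);
    }

    @Override
    public OAuth2TokenValidatorResult validate(Jwt token) {
        // getClaim() returns null both when the key is missing and when it is null.
        Object raw = token.getClaim(CLAIM);
        if (raw == null) {
            return OAuth2TokenValidatorResult.success();
        }
        // A present loa must be a string from the allowed set; anything else fails.
        if (raw instanceof String loa && allowed.contains(loa)) {
            return OAuth2TokenValidatorResult.success();
        }
        return OAuth2TokenValidatorResult.failure(error);
    }

    // Wiring: run the default timestamp checks first, then the loa policy.
    @Bean
    JwtDecoder jwtDecoder() {
        NimbusJwtDecoder decoder = NimbusJwtDecoder
                .withJwkSetUri("https://issuer.example/.well-known/jwks.json") // placeholder
                .build();
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
                JwtValidators.createDefault(), new LoaClaimValidator(Set.of("2", "3"))));
        return decoder;
    }
}
```

Keep the `JwtValidators.createDefault()` delegate in place; replacing `setJwtValidator` with only the custom check would drop the built-in expiry validation.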