Fix JwtClaimValidator wrong error code

Previously JwtClaimValidator returned the invalid_request
error on claim validation failure.

But validators have to return invalid_token errors on failure
according to:

https://datatracker.ietf.org/doc/html/rfc6750#section-3.1.

Closes gh-10337
This commit is contained in:
Jonas Erbe 2021-11-22 19:47:01 +01:00 committed by Josh Cummings
parent 5a47e17a0d
commit 606bf6b38d
3 changed files with 18 additions and 7 deletions

View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2020 the original author or authors.
* Copyright 2002-2021 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -49,7 +49,7 @@ public final class JwtClaimValidator<T> implements OAuth2TokenValidator<Jwt> {
Assert.notNull(test, "test can not be null");
this.claim = claim;
this.test = test;
this.error = new OAuth2Error(OAuth2ErrorCodes.INVALID_REQUEST,
this.error = new OAuth2Error(OAuth2ErrorCodes.INVALID_TOKEN,
"The " + this.claim + " claim is not valid",
"https://tools.ietf.org/html/rfc6750#section-3.1");
}

View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2020 the original author or authors.
* Copyright 2002-2021 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -15,7 +15,14 @@
*/
package org.springframework.security.oauth2.jwt;
import java.util.Collection;
import java.util.Objects;
import java.util.function.Predicate;
import org.junit.Test;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import java.util.function.Predicate;
@ -44,9 +51,10 @@ public class JwtClaimValidatorTests {
@Test
public void validateWhenClaimFailsTheTestThenReturnsFailure() {
Jwt jwt = jwt().claim(ISS, "http://abc").build();
assertThat(validator.validate(jwt).getErrors().isEmpty())
.isFalse();
Jwt jwt = TestJwts.jwt().claim(JwtClaimNames.ISS, "http://abc").build();
Collection<OAuth2Error> details = this.validator.validate(jwt).getErrors();
assertThat(this.validator.validate(jwt).getErrors().isEmpty()).isFalse();
assertThat(details).allMatch((error) -> Objects.equals(error.getErrorCode(), OAuth2ErrorCodes.INVALID_TOKEN));
}
@Test

View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2018 the original author or authors.
* Copyright 2002-2021 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -22,6 +22,7 @@ import java.time.ZoneId;
import java.util.Collection;
import java.util.Collections;
import java.util.Map;
import java.util.Objects;
import java.util.stream.Collectors;
import org.junit.Test;
@ -60,6 +61,7 @@ public class JwtTimestampValidatorTests {
Collection<String> messages = details.stream().map(OAuth2Error::getDescription).collect(Collectors.toList());
assertThat(messages).contains("Jwt expired at " + oneHourAgo);
assertThat(details).allMatch((error) -> Objects.equals(error.getErrorCode(), OAuth2ErrorCodes.INVALID_TOKEN));
}
@Test
@ -74,6 +76,7 @@ public class JwtTimestampValidatorTests {
Collection<String> messages = details.stream().map(OAuth2Error::getDescription).collect(Collectors.toList());
assertThat(messages).contains("Jwt used before " + oneHourFromNow);
assertThat(details).allMatch((error) -> Objects.equals(error.getErrorCode(), OAuth2ErrorCodes.INVALID_TOKEN));
}
@Test