From 606bf6b38d82c6740cc47de15f8ca883fd1b5401 Mon Sep 17 00:00:00 2001 From: Jonas Erbe Date: Mon, 22 Nov 2021 19:47:01 +0100 Subject: [PATCH] Fix JwtClaimValidator wrong error code Previously JwtClaimValidator returned the invalid_request error on claim validation failure. But validators have to return invalid_token errors on failure according to: https://datatracker.ietf.org/doc/html/rfc6750#section-3.1. Closes gh-10337 --- .../security/oauth2/jwt/JwtClaimValidator.java | 4 ++-- .../oauth2/jwt/JwtClaimValidatorTests.java | 16 ++++++++++++---- .../oauth2/jwt/JwtTimestampValidatorTests.java | 5 ++++- 3 files changed, 18 insertions(+), 7 deletions(-)
diff --git a/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtClaimValidator.java b/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtClaimValidator.java
index c9b4a91d5b..c07da4ce11 100644
--- a/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtClaimValidator.java
+++ b/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtClaimValidator.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2020 the original author or authors.
+ * Copyright 2002-2021 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -49,7 +49,7 @@ public final class JwtClaimValidator implements OAuth2TokenValidator {
 Assert.notNull(test, "test can not be null");
 this.claim = claim;
 this.test = test;
- this.error = new OAuth2Error(OAuth2ErrorCodes.INVALID_REQUEST,
+ this.error = new OAuth2Error(OAuth2ErrorCodes.INVALID_TOKEN,
 "The " + this.claim + " claim is not valid",
 "https://tools.ietf.org/html/rfc6750#section-3.1");
 }
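Review bot: The new `INVALID_TOKEN` argument carries no explanation of why a failed claim check is classified as a token problem rather than a request problem, so a later reader could revert it to `INVALID_REQUEST` as a "fix". Add a why-comment above the assignment, e.g. `// RFC 6750 section 3.1: a token whose claims fail validation is reported as invalid_token, not invalid_request`. The constructor's signature and the class Javadoc are outside the hunk; the class-level documentation should state this contract as well. Callers that inspect the error code of a failed validation (custom entry points or downstream tests) will presumably observe the new value, which is worth calling out in the release notes.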
diff --git a/oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/JwtClaimValidatorTests.java b/oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/JwtClaimValidatorTests.java
index 968af2a8ab..14ddffe7c8 100644
--- a/oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/JwtClaimValidatorTests.java
+++ b/oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/JwtClaimValidatorTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2020 the original author or authors.
+ * Copyright 2002-2021 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -15,7 +15,14 @@
 */
 package org.springframework.security.oauth2.jwt;
+import java.util.Collection;
+import java.util.Objects;
+import java.util.function.Predicate;
+
 import org.junit.Test;
+
+import org.springframework.security.oauth2.core.OAuth2Error;
+import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
 import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
 import java.util.function.Predicate;
@@ -44,9 +51,10 @@ public class JwtClaimValidatorTests {
 @Test
 public void validateWhenClaimFailsTheTestThenReturnsFailure() {
- Jwt jwt = jwt().claim(ISS, "http://abc").build();
- assertThat(validator.validate(jwt).getErrors().isEmpty())
- .isFalse();
+ Jwt jwt = TestJwts.jwt().claim(JwtClaimNames.ISS, "http://abc").build();
+ Collection details = this.validator.validate(jwt).getErrors();
+ assertThat(this.validator.validate(jwt).getErrors().isEmpty()).isFalse();
+ assertThat(details).allMatch((error) -> Objects.equals(error.getErrorCode(), OAuth2ErrorCodes.INVALID_TOKEN));
 }
 @Test
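Review bot: `java.util.function.Predicate` ends up imported twice after the import hunk: the newly added line near the top of the block and the pre-existing `import java.util.function.Predicate;` that survives as the hunk's last context line. Duplicate single-type imports compile, but the redundancy is presumably rejected by the project's checkstyle; remove the old line (`-import java.util.function.Predicate;`) unless a hunk outside this view already does so.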
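Review bot: `details` is assigned from `this.validator.validate(jwt).getErrors()`, yet the next line validates the token a second time and ignores `details` for the emptiness check; `assertThat(details).isNotEmpty();` keeps a single validation pass and also guards the following `allMatch`, which is vacuously true for an empty collection. The `allMatch((error) -> Objects.equals(...))` form also yields an opaque failure message; `assertThat(details).extracting(OAuth2Error::getErrorCode).containsOnly(OAuth2ErrorCodes.INVALID_TOKEN);` reports the offending codes on failure and makes the `Objects` import unnecessary. The same `allMatch` pattern is added twice in JwtTimestampValidatorTests in this patch; there the preceding `contains` assertions already guarantee `details` is non-empty, so only the readability point applies.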
diff --git a/oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/JwtTimestampValidatorTests.java b/oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/JwtTimestampValidatorTests.java
index ed4ffcae19..eb4028f704 100644
--- a/oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/JwtTimestampValidatorTests.java
+++ b/oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/JwtTimestampValidatorTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2021 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -22,6 +22,7 @@ import java.time.ZoneId;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.Map;
+import java.util.Objects;
 import java.util.stream.Collectors;
 import org.junit.Test;
@@ -60,6 +61,7 @@ public class JwtTimestampValidatorTests {
 Collection messages = details.stream().map(OAuth2Error::getDescription).collect(Collectors.toList());
 assertThat(messages).contains("Jwt expired at " + oneHourAgo);
+ assertThat(details).allMatch((error) -> Objects.equals(error.getErrorCode(), OAuth2ErrorCodes.INVALID_TOKEN));
 }
 @Test
@@ -74,6 +76,7 @@ public class JwtTimestampValidatorTests {
 Collection messages = details.stream().map(OAuth2Error::getDescription).collect(Collectors.toList());
 assertThat(messages).contains("Jwt used before " + oneHourFromNow);
+ assertThat(details).allMatch((error) -> Objects.equals(error.getErrorCode(), OAuth2ErrorCodes.INVALID_TOKEN));
 }
 @Test