Conditionally resolve bearer token from request parameters

Before this commit, the DefaultBearerTokenResolver unconditionally
resolved the request parameters to check whether multiple tokens
are present in the request and reject those requests as invalid.

This commit changes this behaviour to resolve the request parameters
only if parameter token is supported for the specific request
according to spec (RFC 6750).

Closes gh-10326
This commit is contained in:
Philipp Neuschwander
2021-10-04 18:43:17 +02:00
committed by Steve Riesenberg
parent 88c64b3b7b
commit 6db58cbf8a
4 changed files with 52 additions and 16 deletions

View File

@@ -360,7 +360,7 @@ public class OAuth2ResourceServerConfigurerTests {
this.spring.register(JwkSetUriConfig.class).autowire();
// engage csrf
// @formatter:off
this.mvc.perform(post("/").with(bearerToken("token").asParam()))
this.mvc.perform(post("/").header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_FORM_URLENCODED_VALUE).with(bearerToken("token").asParam()))
.andExpect(status().isForbidden())
.andExpect(header().doesNotExist(HttpHeaders.WWW_AUTHENTICATE));
// @formatter:on
@@ -370,7 +370,7 @@ public class OAuth2ResourceServerConfigurerTests {
public void postWhenCsrfDisabledWithBearerTokenAsFormParameterThenIgnoresToken() throws Exception {
this.spring.register(CsrfDisabledConfig.class).autowire();
// @formatter:off
this.mvc.perform(post("/").with(bearerToken("token").asParam()))
this.mvc.perform(post("/").header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_FORM_URLENCODED_VALUE).with(bearerToken("token").asParam()))
.andExpect(status().isUnauthorized())
.andExpect(header().string(HttpHeaders.WWW_AUTHENTICATE, "Bearer"));
// @formatter:on
@@ -536,7 +536,7 @@ public class OAuth2ResourceServerConfigurerTests {
mockRestOperations(jwks("Default"));
String token = this.token("ValidNoScopes");
// @formatter:off
this.mvc.perform(post("/authenticated").with(bearerToken(token)))
this.mvc.perform(post("/authenticated").header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_FORM_URLENCODED_VALUE).with(bearerToken(token)))
.andExpect(status().isOk())
.andExpect(content().string("test-subject"));
// @formatter:on
@@ -558,7 +558,7 @@ public class OAuth2ResourceServerConfigurerTests {
mockRestOperations(jwks("Default"));
String token = this.token("Expired");
// @formatter:off
this.mvc.perform(post("/authenticated").with(bearerToken(token)))
this.mvc.perform(post("/authenticated").header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_FORM_URLENCODED_VALUE).with(bearerToken(token)))
.andExpect(status().isUnauthorized())
.andExpect(invalidTokenHeader("An error occurred while attempting to decode the Jwt"));
// @formatter:on
@@ -626,7 +626,7 @@ public class OAuth2ResourceServerConfigurerTests {
this.mvc.perform(get("/authenticated").with(bearerToken(JWT_TOKEN)))
.andExpect(status().isOk())
.andExpect(content().string(JWT_SUBJECT));
this.mvc.perform(post("/authenticated").param("access_token", JWT_TOKEN))
this.mvc.perform(post("/authenticated").header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_FORM_URLENCODED_VALUE).param("access_token", JWT_TOKEN))
.andExpect(status().isOk())
.andExpect(content().string(JWT_SUBJECT));
// @formatter:on
@@ -659,6 +659,7 @@ public class OAuth2ResourceServerConfigurerTests {
given(decoder.decode(anyString())).willReturn(JWT);
// @formatter:off
MockHttpServletRequestBuilder request = post("/authenticated")
.header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_FORM_URLENCODED_VALUE)
.param("access_token", JWT_TOKEN)
.with(bearerToken(JWT_TOKEN))
.with(csrf());

View File

@@ -261,6 +261,7 @@ public class OAuth2ResourceServerBeanDefinitionParserTests {
public void postWhenBearerTokenAsFormParameterThenIgnoresToken() throws Exception {
this.spring.configLocations(xml("JwkSetUri")).autowire();
this.mvc.perform(post("/") // engage csrf
.header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_FORM_URLENCODED_VALUE)
.param("access_token", "token")).andExpect(status().isForbidden())
.andExpect(header().string(HttpHeaders.WWW_AUTHENTICATE, "Bearer")); // different
// from
@@ -451,7 +452,7 @@ public class OAuth2ResourceServerBeanDefinitionParserTests {
// @formatter:off
this.mvc.perform(get("/authenticated").header("Authorization", "Bearer token"))
.andExpect(status().isNotFound());
this.mvc.perform(post("/authenticated").param("access_token", "token"))
this.mvc.perform(post("/authenticated").header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_FORM_URLENCODED_VALUE).param("access_token", "token"))
.andExpect(status().isNotFound());
// @formatter:on
}
@@ -477,6 +478,7 @@ public class OAuth2ResourceServerBeanDefinitionParserTests {
this.spring.configLocations(xml("MockJwtDecoder"), xml("AllowBearerTokenInBody")).autowire();
// @formatter:off
MockHttpServletRequestBuilder request = post("/authenticated")
.header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_FORM_URLENCODED_VALUE)
.param("access_token", "token")
.header("Authorization", "Bearer token")
.with(csrf());