Conditionally resolve bearer token from request parameters
Before this commit, the DefaultBearerTokenResolver unconditionally resolved the request parameters to check whether multiple tokens are present in the request and reject those requests as invalid. This commit changes this behaviour to resolve the request parameters only if parameter token is supported for the specific request according to spec (RFC 6750). Closes gh-10326
This commit is contained in:
committed by
Steve Riesenberg
parent
88c64b3b7b
commit
6db58cbf8a
@@ -360,7 +360,7 @@ public class OAuth2ResourceServerConfigurerTests {
|
||||
this.spring.register(JwkSetUriConfig.class).autowire();
|
||||
// engage csrf
|
||||
// @formatter:off
|
||||
this.mvc.perform(post("/").with(bearerToken("token").asParam()))
|
||||
this.mvc.perform(post("/").header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_FORM_URLENCODED_VALUE).with(bearerToken("token").asParam()))
|
||||
.andExpect(status().isForbidden())
|
||||
.andExpect(header().doesNotExist(HttpHeaders.WWW_AUTHENTICATE));
|
||||
// @formatter:on
|
||||
@@ -370,7 +370,7 @@ public class OAuth2ResourceServerConfigurerTests {
|
||||
public void postWhenCsrfDisabledWithBearerTokenAsFormParameterThenIgnoresToken() throws Exception {
|
||||
this.spring.register(CsrfDisabledConfig.class).autowire();
|
||||
// @formatter:off
|
||||
this.mvc.perform(post("/").with(bearerToken("token").asParam()))
|
||||
this.mvc.perform(post("/").header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_FORM_URLENCODED_VALUE).with(bearerToken("token").asParam()))
|
||||
.andExpect(status().isUnauthorized())
|
||||
.andExpect(header().string(HttpHeaders.WWW_AUTHENTICATE, "Bearer"));
|
||||
// @formatter:on
|
||||
@@ -536,7 +536,7 @@ public class OAuth2ResourceServerConfigurerTests {
|
||||
mockRestOperations(jwks("Default"));
|
||||
String token = this.token("ValidNoScopes");
|
||||
// @formatter:off
|
||||
this.mvc.perform(post("/authenticated").with(bearerToken(token)))
|
||||
this.mvc.perform(post("/authenticated").header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_FORM_URLENCODED_VALUE).with(bearerToken(token)))
|
||||
.andExpect(status().isOk())
|
||||
.andExpect(content().string("test-subject"));
|
||||
// @formatter:on
|
||||
@@ -558,7 +558,7 @@ public class OAuth2ResourceServerConfigurerTests {
|
||||
mockRestOperations(jwks("Default"));
|
||||
String token = this.token("Expired");
|
||||
// @formatter:off
|
||||
this.mvc.perform(post("/authenticated").with(bearerToken(token)))
|
||||
this.mvc.perform(post("/authenticated").header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_FORM_URLENCODED_VALUE).with(bearerToken(token)))
|
||||
.andExpect(status().isUnauthorized())
|
||||
.andExpect(invalidTokenHeader("An error occurred while attempting to decode the Jwt"));
|
||||
// @formatter:on
|
||||
@@ -626,7 +626,7 @@ public class OAuth2ResourceServerConfigurerTests {
|
||||
this.mvc.perform(get("/authenticated").with(bearerToken(JWT_TOKEN)))
|
||||
.andExpect(status().isOk())
|
||||
.andExpect(content().string(JWT_SUBJECT));
|
||||
this.mvc.perform(post("/authenticated").param("access_token", JWT_TOKEN))
|
||||
this.mvc.perform(post("/authenticated").header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_FORM_URLENCODED_VALUE).param("access_token", JWT_TOKEN))
|
||||
.andExpect(status().isOk())
|
||||
.andExpect(content().string(JWT_SUBJECT));
|
||||
// @formatter:on
|
||||
@@ -659,6 +659,7 @@ public class OAuth2ResourceServerConfigurerTests {
|
||||
given(decoder.decode(anyString())).willReturn(JWT);
|
||||
// @formatter:off
|
||||
MockHttpServletRequestBuilder request = post("/authenticated")
|
||||
.header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_FORM_URLENCODED_VALUE)
|
||||
.param("access_token", JWT_TOKEN)
|
||||
.with(bearerToken(JWT_TOKEN))
|
||||
.with(csrf());
|
||||
|
||||
@@ -261,6 +261,7 @@ public class OAuth2ResourceServerBeanDefinitionParserTests {
|
||||
public void postWhenBearerTokenAsFormParameterThenIgnoresToken() throws Exception {
|
||||
this.spring.configLocations(xml("JwkSetUri")).autowire();
|
||||
this.mvc.perform(post("/") // engage csrf
|
||||
.header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_FORM_URLENCODED_VALUE)
|
||||
.param("access_token", "token")).andExpect(status().isForbidden())
|
||||
.andExpect(header().string(HttpHeaders.WWW_AUTHENTICATE, "Bearer")); // different
|
||||
// from
|
||||
@@ -451,7 +452,7 @@ public class OAuth2ResourceServerBeanDefinitionParserTests {
|
||||
// @formatter:off
|
||||
this.mvc.perform(get("/authenticated").header("Authorization", "Bearer token"))
|
||||
.andExpect(status().isNotFound());
|
||||
this.mvc.perform(post("/authenticated").param("access_token", "token"))
|
||||
this.mvc.perform(post("/authenticated").header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_FORM_URLENCODED_VALUE).param("access_token", "token"))
|
||||
.andExpect(status().isNotFound());
|
||||
// @formatter:on
|
||||
}
|
||||
@@ -477,6 +478,7 @@ public class OAuth2ResourceServerBeanDefinitionParserTests {
|
||||
this.spring.configLocations(xml("MockJwtDecoder"), xml("AllowBearerTokenInBody")).autowire();
|
||||
// @formatter:off
|
||||
MockHttpServletRequestBuilder request = post("/authenticated")
|
||||
.header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_FORM_URLENCODED_VALUE)
|
||||
.param("access_token", "token")
|
||||
.header("Authorization", "Bearer token")
|
||||
.with(csrf());
|
||||
|
||||
Reference in New Issue
Block a user