Fixed misleading OAuth2 error messages

Error messages sent by BearerTokenAccessDeniedHandler included
information about the scopes of the rejected token instead of
the scopes required by the resource.
* Removal of token scopes from error_description attribute.
* Removal of scope attribute from WWW-Authenticate response header.

Fixes gh-7089
This commit is contained in:
Édouard Hue
2019-07-10 21:48:18 +02:00
committed by Josh Cummings
parent b153d92b23
commit e8dd1325fd
5 changed files with 39 additions and 346 deletions

View File

@@ -108,7 +108,6 @@ import org.springframework.test.web.servlet.ResultMatcher;
import org.springframework.test.web.servlet.request.RequestPostProcessor;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.util.StringUtils;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
@@ -397,7 +396,7 @@ public class OAuth2ResourceServerConfigurerTests {
this.mvc.perform(get("/requires-read-scope")
.with(bearerToken(token)))
.andExpect(status().isForbidden())
.andExpect(insufficientScopeHeader(""));
.andExpect(insufficientScopeHeader());
}
@Test
@@ -411,7 +410,7 @@ public class OAuth2ResourceServerConfigurerTests {
this.mvc.perform(get("/requires-read-scope")
.with(bearerToken(token)))
.andExpect(status().isForbidden())
.andExpect(insufficientScopeHeader("message:write"));
.andExpect(insufficientScopeHeader());
}
@Test
@@ -497,7 +496,7 @@ public class OAuth2ResourceServerConfigurerTests {
this.mvc.perform(get("/ms-requires-read-scope")
.with(bearerToken(token)))
.andExpect(status().isForbidden())
.andExpect(insufficientScopeHeader(""));
.andExpect(insufficientScopeHeader());
}
@@ -512,7 +511,7 @@ public class OAuth2ResourceServerConfigurerTests {
this.mvc.perform(get("/ms-requires-read-scope")
.with(bearerToken(token)))
.andExpect(status().isForbidden())
.andExpect(insufficientScopeHeader("message:write"));
.andExpect(insufficientScopeHeader());
}
@Test
@@ -526,7 +525,7 @@ public class OAuth2ResourceServerConfigurerTests {
this.mvc.perform(get("/ms-deny")
.with(bearerToken(token)))
.andExpect(status().isForbidden())
.andExpect(insufficientScopeHeader("message:read"));
.andExpect(insufficientScopeHeader());
}
// -- Resource Server should not engage csrf
@@ -2230,12 +2229,11 @@ public class OAuth2ResourceServerConfigurerTests {
);
}
private static ResultMatcher insufficientScopeHeader(String scope) {
private static ResultMatcher insufficientScopeHeader() {
return header().string(HttpHeaders.WWW_AUTHENTICATE, "Bearer " +
"error=\"insufficient_scope\"" +
", error_description=\"The token provided has insufficient scope [" + scope + "] for this request\"" +
", error_uri=\"https://tools.ietf.org/html/rfc6750#section-3.1\"" +
(StringUtils.hasText(scope) ? ", scope=\"" + scope + "\"" : ""));
", error_description=\"The request requires higher privileges than provided by the access token.\"" +
", error_uri=\"https://tools.ietf.org/html/rfc6750#section-3.1\"");
}
private void mockWebServer(String response) {