Fixed misleading OAuth2 error messages
Error messages sent by BearerTokenAccessDeniedHandler included information about the scopes of the rejected token instead of the scopes required by the resource. * Removal of token scopes from error_description attribute. * Removal of scope attribute from WWW-Authenticate response header. Fixes gh-7089
This commit is contained in:
committed by
Josh Cummings
parent
b153d92b23
commit
e8dd1325fd
@@ -108,7 +108,6 @@ import org.springframework.test.web.servlet.ResultMatcher;
|
||||
import org.springframework.test.web.servlet.request.RequestPostProcessor;
|
||||
import org.springframework.util.LinkedMultiValueMap;
|
||||
import org.springframework.util.MultiValueMap;
|
||||
import org.springframework.util.StringUtils;
|
||||
import org.springframework.web.bind.annotation.GetMapping;
|
||||
import org.springframework.web.bind.annotation.PostMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
@@ -397,7 +396,7 @@ public class OAuth2ResourceServerConfigurerTests {
|
||||
this.mvc.perform(get("/requires-read-scope")
|
||||
.with(bearerToken(token)))
|
||||
.andExpect(status().isForbidden())
|
||||
.andExpect(insufficientScopeHeader(""));
|
||||
.andExpect(insufficientScopeHeader());
|
||||
}
|
||||
|
||||
@Test
|
||||
@@ -411,7 +410,7 @@ public class OAuth2ResourceServerConfigurerTests {
|
||||
this.mvc.perform(get("/requires-read-scope")
|
||||
.with(bearerToken(token)))
|
||||
.andExpect(status().isForbidden())
|
||||
.andExpect(insufficientScopeHeader("message:write"));
|
||||
.andExpect(insufficientScopeHeader());
|
||||
}
|
||||
|
||||
@Test
|
||||
@@ -497,7 +496,7 @@ public class OAuth2ResourceServerConfigurerTests {
|
||||
this.mvc.perform(get("/ms-requires-read-scope")
|
||||
.with(bearerToken(token)))
|
||||
.andExpect(status().isForbidden())
|
||||
.andExpect(insufficientScopeHeader(""));
|
||||
.andExpect(insufficientScopeHeader());
|
||||
|
||||
}
|
||||
|
||||
@@ -512,7 +511,7 @@ public class OAuth2ResourceServerConfigurerTests {
|
||||
this.mvc.perform(get("/ms-requires-read-scope")
|
||||
.with(bearerToken(token)))
|
||||
.andExpect(status().isForbidden())
|
||||
.andExpect(insufficientScopeHeader("message:write"));
|
||||
.andExpect(insufficientScopeHeader());
|
||||
}
|
||||
|
||||
@Test
|
||||
@@ -526,7 +525,7 @@ public class OAuth2ResourceServerConfigurerTests {
|
||||
this.mvc.perform(get("/ms-deny")
|
||||
.with(bearerToken(token)))
|
||||
.andExpect(status().isForbidden())
|
||||
.andExpect(insufficientScopeHeader("message:read"));
|
||||
.andExpect(insufficientScopeHeader());
|
||||
}
|
||||
|
||||
// -- Resource Server should not engage csrf
|
||||
@@ -2230,12 +2229,11 @@ public class OAuth2ResourceServerConfigurerTests {
|
||||
);
|
||||
}
|
||||
|
||||
private static ResultMatcher insufficientScopeHeader(String scope) {
|
||||
private static ResultMatcher insufficientScopeHeader() {
|
||||
return header().string(HttpHeaders.WWW_AUTHENTICATE, "Bearer " +
|
||||
"error=\"insufficient_scope\"" +
|
||||
", error_description=\"The token provided has insufficient scope [" + scope + "] for this request\"" +
|
||||
", error_uri=\"https://tools.ietf.org/html/rfc6750#section-3.1\"" +
|
||||
(StringUtils.hasText(scope) ? ", scope=\"" + scope + "\"" : ""));
|
||||
", error_description=\"The request requires higher privileges than provided by the access token.\"" +
|
||||
", error_uri=\"https://tools.ietf.org/html/rfc6750#section-3.1\"");
|
||||
}
|
||||
|
||||
private void mockWebServer(String response) {
|
||||
|
||||
Reference in New Issue
Block a user