
wrong error for when using a bad client_secret

#1
Hello,

I believe there is a minor bug with the current snapshot version; here is the scenario:

Request an access token using the client_credentials grant_type, using an invalid client secret.
The expected result should be HTTP 401, and the error code should be "invalid_client"; instead I get
HTTP 401 (which is correct) but the error code is "unauthorized". This behavior seems to have been introduced when the DefaultWebResponseExceptionTranslator refactor was made.

Here is what happens "internally" in case it helps:
AbstractUserDetailsAuthenticationProvider->authenticate->additionalAuthenticationChecks -> throws BadCredentialsException, which is not an OAuth2Exception, but it is an AuthenticationException, which gets mapped by the WebResponseExceptionTranslator to "unauthorized".

Should I file a bug for this?

Thanks,

Paulo

#2
Yes, please. I think you are fighting with Geerd (http://forum.springsource.org/showth...010#post409010) for the right to deal with that exception. I merged his pull request because it didn't fail any integration tests. Can you come up with a test and a fix that prevents the OAuth2Exception from being thrown too early in the chain?


#3
Actually, scratch that last comment. If you are trying to get a token with client_credentials you are not hitting a protected resource. It should work as you expect, so raise a JIRA ticket (and a pull request if you have a proposal for fixing it). An integration test would help (in fact I thought there was one).


#4
Hi, I will file the bug.
Yes, I can come up with the test; it will be after my work hours, so at night PST.

Thank you,
Paulo


#5
I added an integration test which passes, so it will be interesting to see what the difference is in your scenario.


#6
Something Paulo didn't mention was that this works fine if the client credentials are passed in the body of the token request, but fails (as described) if the client credentials are passed in the Authorization header.

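The mapping discussed in #1 and #6 can be made explicit in a custom translator. The following is an added example, not code from the thread or from the Spring Security OAuth project: a hypothetical ClientCredentialsExceptionTranslator that maps the BadCredentialsException raised while authenticating the client (the Authorization-header path) to the RFC 6749 "invalid_client" error, and delegates everything else to DefaultWebResponseExceptionTranslator. It assumes the 1.0-era, non-generic WebResponseExceptionTranslator interface named in the thread; the second check in main() relies on the default behaviour the thread describes (AuthenticationException mapped to "unauthorized").

```java
// Added example; not part of the thread or of Spring Security OAuth.
// Assumes the non-generic WebResponseExceptionTranslator API of the 1.0 line.
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.oauth2.common.exceptions.InvalidClientException;
import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
import org.springframework.security.oauth2.provider.error.DefaultWebResponseExceptionTranslator;
import org.springframework.security.oauth2.provider.error.WebResponseExceptionTranslator;

/**
 * Hypothetical translator: a BadCredentialsException thrown while the token
 * endpoint authenticates the client (wrong client_secret in the Authorization
 * header) becomes HTTP 401 with error code "invalid_client". Any other
 * exception keeps the default mapping.
 */
public class ClientCredentialsExceptionTranslator implements WebResponseExceptionTranslator {

    private final WebResponseExceptionTranslator delegate = new DefaultWebResponseExceptionTranslator();

    public ResponseEntity<OAuth2Exception> translate(Exception e) throws Exception {
        if (e instanceof BadCredentialsException) {
            // InvalidClientException carries HTTP 401 and the "invalid_client" error code.
            OAuth2Exception oauth = new InvalidClientException("Bad client credentials");
            HttpHeaders headers = new HttpHeaders();
            // RFC 6749 section 5.2: error responses from the token endpoint must not be cached.
            headers.set("Cache-Control", "no-store");
            headers.set("Pragma", "no-cache");
            // The client used HTTP Basic, so the 401 carries a matching challenge.
            headers.set("WWW-Authenticate", "Basic realm=\"oauth\"");
            return new ResponseEntity<OAuth2Exception>(oauth, headers,
                    HttpStatus.valueOf(oauth.getHttpErrorCode()));
        }
        return delegate.translate(e);
    }

    // Self-check that exercises the mapping without a running authorization server.
    public static void main(String[] args) throws Exception {
        WebResponseExceptionTranslator translator = new ClientCredentialsExceptionTranslator();

        // Wrong client_secret: expect 401 invalid_client.
        ResponseEntity<OAuth2Exception> bad =
                translator.translate(new BadCredentialsException("Bad credentials"));
        if (bad.getStatusCode() != HttpStatus.UNAUTHORIZED
                || !"invalid_client".equals(bad.getBody().getOAuth2ErrorCode())) {
            throw new AssertionError("expected 401 invalid_client, got "
                    + bad.getStatusCode() + " " + bad.getBody().getOAuth2ErrorCode());
        }

        // Any other AuthenticationException still takes the default path ("unauthorized").
        ResponseEntity<OAuth2Exception> other =
                translator.translate(new InsufficientAuthenticationException("no credentials"));
        if (other.getStatusCode() != HttpStatus.UNAUTHORIZED
                || !"unauthorized".equals(other.getBody().getOAuth2ErrorCode())) {
            throw new AssertionError("expected 401 unauthorized, got "
                    + other.getStatusCode() + " " + other.getBody().getOAuth2ErrorCode());
        }
        System.out.println("translator mapping OK");
    }
}
```

The translator is wired in wherever the token endpoint's exception translator is configured; the class and realm name are placeholders chosen for this example.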


#7
Could you please let me know the test name (class name and test name), so that I can make the necessary adjustments?

Yes, what Nick said is likely the difference.

Paulo


#8
Look at sparklr2: org.springframework.security.oauth2.provider.TestClientCredentialsProvider.testInvalidCredentials()


#9
Cool, I will use the test, make any necessary adjustments and let you know the results as soon as I get out of some meetings (ETA 3 hours).
Thanks,
Paulo