  • A Question on OAuth2 Error Codes

    Hi folks,

    I'm verifying some integration tests for some REST services which make use of spring security oauth2 (just upgraded to v1.0.5 but our tests date back to at least 1.0.2). I'm a bit confused and could use a hint or two.

    While looking at HTTP responses for an invalid credentials test (bad username and password) on client_credentials grant type, I saw "error": "unauthorized" in the response body.

    I didn't think much about it until I had a look at the oauth2 spec. I do not see an error code of "unauthorized" in the oauth2 spec.

    After having a peek with my debugger, I see that oauth2's DefaultWebResponseExceptionTranslator is effectively setting the error code to "unauthorized" while translating a spring security InsufficientAuthenticationException (we are using http basic auth with client credentials).

    I'm wondering if this is expected and if so, is it compliant with the oauth2 spec?

    Much thanks in advance for any help,

    -Lee-

  • #2
    As far as I remember the spec steers clear of authentication as much as possible, with good reason because authentication is a separate concern and one that is covered elsewhere. So I'm not surprised if you can't find a specific error code in the spec corresponding to a client credentials authentication failure. If you can then I might have to consider making that behaviour optional, but in theory I would expect Spring Security to do the right thing here, and I'm surprised you hit the DefaultWebResponseExceptionTranslator at all.

    Comment


    • #3
      Thanks for the reply Dave,

      It could very well be that we are misconfiguring and/or misunderstanding.

      I'm guessing that I am probably confused about what aspects of the dialog are covered by the oauth2 spec. I'll reread the oauth2 RFCs:
      1) The OAuth 2.0 Authorization Framework
      2) The OAuth 2.0 Authorization Framework: Bearer Token Usage

      -Lee-

      Comment


      • #4
        I'm not claiming I understand, but under section 4.4. Client Credentials Grant, section 4.4.3. Access Token Response states:

        If the request failed client authentication or is invalid, the authorization server returns an error response as described in Section 5.2.

        And section 5.2. Error Response describes an invalid_client error like so:

        Client authentication failed (e.g., unknown client, no
        client authentication included, or unsupported
        authentication method). The authorization server MAY
        return an HTTP 401 (Unauthorized) status code to indicate
        which HTTP authentication schemes are supported. If the
        client attempted to authenticate via the "Authorization"
        request header field, the authorization server MUST
        respond with an HTTP 401 (Unauthorized) status code and
        include the "WWW-Authenticate" response header field
        matching the authentication scheme used by the client.

        Should I be getting back an invalid_client error when bad credentials are provided when requesting a token for the client credentials grant type?

        -Lee-

        Comment
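One way to pin down what section 5.2 asks for in the bad-credentials case is to encode the quoted clauses as a check and run it over the two response shapes under discussion. The code below is an added example, not code from the thread or from Spring Security OAuth; the two sample responses (the "unauthorized" body the poster reports, and an invalid_client body) are constructed, and the checker assumes the client authenticated with HTTP Basic in the Authorization header.

```python
# Added example, not Spring Security OAuth code; sample responses are constructed.
import json

# Error codes RFC 6749 section 5.2 allows in the "error" member.
RFC6749_ERRORS = {
    "invalid_request", "invalid_client", "invalid_grant",
    "unauthorized_client", "unsupported_grant_type", "invalid_scope",
}

def check_client_auth_failure(status, headers, body, used_auth_header=True):
    """Check a token endpoint response to a request that FAILED client
    authentication (the bad-credentials case above) against RFC 6749 5.2.
    Returns a list of findings; an empty list means it looks compliant.
    used_auth_header=True means the client sent HTTP Basic credentials in the
    Authorization header, which triggers the MUST clauses of section 5.2.
    """
    findings = []
    hdrs = {k.lower(): v for k, v in headers.items()}
    try:
        payload = json.loads(body)
    except ValueError:
        return ["body is not valid JSON (section 5.2 requires a JSON body)"]
    error = payload.get("error")
    if error is None:
        findings.append('missing required "error" member')
    elif error not in RFC6749_ERRORS:
        findings.append(f'"error": "{error}" is not a section 5.2 error code')
    elif error != "invalid_client":
        findings.append(f'client authentication failure should report "invalid_client", not "{error}"')
    if used_auth_header:
        if status != 401:
            findings.append(f"status {status}, but MUST be 401 when the Authorization header was used")
        www = hdrs.get("www-authenticate", "")
        if not www:
            findings.append("missing WWW-Authenticate header (MUST when the Authorization header was used)")
        elif not www.lower().startswith("basic"):
            findings.append("WWW-Authenticate scheme does not match the Basic scheme the client used")
    return findings

# Constructed sample: the shape of the body the original poster reports seeing.
OBSERVED = (401, {"WWW-Authenticate": 'Basic realm="oauth"'},
            '{"error": "unauthorized", "error_description": "Bad credentials"}')
# Constructed sample: what section 5.2 asks for after a failed Basic client auth.
COMPLIANT = (401, {"WWW-Authenticate": 'Basic realm="oauth"'},
             '{"error": "invalid_client"}')

if __name__ == "__main__":
    for name, resp in (("observed", OBSERVED), ("compliant", COMPLIANT)):
        print(name, check_client_auth_failure(*resp) or "OK")
```

Run against the observed shape, the only finding is the non-standard "error" value; the 401 and WWW-Authenticate clauses are satisfied, which is why HTTP Basic clients still cope with it.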


        • #5
          My reading of that is that it's just a recapitulation of the normal HTTP Basic Authentication protocol, in which case I'd expect clients to be happy with a 401 and a WWW-Authenticate header (which I think you get right?). If you want a JSON body as well I think that can be done, but Spring Security doesn't take care of it for you out of the box.

          Comment


          • #6
            Hey Dave,

            The way I read it, Section 5.2 is describing when the invalid_client error code should be returned in the response body. So, I'm thinking the spec is saying it should be in there for this case. But I don't know how closely oauth2 implementations typically follow the spec.

            -Lee-

            Comment


            • #7
              I take the point, and I may take a look, but I'm not sure it's a high priority for me to get this working as you want because clients can normally respond to the 401. Pull requests would be more than welcome though.

              Comment


              • #8
                Thanks Dave,

                I do appreciate you taking the time to respond.

                For me, it is not so much that my use case cares exactly about the response body. That said, security is really important to get right. In my case here my real issue was that I was scratching my head and going around in circles on:
                1) Have I misunderstood the spec?
                2) Is Spring oauth2 wrong here?
                3) Have I misconfigured something? If so, have I compromised security?

                -Lee-

                Comment
