Open rwinch opened 6 years ago
For the given scenario where alg=none
, the error code should be invalid_token
instead of invalid_request
.
As per spec:
invalid_token The access token provided is expired, revoked, malformed, or invalid for other reasons. The resource SHOULD respond with the HTTP 401 (Unauthorized) status code. The client MAY request a new access token and retry the protected resource request.
JwtAuthenticationProvider
assumes invalid_request
for all cases where JwtDecoder.decode()
fails. This is not the case in all instances. The resulting JwtException
should be evaluated to determine the appropriate error_code
and error_description
to set.
Currently, Nimbus offers no effective way to evaluate the nature of the exception short of parsing the error message itself, which would likely prove brittle over time.
To that end, I've logged an issue with Nimbus to offer a couple of ideas on how their exceptions could be more distinguishable: https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/264/badjwtexception-contains-no
In the meantime, @rwinch suggested the idea of extending the process(PlainJWT)
method and throw our own exception. This will address this specific leak completely, though hopefully Nimbus can be enhanced to allow us to address other exception customization in the future.
@jgrandja, good points - #3 is related to your point, too, I believe
@jzheaux Yes #3 is related
Summary
Submitting an algorithm of none produces an error stating to "extend class to handle". The error message reveals too much developer information and is not well worded for a user. We should use an error message that states that an alg none is not supported. We should not discuss anything about extending a class.