spring-attic / spring-security-oauth

Support for adding OAuth1(a) and OAuth2 features (consumer and provider) for Spring web applications.
http://github.com/spring-projects/spring-security-oauth
Apache License 2.0

JWT tokens parsed/verified twice. #798

Open testark opened 8 years ago

testark commented 8 years ago

https://github.com/spring-projects/spring-security-oauth/blob/2.0.9.RELEASE/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/DefaultTokenServices.java#L229
https://github.com/spring-projects/spring-security-oauth/blob/2.0.9.RELEASE/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/DefaultTokenServices.java#L238

both trigger parsing/validation of a given JWT token, since

https://github.com/spring-projects/spring-security-oauth/blob/2.0.9.RELEASE/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/JwtTokenStore.java#L70

delegates to

https://github.com/spring-projects/spring-security-oauth/blob/2.0.9.RELEASE/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/JwtTokenStore.java#L74

which, of course, triggers parsing/validation. Is there anything that can be done to prevent this?
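The double verification described in this comment, and a request-scoped memo that avoids it, as an added example that is not part of the original issue or the project's code. It uses no Spring classes: `VerifyOnceDemo`, `RequestScopedDecoder`, the HS256 key and the token are all constructed for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;

public class VerifyOnceDemo {
    static final byte[] KEY = "constructed-demo-key".getBytes(StandardCharsets.UTF_8);
    static int verifications = 0; // number of signature checks performed

    static byte[] hmac(String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.US_ASCII));
    }

    // Stand-in for the token store's decode step: verify the signature, return the claims JSON.
    static String decode(String jwt) throws Exception {
        verifications++;
        String[] p = jwt.split("\\.");
        if (p.length != 3) throw new SecurityException("malformed token");
        byte[] sig = Base64.getUrlDecoder().decode(p[2]);
        if (!MessageDigest.isEqual(sig, hmac(p[0] + "." + p[1]))) // constant-time compare
            throw new SecurityException("bad signature");
        return new String(Base64.getUrlDecoder().decode(p[1]), StandardCharsets.UTF_8);
    }

    // One instance per request. Keyed on the exact token string and filled only
    // after verification succeeded, so a rejected token is never cached.
    static class RequestScopedDecoder {
        private final Map<String, String> verified = new HashMap<>();
        String decode(String jwt) throws Exception {
            String claims = verified.get(jwt);
            if (claims == null) { claims = VerifyOnceDemo.decode(jwt); verified.put(jwt, claims); }
            return claims;
        }
    }

    public static void main(String[] args) throws Exception {
        Base64.Encoder b64 = Base64.getUrlEncoder().withoutPadding();
        String body = b64.encodeToString("{\"alg\":\"HS256\"}".getBytes(StandardCharsets.UTF_8)) + "."
                + b64.encodeToString("{\"user_name\":\"alice\"}".getBytes(StandardCharsets.UTF_8));
        String jwt = body + "." + b64.encodeToString(hmac(body)); // constructed sample token
        decode(jwt); decode(jwt); // the two store lookups, each verifying on its own
        System.out.println("uncached verifications: " + verifications);
        verifications = 0;
        RequestScopedDecoder d = new RequestScopedDecoder();
        d.decode(jwt); d.decode(jwt); // same two lookups sharing one verified result
        System.out.println("request-scoped verifications: " + verifications);
    }
}
```

Keeping the memo scoped to a single request means a token that expires or is revoked between requests is still checked again the next time it is presented.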

testark commented 8 years ago

@dsyer could you or anyone else please have a look at this?

dsyer commented 8 years ago

Is it a big deal? If it is and you have a proposal on how to fix it, please send a pull request.