spring-projects / spring-security

Spring Security
http://spring.io/projects/spring-security
Apache License 2.0

Improvement: Log RemoteKeySourceException on higher log level instead of swallowing it silently #6764

Open catchin opened 5 years ago

catchin commented 5 years ago

Summary

Currently, in spring-security-oauth2-resource-server / spring-security-oauth2-jose, when an exception occurs while retrieving the JWK set via the Nimbus library, it is silently swallowed.

Actual Behavior

Include OAuth2 resource server support according to the documentation and specify spring.security.oauth2.resourceserver.jwt.jwk-set-uri to be some invalid URL. When a client tries to authenticate, no log message is logged on INFO or higher level, only on DEBUG level, but without the root cause, a com.nimbusds.jose.RemoteKeySourceException.

Expected Behavior

As retrieving the jwk-set is not a client error, I would expect it to be logged on WARN log level.

Configuration

Spring Boot with spring-security-oauth2-resource-server & spring-security-oauth2-jose dependencies.

Version

Sample

https://github.com/catchin/spring-security-oauth2-resource-server-example (see test)

Ideas

I'm not sure where to log this exception. Currently, I have an EntryPoint where I check if the RemoteKeySourceException appears somewhere in the OAuth2AuthenticationException causes. But this is not general purpose I think.

lathspell commented 4 years ago

If I understand correctly, the JwtAuthenticationProvider.authenticate() does it all correctly as it distinguishes between throwing an InvalidBearerTokenException for client errors and AuthenticationServiceException for infrastructure problems.

It's the BearerTokenAuthenticationFilter.doFilterInternal() that catches only the superclass AuthenticationException and logs it with DEBUG level. Maybe this would be a good point to catch AuthenticationServiceException first and log them with WARN level.
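One way to get a WARN-level log line today without patching the filter, combining the entry-point workaround from the issue description with the AuthenticationServiceException distinction noted in the comment above. This is an added example, not code from the issue or from the Spring Security project; the class name JwkFailureLoggingEntryPoint is an assumption, and it assumes a Spring Security 5.x servlet stack (javax.servlet) with SLF4J on the classpath.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.nimbusds.jose.RemoteKeySourceException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationEntryPoint;
import org.springframework.security.web.AuthenticationEntryPoint;

/**
 * Hypothetical entry point (not part of Spring Security): logs JWK-set retrieval
 * failures at WARN, then delegates the 401 response to the standard
 * BearerTokenAuthenticationEntryPoint so client-facing behaviour is unchanged.
 */
public class JwkFailureLoggingEntryPoint implements AuthenticationEntryPoint {

    private static final Logger log = LoggerFactory.getLogger(JwkFailureLoggingEntryPoint.class);
    private final AuthenticationEntryPoint delegate = new BearerTokenAuthenticationEntryPoint();

    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException authException) throws IOException, ServletException {
        if (isInfrastructureFailure(authException)) {
            // Not a client error: make a broken jwk-set-uri visible to operators.
            log.warn("JWK set could not be retrieved while validating a bearer token for {}",
                    request.getRequestURI(), authException);
        }
        delegate.commence(request, response, authException);
    }

    /**
     * True if the exception is an AuthenticationServiceException or has a
     * RemoteKeySourceException anywhere in its cause chain.
     */
    static boolean isInfrastructureFailure(Throwable t) {
        Throwable current = t;
        // Depth bound guards against cyclic cause chains.
        for (int depth = 0; current != null && depth < 16; depth++) {
            if (current instanceof AuthenticationServiceException
                    || current instanceof RemoteKeySourceException) {
                return true;
            }
            current = current.getCause();
        }
        return false;
    }
}
```

Register it on the resource server DSL with http.oauth2ResourceServer(oauth2 -> oauth2.authenticationEntryPoint(new JwkFailureLoggingEntryPoint())); InvalidBearerTokenException (a genuine client error) still passes through with no WARN entry.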