Closed santhosh-kumar3 closed 4 years ago
@vpavic can you confirm whether or not it was intentional to leave the `=` signs out of the capture?

It appears that `=` is part of the definition:

```
b64token    = 1*( ALPHA / DIGIT /
                  "-" / "." / "_" / "~" / "+" / "/" ) *"="
credentials = "Bearer" 1*SP b64token
```
Sorry for the late follow-up - I don't recall any specific intent around that.
**Describe the bug**
DefaultBearerTokenResolver.resolve is returning the bearer token while ignoring the padding indicators (`=`). An example of a bearer token obtained from the auth server is `A66dXefVMHSGWBrUA5Iw=`. Due to this, the auth server token validation request is failing with InvalidTokenException (as it's not able to load the resolved token (without the `=` char) from its database).

**To Reproduce**
Obtain an opaque token from the auth server endpoint `/oauth/token` and supply this token to a resource server that has been configured with the below beans, which resolve the bearer token and validate it with the auth server.
Resource server bean configuration:
```java
@Bean
AuthenticationProvider authProvider() {
    // endpoint and client credentials are placeholders for the reporter's own values
    var introspector = new NimbusOpaqueTokenIntrospector(
            "auth-server-check-token-endpoint", "client-id", "client-secret");
    return new OpaqueTokenAuthenticationProvider(introspector);
}
```
Resource server version info: org.springframework.security:spring-security-oauth2-resource-server:5.2.2.RELEASE
Auth server version info: org.springframework.security.oauth:spring-security-oauth2:2.4.1.RELEASE
**Expected behavior**
DefaultBearerTokenResolver.resolve() should return the same token (that's been supplied in the header) after validating it.
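To make the padding problem discussed above concrete (the `b64token` grammar quoted in the comment and the truncated token in the report), here is an added example that is not part of the issue or of Spring Security: two header patterns, one with `*"="` outside the capture group (an assumed reconstruction of the behaviour described, not Spring's actual source) and one that captures the whole RFC 6750 `b64token`, run against the token value from the report.

```python
import re

# Assumed reconstruction of a resolver whose capture group stops before the
# padding: the "=" characters are matched but not returned with the token.
PADDING_OUTSIDE_CAPTURE = re.compile(r"^Bearer +(?P<token>[a-zA-Z0-9\-._~+/]+)=*$")

# RFC 6750: b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
# and credentials = "Bearer" 1*SP b64token. Padding sits inside the capture,
# so the token is returned exactly as presented in the header.
RFC6750_B64TOKEN = re.compile(r"^Bearer +(?P<token>[a-zA-Z0-9\-._~+/]+=*)$")


def resolve(header_value, pattern=RFC6750_B64TOKEN):
    """Return the bearer token from an Authorization header value, or None
    when the value is absent or does not match the credentials grammar."""
    if header_value is None:
        return None
    match = pattern.match(header_value)
    return match.group("token") if match else None


# Constructed sample header carrying the token quoted in the bug report.
HEADER = "Bearer A66dXefVMHSGWBrUA5Iw="


def compare():
    """Resolve the sample header with both patterns; only the RFC 6750
    pattern round-trips the token the auth server issued."""
    return resolve(HEADER, PADDING_OUTSIDE_CAPTURE), resolve(HEADER, RFC6750_B64TOKEN)


if __name__ == "__main__":
    truncated, intact = compare()
    print("padding outside capture:", truncated)
    print("RFC 6750 b64token      :", intact)
```

A resource server can guard against this class of regression by checking that the resolved token equals the header value minus the scheme before sending it to the introspection endpoint.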