Skip to content

ServerBearerTokenAuthenticationConverter does not support form encoded body parameter #15818

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
jonah1und1 opened this issue Sep 17, 2024 · 4 comments
Closed

ServerBearerTokenAuthenticationConverter does not support form encoded body parameter #15818

jonah1und1 opened this issue Sep 17, 2024 · 4 comments
Assignees
@sjohnr
Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) status: duplicate A duplicate of another issue type: enhancement A general enhancement
Milestone
6.5.x

Comments

@jonah1und1
Copy link
Contributor

Describe the bug
When using opaque tokens with an OAuth 2 resource server, webflux's ServerBearerTokenAuthenticationConverter does not support authentication via url-encoded POST requests with their access token as a body parameter.
RFC-6750 Sec. 2.2 describes this behaviour and it is supported by DefaultBearerTokenResolver in mvc.

To Reproduce
Create a POST endpoint for which authentication with an OAuth 2 resource server with an opaque token is needed. Doing so with the reactive stack does not allow for authentication via a body parameter.

Expected behavior
Providing a body parameter with a valid access token named access_token should authenticate the request.

Sample
A sample project with designated test cases for the mvc and reactive stack can be found here:
https://github.com/jonah1und1/spring-security-rfc6750-2.2
@jonah1und1 jonah1und1 added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Sep 17, 2024
@jonah1und1 jonah1und1 mentioned this issue Sep 17, 2024
Closed
@sjohnr sjohnr added in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) type: enhancement A general enhancement and removed type: bug A general bug labels Sep 19, 2024
@sjohnr sjohnr self-assigned this Sep 19, 2024
@jonah1und1
Copy link
Contributor Author

Any updates on this?
I happily improve on the issue description and/or pull request if needed.

@sjohnr
Copy link
Member

sjohnr commented Oct 2, 2024
edited
Loading

@jonah1und1 thanks for checking. We are working on a few high priority items for the release and then I will be reviewing your PR. If you would like to get a head start, please check the PR for modern java features from Java 11+ and switch back to corresponding Java 8 features. We are not yet ready to update most of the source code to Java 17 features because we are following Spring Framework's lead on which language features we are using.

@jonah1und1
Copy link
Contributor Author

@sjohnr Thank you. I will do that.

jonah1und1 added a commit to jonah1und1/spring-security that referenced this issue Oct 2, 2024
@jonah1und1
Merge branch 'main' into spring-projectsgh-15818
bbe31b5
@jonah1und1
Copy link
Contributor Author

@sjohnr Did you have any time to take a look at the PR yet?

jonah1und1 added a commit to jonah1und1/spring-security that referenced this issue Oct 29, 2024
@jonah1und1
Merge branch 'main' into spring-projectsgh-15818
f478022
jonah1und1 added a commit to jonah1und1/spring-security that referenced this issue Oct 29, 2024
@jonah1und1
Add missing javaDoc
0b7b3ec 
Issue spring-projectsgh-15818
@sjohnr sjohnr removed the status: waiting-for-triage An issue we've not yet triaged label Oct 30, 2024
@sjohnr sjohnr added this to the 6.5.x milestone Oct 30, 2024
@sjohnr sjohnr added the status: duplicate A duplicate of another issue label Oct 30, 2024
sjohnr pushed a commit that referenced this issue Apr 7, 2025
@jonah1und1 @sjohnr
Add support for access token in body parameter as per rfc 6750 Sec. 2.2
9674532 
Issue gh-15818
@sjohnr sjohnr closed this as completed in 1fb3fc8 Apr 7, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@sjohnr sjohnr

Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) status: duplicate A duplicate of another issue type: enhancement A general enhancement
Projects
None yet
Milestone
6.5.x
Development

No branches or pull requests
2 participants
@sjohnr @jonah1und1