Skip to content

Fix OAuth2TokenIntrospection issuer validation and add unit tests #2206

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 2 commits into from
Closed

Fix OAuth2TokenIntrospection issuer validation and add unit tests #2206

wants to merge 2 commits into from

Conversation

ramesh-nair-dev
Copy link

Summary

This PR updates the OAuth2TokenIntrospection class to correctly handle the 'issuer' (iss) claim. The changes ensure that the issuer can be either a valid URI or a plain string without throwing exceptions during token introspection validation.

Changes

  • Updated OAuth2TokenIntrospection.Builder to accept non-URI issuer strings.
  • Enhanced validateIssuer method to allow plain string issuers while still supporting valid URIs.
  • Added unit tests to cover:
    • Non-URI issuer strings
    • Valid URI issuer strings
  • Ensured existing claim validations (active, scope, exp, iat, nbf, aud) remain intact.

Benefits

  • Prevents unnecessary exceptions when using non-URI issuer strings.
  • Improves robustness and flexibility of OAuth2 token introspection.
  • Increases test coverage for issuer-related functionality.

@ramesh-nair-dev
Add OAuth2TokenIntrospection builder and comprehensive unit tests
2e4f2ed 
Signed-off-by: Ramesh <ramesh200212@gmail.com>
@ramesh-nair-dev ramesh-nair-dev force-pushed the fix/token-introspection-issuer branch from 9058cf9 to 2e4f2ed Compare September 28, 2025 11:25
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Sep 28, 2025
MatthiasDrewsCS
MatthiasDrewsCS reviewed Sep 29, 2025
View reviewed changes
.../java/org/springframework/security/oauth2/server/authorization/OAuth2TokenIntrospection.java Outdated
try {
new URI(url.toString()).toURL();
// Try parsing as URI
new URI(str);
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there really a benefit from first trying to parse a URI, and if this fails, still continue successfully? IMHO it would be enough to just check if the string is blank or not. Am I missing something?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the feedback You’re right — if we allow non-URI strings (like client IDs), then attempting to parse as a URI may not add much value.

My initial thought behind keeping the URI parsing was to still preserve compatibility with tokens where iss is a proper URI, and not reject them unintentionally. But since the validation already ensures the string isn’t blank, simplifying to just a non-blank check would be sufficient and cleaner.

I can update the implementation to only validate that iss is not blank. Would you prefer that direction?

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes I would prefer simplicity. Compatibility is still preserved with such a simpler approach

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I will make the changes

@ramesh-nair-dev ramesh-nair-dev force-pushed the fix/token-introspection-issuer branch 2 times, most recently from 5b777dd to dbd464d Compare September 30, 2025 15:49
@ramesh-nair-dev
Copy link
Author

Hey matt can you please review changes

@MatthiasDrewsCS
Copy link

I like that. It would be even better to also slightly adjust the error message to something like "iss must not be empty"

@ramesh-nair-dev
refactor: simplify validateIssuer and use clearer error message " iss…
587d526 
… must not be empty\

Signed-off-by: Ramesh <ramesh200212@gmail.com>
@ramesh-nair-dev ramesh-nair-dev force-pushed the fix/token-introspection-issuer branch from dbd464d to 587d526 Compare October 1, 2025 06:16
@ramesh-nair-dev
Copy link
Author

I like that. It would be even better to also slightly adjust the error message to something like "iss must not be empty"

I have made the changes please review it

@ramesh-nair-dev
Copy link
Author

Thanks @MatthiasDrewsCS for the review and approval
Could a maintainer please approve the workflows and merge if everything looks good?

@jgrandja
Copy link
Collaborator

jgrandja commented Oct 8, 2025

@ramesh-nair-dev See comment

@jgrandja jgrandja self-assigned this Oct 8, 2025
@jgrandja jgrandja added status: waiting-for-feedback We need additional information before we can continue and removed status: waiting-for-triage An issue we've not yet triaged labels Oct 8, 2025
@jgrandja
Copy link
Collaborator

Closing as per comment

@jgrandja jgrandja closed this Oct 10, 2025
@jgrandja jgrandja added status: declined A suggestion or change that we don't feel we should currently apply and removed status: waiting-for-feedback We need additional information before we can continue labels Oct 10, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@MatthiasDrewsCS MatthiasDrewsCS MatthiasDrewsCS approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@jgrandja jgrandja

Labels

status: declined A suggestion or change that we don't feel we should currently apply

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@ramesh-nair-dev @MatthiasDrewsCS @jgrandja @spring-projects-issues