Skip to content

JwtTimeStampValidator uses wrong error on token expiration #10319

New issue
New issue
Closed
Closed
JwtTimeStampValidator uses wrong error on token expiration#10319
Assignees
jzheaux
Labels
in: oauth2An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)status: backportedAn issue that has been backported to maintenance branchestype: bugA general bug
Milestone
5.6.0-RC1
@jason076

Description

@jason076
jason076
opened on Sep 24, 2021

Summary

I think the JwtTimeStampValidator uses the wrong error type when a token expires:

spring-security/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtTimestampValidator.java

Line 93 in 339a053

return new OAuth2Error(OAuth2ErrorCodes.INVALID_REQUEST, reason,

As listed in https://datatracker.ietf.org/doc/html/rfc6750#section-3.1 it should use INVALID_TOKEN error.

Actual Behavior

JwtTimeStampValidator uses INVALID_REQUEST error when a token expires

Expected Behavior

JwtTimeStampValidator should uses INVALID_TOKEN error when a token expires

Version

5.5.2

Sample

spring-security/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtTimestampValidator.java

Line 93 in 339a053

return new OAuth2Error(OAuth2ErrorCodes.INVALID_REQUEST, reason,

Metadata

Metadata

Assignees

Labels

in: oauth2An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)status: backportedAn issue that has been backported to maintenance branchestype: bugA general bug

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions