Skip to content

JwtDecoderProviderConfigurationUtils incorrectly handles issuer URI #15852

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
bodograumann opened this issue Sep 25, 2024 · 0 comments · Fixed by #15853
Closed

JwtDecoderProviderConfigurationUtils incorrectly handles issuer URI #15852

bodograumann opened this issue Sep 25, 2024 · 0 comments · Fixed by #15853
Labels
status: waiting-for-triage An issue we've not yet triaged type: bug A general bug

Comments

@bodograumann
Copy link
Contributor

Describe the bug
JwtDecoderProviderConfigurationUtils use UriComponentsBuilder to modify a URI in oidc, oidcRfc8414 and oauth.
Due to a known issue in UriComponents builder (spring-projects/spring-framework#27774), this produces invalid URIs in the cases where the URI contains an authority, but no host.
These still come up in practice though, e.g. see the following partial backtrace:

Caused by: java.lang.IllegalArgumentException: Unable to resolve the Configuration with the provided Issuer of "http://elated_sutherland:8080/auth/realms/my-realm"
        at org.springframework.security.oauth2.jwt.JwtDecoderProviderConfigurationUtils.getConfiguration(JwtDecoderProviderConfigurationUtils.java:178)
        at org.springframework.security.oauth2.jwt.JwtDecoderProviderConfigurationUtils.getConfigurationForIssuerLocation(JwtDecoderProviderConfigurationUtils.java:90)
        at org.springframework.security.oauth2.jwt.NimbusJwtDecoder.lambda$withIssuerLocation$2(NimbusJwtDecoder.java:226)
        at org.springframework.security.oauth2.jwt.NimbusJwtDecoder$JwkSetUriJwtDecoderBuilder.processor(NimbusJwtDecoder.java:389)
        at org.springframework.security.oauth2.jwt.NimbusJwtDecoder$JwkSetUriJwtDecoderBuilder.build(NimbusJwtDecoder.java:405)
        at org.springframework.boot.autoconfigure.security.oauth2.resource.servlet.OAuth2ResourceServerJwtConfiguration$JwtDecoderConfiguration.lambda$jwtDecoderByIssuerUri$3(OAuth2ResourceServerJwtConfiguration.java:159)
        at org.springframework.security.oauth2.jwt.SupplierJwtDecoder.lambda$new$0(SupplierJwtDecoder.java:36)
        ... 88 common frames omitted
Caused by: org.springframework.web.client.ResourceAccessException: I/O error on GET request for "http:/auth/realms/my-realm/.well-known/openid-configuration": Failed to select a proxy
        at org.springframework.web.client.RestTemplate.createResourceAccessException(RestTemplate.java:915)
        at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:895)
        at org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:740)
        at org.springframework.security.oauth2.jwt.JwtDecoderProviderConfigurationUtils.getConfiguration(JwtDecoderProviderConfigurationUtils.java:167)
        ... 94 common frames omitted

To Reproduce

import org.springframework.web.util.UriComponentsBuilder;

import java.net.URI;
import java.util.Collections;

String rawUrl = "http://elated_sutherland:8080/auth/realms/my-realm";
URI uri = URI.create(rawUrl);
System.out.println(uri.getAuthority());
System.out.println(uri.getHost());
URI newUrl = UriComponentsBuilder.fromUri(uri)
  .replacePath(uri.getPath() + "/.well-known/openid-configuration")
  .build(Collections.emptyMap());
System.out.println(newUrl);

shows what happens. It outputs:

elated_sutherland:8080
null
http:/auth/realms/my-realm/.well-known/openid-configuration

Expected behavior
The correct oidc URI should be generated: http://elated_sutherland:8080/auth/realms/my-realm/.well-known/openid-configuration.
@bodograumann bodograumann added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Sep 25, 2024
@bodograumann bodograumann mentioned this issue Sep 25, 2024
Merged
bodograumann added a commit to bodograumann/spring-framework that referenced this issue Sep 30, 2024
@bodograumann
Reparse URI when host is missing
b48e7d8 
Closes spring-projects#27774
Closes spring-projects/spring-security#15852
@bodograumann bodograumann mentioned this issue Sep 30, 2024
Closed
jzheaux pushed a commit to bodograumann/spring-security that referenced this issue Feb 20, 2025
@bodograumann @jzheaux
Avoid UriComponentsBuilder.fromUri
d716b86 
Closes spring-projectsgh-15852
jzheaux added a commit to bodograumann/spring-security that referenced this issue Feb 20, 2025
@jzheaux
JwtDecoders Supports Hostnames with Underscores
571135d 
In the process of verifying spring-projectsgh-15852, another issue with URI was discovered.
This commit adds tests to the uri-computing methods and changes them to use
UriComponents instead of URI.

Issue spring-projectsgh-15852
jzheaux added a commit to bodograumann/spring-security that referenced this issue Feb 20, 2025
@jzheaux
ClientRegistrations supports hostnames with underscores
49e5d37 
Issue spring-projectsgh-15852
jzheaux added a commit that referenced this issue Feb 20, 2025
@jzheaux
JwtDecoders Supports Hostnames with Underscores
3d15be1 
In the process of verifying gh-15852, another issue with URI was discovered.
This commit adds tests to the uri-computing methods and changes them to use
UriComponents instead of URI.

Issue gh-15852
jzheaux added a commit that referenced this issue Feb 20, 2025
@jzheaux
ClientRegistrations supports hostnames with underscores
b6c813c 
Issue gh-15852
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
status: waiting-for-triage An issue we've not yet triaged type: bug A general bug
Projects
None yet
Milestone
No milestone
1 participant
@bodograumann