JwtDecoderProviderConfigurationUtils incorrectly handles issuer URI #15852


Closed
bodograumann opened this issue Sep 25, 2024 · 0 comments · Fixed by #15853
Labels
status: waiting-for-triage An issue we've not yet triaged type: bug A general bug

Comments

@bodograumann
Contributor

Describe the bug
JwtDecoderProviderConfigurationUtils uses UriComponentsBuilder to modify a URI in oidc, oidcRfc8414 and oauth.
Due to a known issue in UriComponentsBuilder (spring-projects/spring-framework#27774), this produces invalid URIs in the cases where the URI contains an authority, but no host.
These still come up in practice though, e.g. see the following partial backtrace:

Caused by: java.lang.IllegalArgumentException: Unable to resolve the Configuration with the provided Issuer of "http://elated_sutherland:8080/auth/realms/my-realm"
        at org.springframework.security.oauth2.jwt.JwtDecoderProviderConfigurationUtils.getConfiguration(JwtDecoderProviderConfigurationUtils.java:178)
        at org.springframework.security.oauth2.jwt.JwtDecoderProviderConfigurationUtils.getConfigurationForIssuerLocation(JwtDecoderProviderConfigurationUtils.java:90)
        at org.springframework.security.oauth2.jwt.NimbusJwtDecoder.lambda$withIssuerLocation$2(NimbusJwtDecoder.java:226)
        at org.springframework.security.oauth2.jwt.NimbusJwtDecoder$JwkSetUriJwtDecoderBuilder.processor(NimbusJwtDecoder.java:389)
        at org.springframework.security.oauth2.jwt.NimbusJwtDecoder$JwkSetUriJwtDecoderBuilder.build(NimbusJwtDecoder.java:405)
        at org.springframework.boot.autoconfigure.security.oauth2.resource.servlet.OAuth2ResourceServerJwtConfiguration$JwtDecoderConfiguration.lambda$jwtDecoderByIssuerUri$3(OAuth2ResourceServerJwtConfiguration.java:159)
        at org.springframework.security.oauth2.jwt.SupplierJwtDecoder.lambda$new$0(SupplierJwtDecoder.java:36)
        ... 88 common frames omitted
Caused by: org.springframework.web.client.ResourceAccessException: I/O error on GET request for "http:/auth/realms/my-realm/.well-known/openid-configuration": Failed to select a proxy
        at org.springframework.web.client.RestTemplate.createResourceAccessException(RestTemplate.java:915)
        at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:895)
        at org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:740)
        at org.springframework.security.oauth2.jwt.JwtDecoderProviderConfigurationUtils.getConfiguration(JwtDecoderProviderConfigurationUtils.java:167)
        ... 94 common frames omitted

To Reproduce

import org.springframework.web.util.UriComponentsBuilder;

import java.net.URI;
import java.util.Collections;

public class Repro {
  public static void main(String[] args) {
    String rawUrl = "http://elated_sutherland:8080/auth/realms/my-realm";
    URI uri = URI.create(rawUrl);
    // java.net.URI accepts the underscore host only as a registry-based authority,
    // so getAuthority() is populated while getHost() is null
    System.out.println(uri.getAuthority());
    System.out.println(uri.getHost());
    // fromUri copies the host and port fields, not the raw authority,
    // so the null host silently drops the whole authority from the result
    URI newUrl = UriComponentsBuilder.fromUri(uri)
      .replacePath(uri.getPath() + "/.well-known/openid-configuration")
      .build(Collections.emptyMap());
    System.out.println(newUrl);
  }
}

shows what happens. It outputs:

elated_sutherland:8080
null
http:/auth/realms/my-realm/.well-known/openid-configuration

Expected behavior
The correct oidc URI should be generated: http://elated_sutherland:8080/auth/realms/my-realm/.well-known/openid-configuration.
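As an added illustration (not the issue author's code and not the project's actual fix), the following class places the failing java.net.URI based construction beside one that parses the issuer with Spring's own UriComponentsBuilder into UriComponents, which keeps an underscore host, plus a guard that flags issuer locations whose authority parsed but whose host did not. The class name IssuerUriDemo, the method names and the constant are assumptions for the demo.

```java
import java.net.URI;
import java.util.Collections;

import org.springframework.web.util.UriComponents;
import org.springframework.web.util.UriComponentsBuilder;

public class IssuerUriDemo {

    private static final String OIDC_METADATA_PATH = "/.well-known/openid-configuration";

    // Same shape as the failing construction from the issue: java.net.URI parses the
    // underscore host as a registry-based authority with a null host, and fromUri
    // copies only host and port, so the authority is lost in the derived URI.
    static String viaJavaNetUri(String issuerLocation) {
        URI issuer = URI.create(issuerLocation);
        return UriComponentsBuilder.fromUri(issuer)
                .replacePath(issuer.getPath() + OIDC_METADATA_PATH)
                .build(Collections.emptyMap())
                .toString();
    }

    // Parse the issuer string with Spring's regex-based parser instead. The resulting
    // UriComponents retains the host "elated_sutherland", so appending the metadata
    // path yields the expected absolute URI.
    static String viaUriComponents(String issuerLocation) {
        UriComponents issuer = UriComponentsBuilder.fromUriString(issuerLocation).build();
        return UriComponentsBuilder.newInstance()
                .uriComponents(issuer)
                .replacePath(issuer.getPath() + OIDC_METADATA_PATH)
                .build()
                .toUriString();
    }

    // Defensive check for callers still on the java.net.URI path: an issuer whose
    // authority is present but whose host is null is exactly the input that gets
    // mangled, so it should be rejected or logged rather than silently rewritten.
    static boolean hostParses(String issuerLocation) {
        URI uri = URI.create(issuerLocation);
        return uri.getAuthority() == null || uri.getHost() != null;
    }

    public static void main(String[] args) {
        // constructed sample issuer, same host shape as in the reported backtrace
        String issuer = "http://elated_sutherland:8080/auth/realms/my-realm";
        System.out.println("java.net.URI based : " + viaJavaNetUri(issuer));
        System.out.println("UriComponents based: " + viaUriComponents(issuer));
        System.out.println("host parses        : " + hostParses(issuer));
    }
}
```

Run it with spring-web on the classpath; the first line shows the authority being dropped, the second the full metadata URI that the Expected behavior section asks for.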

@bodograumann bodograumann added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Sep 25, 2024
bodograumann added a commit to bodograumann/spring-framework that referenced this issue Sep 30, 2024
jzheaux pushed a commit to bodograumann/spring-security that referenced this issue Feb 20, 2025
jzheaux added a commit to bodograumann/spring-security that referenced this issue Feb 20, 2025
In the process of verifying spring-projectsgh-15852, another issue with URI was discovered.
This commit adds tests to the uri-computing methods and changes them to use
UriComponents instead of URI.

Issue spring-projectsgh-15852
jzheaux added a commit to bodograumann/spring-security that referenced this issue Feb 20, 2025
jzheaux added a commit that referenced this issue Feb 20, 2025
In the process of verifying gh-15852, another issue with URI was discovered.
This commit adds tests to the uri-computing methods and changes them to use
UriComponents instead of URI.

Issue gh-15852