OidcBackChannelLogoutWebFilter error response is not a correct JSON #16072


Closed
katya-tis opened this issue Nov 12, 2024 · 6 comments
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) type: bug A general bug

Comments

@katya-tis

Describe the bug
When OidcBackChannelLogoutWebFilter returns an error from handleAuthenticationFailure(...) method:

  • the response content type is not set to "application/json";
  • error_uri is missing closing quotes;
  • the text for at least the description should be escaped for special characters.

To Reproduce
Call the oidc back channel logout endpoint without a logout token for example. The response is:

{
	"error_code": "invalid_request",
	"error_description": "An error occurred while attempting to decode the Jwt: Cannot invoke "String.indexOf(String)" because "s" is null",
	"error_uri: "https://openid.net/specs/openid-connect-backchannel-1_0.html#Validation"
}

Expected behavior
The expected response should look like this:

{
    "error_code": "invalid_request",
    "error_description": "An error occurred while attempting to decode the Jwt: Cannot invoke \"String.indexOf(String)\" because \"s\" is null",
    "error_uri": "https://openid.net/specs/openid-connect-backchannel-1_0.html#Validation"
}
@katya-tis katya-tis added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Nov 12, 2024
@sjohnr sjohnr added the in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) label Nov 14, 2024
@harpreets789
Contributor

Should the description field in the error response escape quotes for safe use in HTML (e.g., converting " to &quot;), or should it simply escape strings as described in the issue (i.e., using basic string escaping for special characters)?

@harpreets789
Contributor

@sjohnr @jzheaux

Request for Clarification:

  • Given that the error_description is part of a JSON response, should I escape the string for HTML use (using HtmlUtils), for JSON use (using StringEscapeUtils.escapeJson), or simply handle specific characters using basic string replacement (with String.replace())?

  • Which approach would be most appropriate for this case considering both the context and the potential security concerns?

@AndreasKasparek

@harpreets789 as this is a back-channel call from the OP and https://openid.net/specs/openid-connect-backchannel-1_0.html#BCResponse specifies that an application/json response can be returned in error case, I would expect the error description to be JSON-escaped. If the OP wants to display any of that information on an HTML page, it would be its responsibility to escape it then accordingly.
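The three defects in the original report (missing `application/json` content type, the unterminated `"error_uri` key, and the unescaped quotes in `error_description`) and the HTML-vs-JSON escaping question raised in the two comments above all come down to one point: build the error body with a JSON serializer for the JSON context, not by string concatenation and not with HTML escaping. The script below is an added, language-agnostic illustration of that point; it is not Spring Security's code and does not reproduce the actual `OidcBackChannelLogoutWebFilter` implementation. The sample values are copied from the response quoted in the issue; the function names and the 400 status are assumptions made for the example.

```python
import json
import html

# Sample values taken from the response quoted in the issue report.
ERROR_CODE = "invalid_request"
ERROR_DESCRIPTION = (
    'An error occurred while attempting to decode the Jwt: '
    'Cannot invoke "String.indexOf(String)" because "s" is null'
)
ERROR_URI = "https://openid.net/specs/openid-connect-backchannel-1_0.html#Validation"


def body_by_concatenation(code: str, description: str, uri: str) -> str:
    """Fragile approach: a hand-written template with no escaping.

    This mirrors the failure mode described in the issue (quotes inside the
    description break the document); it is a constructed illustration, not
    the filter's actual source.
    """
    return (
        '{\n'
        '\t"error_code": "%s",\n'
        '\t"error_description": "%s",\n'
        '\t"error_uri": "%s"\n'
        '}' % (code, description, uri)
    )


def body_with_json_serializer(code: str, description: str, uri: str) -> str:
    """Correct approach for a JSON response: let the serializer escape values."""
    return json.dumps(
        {"error_code": code, "error_description": description, "error_uri": uri},
        indent=4,
    )


def body_with_html_escaping(code: str, description: str, uri: str) -> str:
    """Wrong layer: HTML-escaping a value that is delivered as JSON.

    The document stays well-formed, but the consumer receives '&quot;' where
    the original message had '"', so the text is silently corrupted.
    """
    return json.dumps(
        {"error_code": code, "error_description": html.escape(description), "error_uri": uri},
        indent=4,
    )


def is_valid_json(body: str) -> bool:
    """Return True if the body parses as a JSON document."""
    try:
        json.loads(body)
        return True
    except json.JSONDecodeError:
        return False


def description_round_trips(body: str, expected: str) -> bool:
    """Return True if a JSON consumer recovers the original description text."""
    try:
        return json.loads(body)["error_description"] == expected
    except (json.JSONDecodeError, KeyError, TypeError):
        return False


def make_error_response(code: str, description: str, uri: str) -> dict:
    """Assemble a complete error response: status, headers and serialized body.

    The 400 status is an assumption for this example; the content type is the
    one the issue says was missing from the real response.
    """
    return {
        "status": 400,
        "headers": {"Content-Type": "application/json"},
        "body": body_with_json_serializer(code, description, uri),
    }


if __name__ == "__main__":
    for name, builder in (
        ("concatenation", body_by_concatenation),
        ("json serializer", body_with_json_serializer),
        ("html escaping", body_with_html_escaping),
    ):
        body = builder(ERROR_CODE, ERROR_DESCRIPTION, ERROR_URI)
        print(f"{name:16s} valid={is_valid_json(body)} "
              f"round_trip={description_round_trips(body, ERROR_DESCRIPTION)}")
```

Running it shows the concatenated body is not parseable at all, the HTML-escaped body parses but hands the consumer `&quot;` instead of the original message, and only the serializer-built body both parses and round-trips. Whoever renders the description in HTML later escapes it for that context at that point, which is the division of responsibility the comment above describes.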

@jzheaux
Contributor

jzheaux commented Dec 6, 2024

@katya-tis, thanks for the report. We'll target the next maintenance release for a fix.

I'd like to know something else in addition to improving the serialization behavior; the error message in your payload appears to be a null pointer exception. Can you share a stack trace or give me more information regarding where the null pointer exception is from so we can make that error message more informative?

@jzheaux
Contributor

jzheaux commented Dec 6, 2024

Closed in 3d1e4b5

@AndreasKasparek

AndreasKasparek commented Dec 9, 2024

@jzheaux The null pointer exception comes from com.nimbusds.jwt.JWTParser#parse(String) method when the given string is null. For the test the back-channel logout endpoint was called without an actual logout token. The org.springframework.security.config.web.server.OidcLogoutServerAuthenticationConverter just reads the logout_token parameter from the form data and creates a new OidcLogoutAuthenticationToken from it. Neither the converter nor the ctor of the token class checks if the string is null.
