Skip to content

Reactive OAuth2 Bearer Token request spec compliance #5708

New issue
New issue
Closed
#10302
Closed
Reactive OAuth2 Bearer Token request spec compliance#5708
#10302
Assignees
DarrenForsythe
Labels
in: oauth2An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)type: bugA general bug
Milestone
5.6.0-RC1
@jzheaux

Description

@jzheaux
jzheaux
opened on Aug 21, 2018

Like DefaultBearerTokenResolver, ServerBearerTokenAuthenticationConverter should fail when two access_token parameters are present.

Currently, the code does:

String parameterToken = request.getQueryParams().getFirst("access_token");

but the RFC states that if there is more than one access_token parameter, the request should be rejected instead of guessing which token to use (emphasis mine):

invalid_request
The request is missing a required parameter, includes an
unsupported parameter or parameter value, repeats the same
parameter, uses more than one method for including an access
token, or is otherwise malformed. The resource server SHOULD
respond with the HTTP 400 (Bad Request) status code.

Metadata

Metadata

Assignees

Labels

in: oauth2An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)type: bugA general bug

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions