Skip to content

OAuth2ErrorResponseErrorHandler throws IllegalArgumentException for a nonstandard HTTP status code response #9741

@mjustin

Description

@mjustin

Describe the bug
I have a Spring application using spring-security-oauth2-client. It authenticates via OAuth2 using AuthorizedClientServiceOAuth2AuthorizedClientManager.authorize(OAuth2AuthorizeRequest authorizeRequest).

The authorization endpoint is in TIBCO Cloud Mashery. Due to a typo in the URL, the OAuth endpoint failed with Mashery's custom 596 error code. However, rather than return a sensible error in this scenario, the Spring code throws an IllegalArgumentException trying to convert the status code to an HttpStatus:

java.lang.IllegalArgumentException: No matching constant for [596]
	at org.springframework.http.HttpStatus.valueOf(HttpStatus.java:538)
	at org.springframework.http.client.AbstractClientHttpResponse.getStatusCode(AbstractClientHttpResponse.java:33)
	at org.springframework.security.oauth2.client.http.OAuth2ErrorResponseErrorHandler.handleError(OAuth2ErrorResponseErrorHandler.java:51)
	at org.springframework.web.client.ResponseErrorHandler.handleError(ResponseErrorHandler.java:63)
	at org.springframework.web.client.RestTemplate.handleResponse(RestTemplate.java:782)
	at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:740)
	at org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:641)
	at org.springframework.security.oauth2.client.endpoint.DefaultClientCredentialsTokenResponseClient.getTokenResponse(DefaultClientCredentialsTokenResponseClient.java:75)
	at org.springframework.security.oauth2.client.endpoint.DefaultClientCredentialsTokenResponseClient.getTokenResponse(DefaultClientCredentialsTokenResponseClient.java:52)
	at org.springframework.security.oauth2.client.ClientCredentialsOAuth2AuthorizedClientProvider.authorize(ClientCredentialsOAuth2AuthorizedClientProvider.java:86)
	at org.springframework.security.oauth2.client.DelegatingOAuth2AuthorizedClientProvider.authorize(DelegatingOAuth2AuthorizedClientProvider.java:67)
	at org.springframework.security.oauth2.client.AuthorizedClientServiceOAuth2AuthorizedClientManager.authorize(AuthorizedClientServiceOAuth2AuthorizedClientManager.java:140)

This is due to the usage of ClientHttpResponse.getStatusCode() in OAuth2ErrorResponseErrorHandler.java:

if (!HttpStatus.BAD_REQUEST.equals(response.getStatusCode())) {
this.defaultErrorHandler.handleError(response);
}

Replacing getStatusCode with getRawStatusCode should be sufficient to fix this issue, in particular given that DefaultResponseErrorHandler already properly handles unknown status codes.

        if (HttpStatus.BAD_REQUEST.value() != response.getRawStatusCode()) {
            this.defaultErrorHandler.handleError(response); 
        } 

To Reproduce
Call AuthorizedClientServiceOAuth2AuthorizedClientManager.authorize against an endpoint that returns a nonstandard error HTTP status code (any 4xx or 5xx series response code not defined in HttpStatus). An IllegalArgumentException is thrown with message No matching constant for [596] (replacing 596 with the actual response code).

Expected behavior
This should fail in the exact same way as any other non-400 error response codes, namely calling DefaultResponseErrorHandler.handleError with the ClientHttpResponse.

Metadata

Metadata

Assignees

Labels

in: oauth2An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)status: backportedAn issue that has been backported to maintenance branchestype: bugA general bug

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions