Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

JwtDecoderProviderConfigurationUtils incorrectly handles issuer URI #15852

Open
bodograumann opened this issue Sep 25, 2024 · 0 comments · May be fixed by #15853 or spring-projects/spring-framework#33614
Open

JwtDecoderProviderConfigurationUtils incorrectly handles issuer URI #15852

bodograumann opened this issue Sep 25, 2024 · 0 comments · May be fixed by #15853 or spring-projects/spring-framework#33614
Labels
status: waiting-for-triage An issue we've not yet triaged type: bug A general bug

Comments

@bodograumann
Copy link

Describe the bug
JwtDecoderProviderConfigurationUtils use UriComponentsBuilder to modify a URI in oidc, oidcRfc8414 and oauth.
Due to a known issue in UriComponents builder (spring-projects/spring-framework#27774), this produces invalid URIs in the cases where the URI contains an authority, but no host.
These still come up in practice though, e.g. see the following partial backtrace:

Caused by: java.lang.IllegalArgumentException: Unable to resolve the Configuration with the provided Issuer of "http://elated_sutherland:8080/auth/realms/my-realm"
        at org.springframework.security.oauth2.jwt.JwtDecoderProviderConfigurationUtils.getConfiguration(JwtDecoderProviderConfigurationUtils.java:178)
        at org.springframework.security.oauth2.jwt.JwtDecoderProviderConfigurationUtils.getConfigurationForIssuerLocation(JwtDecoderProviderConfigurationUtils.java:90)
        at org.springframework.security.oauth2.jwt.NimbusJwtDecoder.lambda$withIssuerLocation$2(NimbusJwtDecoder.java:226)
        at org.springframework.security.oauth2.jwt.NimbusJwtDecoder$JwkSetUriJwtDecoderBuilder.processor(NimbusJwtDecoder.java:389)
        at org.springframework.security.oauth2.jwt.NimbusJwtDecoder$JwkSetUriJwtDecoderBuilder.build(NimbusJwtDecoder.java:405)
        at org.springframework.boot.autoconfigure.security.oauth2.resource.servlet.OAuth2ResourceServerJwtConfiguration$JwtDecoderConfiguration.lambda$jwtDecoderByIssuerUri$3(OAuth2ResourceServerJwtConfiguration.java:159)
        at org.springframework.security.oauth2.jwt.SupplierJwtDecoder.lambda$new$0(SupplierJwtDecoder.java:36)
        ... 88 common frames omitted
Caused by: org.springframework.web.client.ResourceAccessException: I/O error on GET request for "http:/auth/realms/my-realm/.well-known/openid-configuration": Failed to select a proxy
        at org.springframework.web.client.RestTemplate.createResourceAccessException(RestTemplate.java:915)
        at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:895)
        at org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:740)
        at org.springframework.security.oauth2.jwt.JwtDecoderProviderConfigurationUtils.getConfiguration(JwtDecoderProviderConfigurationUtils.java:167)
        ... 94 common frames omitted

To Reproduce

import org.springframework.web.util.UriComponentsBuilder;

import java.net.URI;
import java.util.Collections;

String rawUrl = "http://elated_sutherland:8080/auth/realms/my-realm";
URI uri = URI.create(rawUrl);
System.out.println(uri.getAuthority());
System.out.println(uri.getHost());
URI newUrl = UriComponentsBuilder.fromUri(uri)
  .replacePath(uri.getPath() + "/.well-known/openid-configuration")
  .build(Collections.emptyMap());
System.out.println(newUrl);

shows what happens. It outputs:

elated_sutherland:8080
null
http:/auth/realms/my-realm/.well-known/openid-configuration

Expected behavior
The correct oidc URI should be generated: http://elated_sutherland:8080/auth/realms/my-realm/.well-known/openid-configuration.
@bodograumann bodograumann added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Sep 25, 2024
@bodograumann bodograumann linked a pull request Sep 25, 2024 that will close this issue
Open
bodograumann added a commit to bodograumann/spring-framework that referenced this issue Sep 30, 2024
@bodograumann
Reparse URI when host is missing
b48e7d8 
Closes spring-projects#27774
Closes spring-projects/spring-security#15852
@bodograumann bodograumann linked a pull request Sep 30, 2024 that will close this issue
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
status: waiting-for-triage An issue we've not yet triaged type: bug A general bug
Projects
None yet
Milestone
No milestone
1 participant
@bodograumann