Skip to content

ServerBearerTokenAuthenticationConverter validates parameters when not enabled #16038

New issue
New issue
Closed
Closed
ServerBearerTokenAuthenticationConverter validates parameters when not enabled#16038
Assignees
jonah1und1
Labels
in: oauth2An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)status: duplicateA duplicate of another issuetype: bugA general bug
Milestone
6.3.9
@sjohnr

Description

@sjohnr
sjohnr
opened on Nov 4, 2024

ServerBearerTokenAuthenticationConverter validates the query parameter access_token when allowUriQueryParameter is false. The spec states that

Resource servers MAY support this method.

for query string parameters, but does not indicate in the Error Codes section that the access_token parameter MUST be validated if the server doesn't support that particular method for resolving the token.

Note: This also applies to DefaultBearerTokenResolver, and includes when allowFormEncodedBodyParameter is set to false.

Metadata

Metadata

Assignees

Labels

in: oauth2An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)status: duplicateA duplicate of another issuetype: bugA general bug

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions