OAuth 2 library does not handle null client_secret values

Issue #141 resolved
Hank DeDona created an issue

The Google OAuth 2 playground [1] passes in null values for client_secret and scope for all token POSTs even if we aren't doing Client Authentication, at which point the Secret.java class on line 70 throws an IllegalArgumentException. At the very least, the library should ignore keys with null values or throw a ParseException that can be caught. I have attached the relevant stack trace:

java.lang.IllegalArgumentException: The value must not be null or empty string
    at com.nimbusds.oauth2.sdk.auth.Secret.<init>(Secret.java:70) ~[oauth2-oidc-sdk-4.13.jar:na]
    at com.nimbusds.oauth2.sdk.auth.Secret.<init>(Secret.java:56) ~[oauth2-oidc-sdk-4.13.jar:na]
    at com.nimbusds.oauth2.sdk.auth.ClientSecretPost.parse(ClientSecretPost.java:145) ~[oauth2-oidc-sdk-4.13.jar:na]
    at com.nimbusds.oauth2.sdk.auth.ClientSecretPost.parse(ClientSecretPost.java:194) ~[oauth2-oidc-sdk-4.13.jar:na]
    at com.nimbusds.oauth2.sdk.auth.ClientAuthentication.parse(ClientAuthentication.java:121) ~[oauth2-oidc-sdk-4.13.jar:na]
    at com.nimbusds.oauth2.sdk.TokenRequest.parse(TokenRequest.java:335) ~[oauth2-oidc-sdk-4.13.jar:4.13]

[1] https://developers.google.com/oauthplayground/

Comments (10)

  1. Connect2id OSS

    @icon5585: Hi Hank,

    Could you please post a copy of the token request that causes the exception with the Google OAuth 2.0 playground? We want to have a concrete test case for this before proceeding. We were not able to get the OAuth playground to produce a null client_secret (with form POST client authentication).

  2. Hank DeDona reporter

    We were using the server-side OAuth flow and didn't provide any values for the client secret.

  3. Connect2id OSS

    Thanks for getting back.

    authorize?response_type=code&client_id=google&scope=&client_secret=

    I'm a bit confused. The above seems to be an authorisation request, not a token request.

    We pushed a commit (see 8697977) that should fix null client_secret values, but before we close the issue we want to make sure we have the original test case for that (you can edit out any sensitive params of course).

  4. Hank DeDona reporter

    My apologies, you are correct. Here's the token request from the Google OAuth playground directly:

    code=0a2b49a9-985d-47cb-b36f-be9ed4927b4c&redirect_uri=https%3A%2F%2Fdevelopers.google.com%2Foauthplayground&client_id=google&client_secret=&scope=&grant_type=authorization_code
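    The empty client_secret= and scope= in the body above are exactly the values that reached the Secret constructor. As an added example (not the SDK's own code), here is a small form-body parser in Python that treats an empty or absent client_secret as "no client authentication" instead of throwing, and reports malformed input with a catchable ParseException; ParseException, ClientSecretPost, parse_client_auth, parse_token_request and SAMPLE_BODY are names assumed for this example only.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs


class ParseException(Exception):
    """Malformed token request; a server can catch this and answer 400 invalid_request."""


@dataclass(frozen=True)
class ClientSecretPost:
    client_id: str
    client_secret: str


# Constructed sample: the token request body posted above, with the blank
# client_secret= and scope= parameters that the playground sends.
SAMPLE_BODY = ("code=0a2b49a9-985d-47cb-b36f-be9ed4927b4c"
               "&redirect_uri=https%3A%2F%2Fdevelopers.google.com%2Foauthplayground"
               "&client_id=google&client_secret=&scope=&grant_type=authorization_code")


def _single(params: dict, key: str) -> Optional[str]:
    """Return the single value for key, None if absent; duplicates are rejected."""
    values = params.get(key)
    if values is None:
        return None
    if len(values) != 1:
        raise ParseException(f"duplicate parameter: {key}")
    return values[0]


def parse_client_auth(body: str) -> Optional[ClientSecretPost]:
    """Form-POST client authentication, or None when the client sent none.

    keep_blank_values=True makes "client_secret=" visible as present-but-empty;
    an empty secret is treated like an absent one rather than raising."""
    params = parse_qs(body, keep_blank_values=True)
    secret = _single(params, "client_secret")
    if not secret:
        return None
    client_id = _single(params, "client_id")
    if not client_id:
        raise ParseException("client_secret given without client_id")
    return ClientSecretPost(client_id, secret)


def parse_token_request(body: str) -> dict:
    """Parse an authorization_code token request; percent-encoding is decoded."""
    params = parse_qs(body, keep_blank_values=True)
    grant = _single(params, "grant_type")
    if grant != "authorization_code":
        raise ParseException(f"unsupported grant_type: {grant!r}")
    code = _single(params, "code")
    if not code:
        raise ParseException("missing code")
    return {"grant_type": grant, "code": code,
            "redirect_uri": _single(params, "redirect_uri"),
            "client_id": _single(params, "client_id"),
            "client_auth": parse_client_auth(body)}
```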

  5. Connect2id OSS

    Released fix as OIDC SDK v4.14.3, should reach Maven Central later today.

    Thanks for contributing and happy coding!
