Userinfo Error Response by Google not correctly parsed

Issue #197 resolved
Jan Eberhardt created an issue

Hi there,

we experienced the following behavior with your library: When sending a userinfo request to the Google userinfo endpoint (https://www.googleapis.com/oauth2/v3/userinfo) with an invalid token, the WWW-Authenticate HTTP header field is set to the following value by Google:

Bearer realm="https://acounts.google.com/", error=invalid_token

However your regex in BearerTokenError.java, line 125 in release 5.17.2 matches the following pattern:

/**
 * Regex pattern for matching the error parameter of a WWW-Authenticate 
 * header.
 */
private static final Pattern errorPattern = Pattern.compile("error=\"([^\"]+)");

So the error code value returned by Google doesn't match (because of missing quotes) and therefore the errorCode field of the BearerTokenError returned by BearerTokenError#parse is null.

We didn't find any detailed information on whether quotes must be used or not. The only information we found was an RFC draft (https://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-15#section-3), but the relevant part is not present in the final version (https://tools.ietf.org/html/rfc6750#section-3).

According to our interpretation, the response sent from Google without quotes does not correspond to the example in https://tools.ietf.org/html/rfc6750#section-3, but is also not explicitly wrong.

How would you see that? Should the regex in BearerTokenError.java be relaxed to also match the response from Google?
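As an added example (not the SDK's own code; the class name and helper are hypothetical), the strict pattern quoted above is placed next to a relaxed one that also accepts the unquoted token form Google sends, and both are run against constructed header values:

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical demo class, not part of the SDK. */
public final class BearerErrorParamDemo {

    // The pattern quoted in the issue: only matches a double-quoted value.
    static final Pattern STRICT = Pattern.compile("error=\"([^\"]+)");

    // Relaxed pattern following the RFC 7235 auth-param grammar,
    // auth-param = token BWS "=" BWS ( token / quoted-string ):
    // group 1 captures a quoted-string body, group 2 an unquoted token.
    // \berror\s*= does not match "error_description=" because "_" is a word char.
    static final Pattern RELAXED = Pattern.compile(
        "\\berror\\s*=\\s*(?:\"([^\"]*)\"|([!#$%&'*+.^_`|~0-9A-Za-z-]+))");

    /** Returns the error code found by the given pattern, or null when it does not match. */
    static String errorCode(Pattern pattern, String wwwAuthenticate) {
        Matcher m = pattern.matcher(wwwAuthenticate);
        if (!m.find()) {
            return null;
        }
        // Return whichever alternative actually captured something.
        for (int g = 1; g <= m.groupCount(); g++) {
            if (m.group(g) != null) {
                return m.group(g);
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample values: the unquoted form reported for Google,
        // and the quoted form shown in RFC 6750 section 3.
        String unquoted = "Bearer realm=\"https://accounts.google.com/\", error=invalid_token";
        String quoted = "Bearer realm=\"example\", error=\"invalid_token\","
            + " error_description=\"The access token expired\"";

        System.out.println("strict  / unquoted: " + errorCode(STRICT, unquoted));
        System.out.println("relaxed / unquoted: " + errorCode(RELAXED, unquoted));
        System.out.println("strict  / quoted:   " + errorCode(STRICT, quoted));
        System.out.println("relaxed / quoted:   " + errorCode(RELAXED, quoted));
    }
}
```

The strict pattern yields null for the unquoted header, which is the null errorCode described above; the relaxed pattern returns the code in both cases.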

Comments (5)

  1. Connect2id OSS

    Hi,

    We'll relax the regex a bit, but will also check with the RFCs and the OAuth WG on how the quoting should work.

    You're not getting any error_description back, right?