Bearer access token invalid error message

Issue #276 resolved
Gencer Nayki created an issue

The parse method of the BearerAccessToken class throws a parse exception if the authorization header is not valid. Valid characters for error responses are defined in the following spec. The double quote character (") is not a valid character according to the spec. But the following messages are returned in case of an error.

  • "Token type must be \"Bearer\""
  • "Invalid \"expires_in\" parameter, must be integer"

Spec Ref: https://tools.ietf.org/html/rfc6750#section-3

Spec:

Values for the "error" and "error_description"
   attributes (specified in Appendixes A.7 and A.8 of [RFC6749]) MUST
   NOT include characters outside the set %x20-21 / %x23-5B / %x5D-7E.

Since the parse exception message is used for returning the error response to an API user, this causes a compatibility problem with the spec.

UserInfoErrorResponse object is used to return an error response, and it expects an ErrorObject. If the error message is used as a description in the error object, it throws an IllegalArgumentException because of the spec incompatibility. BearerTokenError.isDescriptionWithValidChars validates this rule.

PS: oauth2-oidc-sdk-6.14.jar → com.nimbusds.oauth2.sdk.*
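As an added example (not the SDK's code), the check below encodes the RFC 6750 section 3 character set quoted above and runs it over the two messages the issue reports, showing why a message containing double quotes cannot be placed into a WWW-Authenticate: Bearer header as is. The function names and the sanitization choices are assumptions for this illustration.

```python
import re

# RFC 6750 section 3: "error" and "error_description" values MUST NOT contain
# characters outside %x20-21 / %x23-5B / %x5D-7E. That is printable ASCII
# without '"' (0x22) and '\' (0x5C), the two characters that would break the
# quoted-string in a WWW-Authenticate: Bearer header.
_RFC6750_VALUE_RE = re.compile(r"^[\x20-\x21\x23-\x5B\x5D-\x7E]*$")


def is_valid_error_value(value: str) -> bool:
    """True if every character of value is allowed by RFC 6750 section 3."""
    return _RFC6750_VALUE_RE.fullmatch(value) is not None


def invalid_chars(value: str) -> list[str]:
    """Distinct disallowed characters in value, sorted."""
    return sorted({c for c in value if not is_valid_error_value(c)})


def sanitize_error_value(value: str) -> str:
    """Rewrite value to satisfy the character set (assumed mapping):
    '"' becomes "'", backslash becomes "/", anything else outside the set "?"."""
    out = []
    for c in value:
        if is_valid_error_value(c):
            out.append(c)
        elif c == '"':
            out.append("'")
        elif c == "\\":
            out.append("/")
        else:
            out.append("?")
    return "".join(out)


def build_www_authenticate(error_code: str, description: str) -> str:
    """Value of a WWW-Authenticate header for a Bearer error response.
    The code must already be valid (rejected otherwise, like ErrorObject);
    the description is sanitized so an exception message cannot malform it."""
    if not is_valid_error_value(error_code):
        raise ValueError(f"invalid error code characters: {invalid_chars(error_code)}")
    return f'Bearer error="{error_code}", error_description="{sanitize_error_value(description)}"'


# Constructed sample input: the two messages reported in this issue.
REPORTED_MESSAGES = [
    'Token type must be "Bearer"',
    'Invalid "expires_in" parameter, must be integer',
]
```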

Comments (8)

  1. Yavor Vasilev

    Please check out the new version, it was just pushed to Maven Central:

    version 6.16.3 (2019-10-21)
        * Bumps Nimbus JOSE+JWT to min 8.2 to support ID token "typ" validation
          (iss #275).
        * Fixes BearerAccessToken.parse to not throw ParseException instances with
          messages which include illegal characters according to RFC 6750, section
          3 (iss #276).
    

  2. Gencer Nayki reporter
    • changed status to open

    I very much appreciate the quick fix. But the BearerAccessToken class still has one more invalid error message. The BearerAccessToken class at line 259 in tag version 6.16.4 still includes the following invalid error message: "Token type must be \"Bearer\""
