Bearer access token invalid error message

Parse method of BearerAccessToken class throws a parse exception if the authorization header is not valid. Valid characters for error responses are defined in the following spec. Double quote character (“) is not a valid character according to the spec. But the following messages are returned in case of an error.

"Token type must be \"Bearer\"
"Invalid \"expires_in\" parameter, must be integer"

Spec Ref: https://tools.ietf.org/html/rfc6750#section-3

Spec:

Values for the "error" and "error_description"
   attributes (specified in Appendixes A.7 and A.8 of [RFC6749]) MUST
   NOT include characters outside the set %x20-21 / %x23-5B / %x5D-7E.

Since the parse exception message is used for returning the error response to an API user, this causes a compatibility problem with the spec.

UserInfoErrorResponse object is used to return an error response, and it expects an ErrorObject. If the error message is used as a description in the error object, it throws an IlegalArgumentException because of the spec incompatibility. BearerTokenError.isDescriptionWithValidChars validates this rule.

PS: oauth2-oidc-sdk-6.14.jar → com.nimbusds.oauth2.sdk.*

Comments (8)