Bearer access token invalid error message
The parse method of the BearerAccessToken class throws a ParseException if the authorization header is not valid. Valid characters for error responses are defined in the following spec. The double quote character (") is not a valid character according to the spec. But the following messages are returned in case of an error:
"Token type must be \"Bearer\""
"Invalid \"expires_in\" parameter, must be integer"
Spec Ref: https://tools.ietf.org/html/rfc6750#section-3
Spec: Values for the "error" and "error_description" attributes (specified in Appendixes A.7 and A.8 of [RFC6749]) MUST NOT include characters outside the set %x20-21 / %x23-5B / %x5D-7E.
Since the parse exception message is used for returning the error response to an API user, this causes a compatibility problem with the spec.
The UserInfoErrorResponse object is used to return an error response, and it expects an ErrorObject. If the error message is used as the description in the error object, it throws an IllegalArgumentException because of the spec incompatibility. BearerTokenError.isDescriptionWithValidChars validates this rule.
PS: oauth2-oidc-sdk-6.14.jar → com.nimbusds.oauth2.sdk.*
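The RFC 6750 section 3 character rule, as an added stand-alone Python example (not code from the Nimbus SDK): a check equivalent to the one the SDK applies to error descriptions, a sanitizer that maps a parser message onto the allowed set, and a WWW-Authenticate builder that uses both. The function names and the sample messages (the two quoted in the issue) are constructed for this example.

```python
import re

# RFC 6750 section 3: "error" and "error_description" values may only
# contain %x20-21 / %x23-5B / %x5D-7E, i.e. printable ASCII without the
# double quote (0x22) and the backslash (0x5C). Because the backslash is
# excluded too, escaping a quote as \" is not an option either.
_VALID_DESCRIPTION = re.compile(r'^[\x20-\x21\x23-\x5B\x5D-\x7E]*$')


def is_description_with_valid_chars(text: str) -> bool:
    """Return True when every character of text is in the RFC 6750 set."""
    return _VALID_DESCRIPTION.fullmatch(text) is not None


def sanitize_description(text: str) -> str:
    """Map an arbitrary parser message onto the RFC 6750 character set.

    Double quotes become single quotes so the message stays readable;
    every other disallowed character (backslash, control characters,
    non-ASCII) is replaced by a space. The result always passes
    is_description_with_valid_chars().
    """
    out = []
    for ch in text:
        if is_description_with_valid_chars(ch):
            out.append(ch)
        elif ch == '"':
            out.append("'")
        else:
            out.append(' ')
    return ''.join(out)


def www_authenticate(error: str, description: str) -> str:
    """Build the Bearer challenge header value for an error response.

    The error code must already be valid (it comes from a fixed set);
    the description is sanitized, so a message such as the ones quoted
    in the issue can no longer inject a quote into the header.
    """
    if not is_description_with_valid_chars(error):
        raise ValueError('error code contains characters outside RFC 6750 set')
    desc = sanitize_description(description)
    return f'Bearer error="{error}", error_description="{desc}"'


# Constructed sample input: the two messages quoted in the issue.
MESSAGES = ['Token type must be "Bearer"',
            'Invalid "expires_in" parameter, must be integer']
```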
Comments (8)
reporter - edited description
- changed status to open
Thanks for the report, we'll fix that
- changed status to resolved
Fixed: 81bb6f9f
Please check out the new version, it was just pushed to Maven Central:
version 6.16.3 (2019-10-21)
* Bumps Nimbus JOSE+JWT to min 8.2 to support ID token "typ" validation (iss #275).
* Fixes BearerAccessToken.parse to not throw ParseException instances with messages which include illegal characters according to RFC 6750, section 3 (iss #276).
reporter - changed status to open
I very much appreciate the quick fix. But the BearerAccessToken class still has one more invalid error message. The BearerAccessToken class at line 259 in tag version 6.16.4 still includes the following invalid error message: "Token type must be \"Bearer\""
Oh, crap
- changed status to resolved