- changed status to open
TokenIntrospectionSuccessResponse should support parsing scopes presented as JSONArray
Summary
In the NimbusOpaqueTokenIntrospector#convertClaimsSet step, it first creates the claims variable by parsing the response using the toJSONObject method. If the response has a "scope" field with an array of Strings, it gets mapped to a JSONArray then.
Afterwards, it calls TokenIntrospectionSuccessResponse#getScope method, which first parses the "scope" param value as a String and then to a Parse object.
If we have a “scope” param with a JSONArray instance value, then the first parsing process fails (since it’s not a String), and the 'scope' claim receives a null value.
Actual Behavior
The TokenIntrospectionSuccessResponse can’t parse the scope param when it is a JSONArray object.
Expected Behavior
The TokenIntrospectionSuccessResponse can’t parse the scope param either if it is a String or a JSONArray object.
Comments (3)
reporter Sorry Yavor, I first thought that was part of this library too, because of its name.
The NimbusOpaqueTokenIntrospector is a Spring Security class (particularly, it is part of the spring-security-oauth2-resource-server artifact) that uses classes from this library:
I also created an issue in the Spring Security repo (#7563), and they made me realize that the specs actually dictate that scope is expected to be a space-delimited string (here). So, I think the bottom line here is "we're ok, we're respecting the specifications, but do we want to also support the 'scope' value as an array of strings?" (of course, we're separating the scopes anyway at some point, so receiving it as an array at the beginning of the process might not be that bad IMO)
- changed status to invalid
According to the token introspection RFC, the scope is a space separated string:
https://tools.ietf.org/html/rfc7662#section-2.2
The Scope class has helper methods to get the individual values:
https://www.javadoc.io/doc/com.nimbusds/oauth2-oidc-sdk/6.17/com/nimbusds/oauth2/sdk/Scope.html
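As an added illustration of the point raised in the report and in the RFC reference above (not code from the Nimbus SDK or from Spring Security), the following parser treats an introspection response's "scope" the way RFC 7662 section 2.2 specifies (a space-separated string), optionally tolerates the non-standard JSON-array form the reporter ran into, and rejects anything else instead of letting the scope silently become null. The sample responses and the allow_array switch are constructed for this example.

```python
import json
from typing import Optional

# Constructed sample responses (not taken from the issue): the first follows
# RFC 7662 section 2.2, the second uses the array form the reporter saw.
RFC_RESPONSE = '{"active": true, "client_id": "app", "scope": "read write"}'
ARRAY_RESPONSE = '{"active": true, "client_id": "app", "scope": ["read", "write"]}'


def parse_scope(value, allow_array: bool = False) -> Optional[list]:
    """Normalise the "scope" member of an introspection response to a list.

    A string (or an absent/null value) is always accepted, as the RFC
    defines it. A JSON array of non-empty strings is accepted only when
    allow_array=True, which is the extension discussed in this thread.
    Any other type raises instead of being mapped to null.
    """
    if value is None:
        return None
    if isinstance(value, str):
        # str.split() with no separator collapses repeated spaces and turns
        # an empty scope string into [] rather than [""].
        return value.split()
    if allow_array and isinstance(value, list):
        if not all(isinstance(v, str) and v.strip() for v in value):
            raise ValueError("scope array must contain non-empty strings")
        return [v.strip() for v in value]
    raise ValueError(f"unsupported scope type: {type(value).__name__}")


def introspect(body: str, allow_array: bool = False) -> dict:
    """Parse a raw introspection response body into a claims dict."""
    claims = json.loads(body)
    if not isinstance(claims.get("active"), bool):
        raise ValueError('"active" must be a JSON boolean')
    if not claims["active"]:
        # RFC 7662: only "active" is required, and an inactive token must
        # not yield scopes even if the server echoed some back.
        return {"active": False}
    claims["scope"] = parse_scope(claims.get("scope"), allow_array)
    return claims


if __name__ == "__main__":
    print(introspect(RFC_RESPONSE)["scope"])
    print(introspect(ARRAY_RESPONSE, allow_array=True)["scope"])
```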
Hi Gerardo!
Where does this code come from, NimbusOpaqueTokenIntrospector#convertClaimsSet? It's not part of this SDK.