Invalid scope is throwing a strange exception

Issue #386 resolved
Former user created an issue

I am using WebClient to get a token from Azure. I started getting back the following error saying there are illegal characters in the description. It looks like this may be coming from the error message and is similar to https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/issues/338/authorizationgrantparse-with-a-map-missing. The actual error was due to an invalid scope.

java.lang.IllegalArgumentException: Illegal char(s) in description, see RFC 6749, section 5.2
    at com.nimbusds.oauth2.sdk.ErrorObject.<init>(ErrorObject.java:152) ~[oauth2-oidc-sdk-9.28.jar:9.28]
    Suppressed: reactor.core.publisher.FluxOnAssembly$OnAssemblyException: 
Original Stack Trace:
        at com.nimbusds.oauth2.sdk.ErrorObject.<init>(ErrorObject.java:152) ~[oauth2-oidc-sdk-9.28.jar:9.28]
        at com.nimbusds.oauth2.sdk.TokenErrorResponse.parse(TokenErrorResponse.java:220) ~[oauth2-oidc-sdk-9.28.jar:9.28]
        at com.nimbusds.oauth2.sdk.TokenResponse.parse(TokenResponse.java:77) ~[oauth2-oidc-sdk-9.28.jar:9.28]
        at org.springframework.security.oauth2.core.web.reactive.function.OAuth2AccessTokenResponseBodyExtractor.parse(OAuth2AccessTokenResponseBodyExtractor.java:79) ~[spring-security-oauth2-core-5.6.2.jar:5.6.2]
        at reactor.core.publisher.FluxMap$MapSubscriber.onNext(FluxMap.java:106) ~[reactor-core-3.4.15.jar:3.4.15]

Comments (5)

  1. Vladimir Dzhuvinov

    My suggestion is to contact them and explain that the emitted error description is not compliant with RFC 6749, section 5.2 and causes problems with libraries.

  2. Yavor Vasilev
    • changed status to open

    Will consider adding an ErrorObject.parse method that skips the error_description if illegal chars are found in it.

  3. Christian Ewers

    We ran into the exact same issue. The error messages from Azure are actually really helpful, but always contain illegal “\n\r” characters. I don’t think that Microsoft will change their error messages. Perhaps “illegal whitespace characters” could just be replaced with a blank or just omitted?
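
One way to implement the replacement discussed in this thread, as an added example that is not code from the SDK or from any commenter; the class and method names and the sample description are constructed for illustration. It keeps only the characters RFC 6749, section 5.2 allows in error_description (NQSCHAR) and turns everything else, including CR and LF, into a single space, which also keeps the text on one line when it is logged.

```java
public class ErrorDescriptionSanitizer {

    // RFC 6749, section 5.2: error_description = 1*NQSCHAR
    // NQSCHAR = %x20-21 / %x23-5B / %x5D-7E
    // (printable ASCII except the double quote and the backslash)
    static boolean isLegal(char c) {
        return c >= 0x20 && c <= 0x7E && c != '"' && c != '\\';
    }

    // Collapses every run of illegal characters and spaces into one space
    // and drops leading/trailing spaces. Returns null when no legal
    // non-space character is left, so the caller can omit the parameter.
    static String sanitize(String description) {
        if (description == null) {
            return null;
        }
        StringBuilder sb = new StringBuilder(description.length());
        boolean pendingSpace = false;
        for (int i = 0; i < description.length(); i++) {
            char c = description.charAt(i);
            if (isLegal(c) && c != ' ') {
                if (pendingSpace && sb.length() > 0) {
                    sb.append(' ');
                }
                sb.append(c);
                pendingSpace = false;
            } else {
                pendingSpace = true;
            }
        }
        return sb.length() == 0 ? null : sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: a multi-line description as decoded from a
        // token error response body (not a real server message).
        String raw = "The provided scope is not valid.\r\n"
                + "Trace ID: constructed-example\r\n"
                + "Path: \"C:\\tmp\"";
        System.out.println(sanitize(raw));
        // Only illegal characters: nothing usable remains.
        System.out.println(sanitize("\r\n\t"));
    }
}
```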
