HTTPRequest.getQuery() should take into account the PUT method to return the body not only POST

Issue #511 resolved
D Laurent created an issue

Hello,

We recently migrated a project using SDK version 9 to version 11 (where the method is deprecated) and the project failed with the following exception:

Caused by: com.nimbusds.oauth2.sdk.ParseException: Invalid JSON
                at com.nimbusds.oauth2.sdk.util.JSONUtils.parseJSON(JSONUtils.java:56)
                at com.nimbusds.oauth2.sdk.util.JSONObjectUtils.parse(JSONObjectUtils.java:77)
                at com.nimbusds.oauth2.sdk.http.HTTPRequest.getQueryAsJSONObject(HTTPRequest.java:606)

Caused by: net.minidev.json.parser.ParseException: Unexpected token client_id=<XXX-YYY-ZZZ> at position 121.
                at net.minidev.json.parser.JSONParserBase.readFirst(JSONParserBase.java:439)
                at net.minidev.json.parser.JSONParserBase.parse(JSONParserBase.java:218)
                at net.minidev.json.parser.JSONParserString.parse(JSONParserString.java:58)
                at net.minidev.json.parser.JSONParserString.parse(JSONParserString.java:39)
                at net.minidev.json.parser.JSONParser.parse(JSONParser.java:277)
                at com.nimbusds.oauth2.sdk.util.JSONUtils.parseJSON(JSONUtils.java:54)

The code impacted was

OIDCClientUpdateRequest updateRequest =
        new OIDCClientUpdateRequest(registrationClientUri, clientId, registrationAccessToken, clientMetadata,
                                    clientSecret);
HTTPRequest nimbusRequest = updateRequest.toHTTPRequest();
JSONObject queryAsJSONObject = nimbusRequest.getQueryAsJSONObject();

and the issue comes from the heuristics in the newly-deprecated getQuery() method:

@Deprecated
public String getQuery() {

    // Heuristics for deprecated API
    return Method.POST.equals(getMethod()) ? getBody() : getURL().getQuery();
}

Our code is easy to fix; it is merely a switch from request.getQueryAsJSONObject() to request.getBodyAsJSONObject().

We have also seen that com.nimbusds.oauth2.sdk.http.HTTPRequest#getQuery has been deprecated in 11.

However, until the method is removed, the heuristics could be improved so that the library has better backward-compatibility by also returning the body in case of an HTTP PUT method as is used in the OIDCClientUpdateRequest.

The improved getQuery() would be:

@Deprecated
public String getQuery() {

    // Heuristics for deprecated API
    return (Method.POST.equals(getMethod()) || Method.PUT.equals(getMethod())) ? getBody() : getURL().getQuery();
}

Best regards,

Dominique
