# Reject client authentication where client_id has non-printable ASCII characters #889


Status: Closed
scottcarter87 opened this issue Sep 12, 2022 · 0 comments
Labels: type: enhancement (A general enhancement)


scottcarter87 commented Sep 12, 2022

**Describe the bug**
A request to the token endpoint with a client ID containing non-printable ASCII characters such as 0x00 (null), 0x0a (line feed), etc. results in the AuthenticationProviders passing this value to the repo layer, where Postgres (and potentially other data sources) will throw a DataIntegrityViolationException when trying to run a select query that contains a clientId like this.

**To Reproduce**
Send a POST request to the OAuth2 token endpoint with the client ID set to "\0x00" or any other non-printable ASCII character, with or without other printable ASCII characters. The request will be passed through to the repo layer and will throw an error.

**Expected behavior**
Expected behavior is that Spring would reject any clientId containing non-printable ASCII characters as either a bad request or unauthorized, without ever attempting to look up the RegisteredClient in the database.

**Sample**

    import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
    import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
    import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

    import org.springframework.http.MediaType;
    import org.testng.annotations.DataProvider;
    import org.testng.annotations.Test;

    // OAuth2, OAuth2Constants, AuthorizedGrantType, ServiceAccount, OAuthClientDetailsTestData
    // and getMockMvc() are helpers from the reporter's own test harness (not shown here).

    @DataProvider
    private Object[][] invalidClientIds() {
        return new Object[][] {
                // Null (0x00). Java has no "\0x.." escape: "\0x00" is an octal NUL followed by
                // the literal text "x00", so the Unicode escape is used instead.
                { "\u0000" },

                // Line feed (0x0a). The Unicode escape for 0x0a cannot appear inside a string
                // literal (Unicode escapes are translated before lexing), so use "\n".
                { "\n" },

                // Escape (0x1b)
                { "\u001b" },

                // Mix of printable and non-printable ASCII characters (escape character + 'a')
                { "\u001ba" },
        };
    }

    // client_secret_post: client_id and client_secret sent as form parameters
    @Test(dataProvider = "invalidClientIds")
    public void postForAccessTokenWithNonPrintableAsciiCharacters(final String clientId) throws Exception {
        getMockMvc().perform(post(OAuth2.TOKEN_ROOT)
                        .contentType(MediaType.APPLICATION_FORM_URLENCODED_VALUE)
                        .param(OAuth2Constants.Parameters.GRANT_TYPE, AuthorizedGrantType.CLIENT_CREDENTIALS.getValue())
                        .param(OAuth2Constants.Parameters.CLIENT_ID, clientId)
                        .param(OAuth2Constants.Parameters.CLIENT_SECRET, ServiceAccount.CLIENT_SECRET))
                .andExpect(status().isUnauthorized());
    }

    // client_secret_basic: client_id and client_secret sent in the HTTP Basic Authorization header
    @Test(dataProvider = "invalidClientIds")
    public void postForAccessTokenBasicAuthWithNonPrintableAsciiCharacters(final String clientId) throws Exception {
        getMockMvc().perform(post(OAuth2.TOKEN_ROOT)
                        .with(httpBasic(clientId, OAuthClientDetailsTestData.ServiceAccount.CLIENT_SECRET))
                        .contentType(MediaType.APPLICATION_FORM_URLENCODED_VALUE)
                        .param(OAuth2Constants.Parameters.GRANT_TYPE, AuthorizedGrantType.CLIENT_CREDENTIALS.getValue()))
                .andExpect(status().isUnauthorized());
    }
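As an added example (not spring-authorization-server code and not the reporter's test harness), the stand-alone Java class below shows the kind of check the report asks for: validating `client_id` and `client_secret` against the VSCHAR character set (%x20-7E) that RFC 6749 Appendix A specifies for both parameters, before any RegisteredClient lookup happens. It covers both the form-parameter path and the HTTP Basic path (RFC 6749 section 2.3.1, where both values are form-url-encoded and then base64-encoded). The class and method names are assumptions, the sample inputs are constructed, and Java 17 is assumed for `record`.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;

// Added example, not spring-authorization-server code: reject client credentials that
// fall outside RFC 6749's VSCHAR set (%x20-7E) before any RegisteredClient lookup.
public final class ClientCredentialsValidator {

    /** Parsed, already validated credentials. */
    public record Credentials(String clientId, String clientSecret) {}

    /** RFC 6749 Appendix A: client-id = *VSCHAR, client-secret = *VSCHAR, VSCHAR = %x20-7E.
     *  Empty values are rejected too, since an empty client_id cannot identify a client. */
    public static boolean isVschar(String value) {
        if (value == null || value.isEmpty()) {
            return false;
        }
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c < 0x20 || c > 0x7E) {
                return false; // NUL, LF, ESC, DEL and any non-ASCII character end up here
            }
        }
        return true;
    }

    /** client_secret_post: validate both form values, otherwise treat the request as unauthorized. */
    public static Optional<Credentials> fromFormParams(String clientId, String clientSecret) {
        if (!isVschar(clientId) || !isVschar(clientSecret)) {
            return Optional.empty();
        }
        return Optional.of(new Credentials(clientId, clientSecret));
    }

    /** HTTP Basic per RFC 6749 section 2.3.1: "Basic " + base64(urlencode(id) ":" urlencode(secret)).
     *  Both the encoded and the decoded forms are checked, so a "%00" in the encoded form
     *  cannot carry a NUL past the check. */
    public static Optional<Credentials> fromBasicHeader(String authorization) {
        if (authorization == null || !authorization.regionMatches(true, 0, "Basic ", 0, 6)) {
            return Optional.empty();
        }
        String decoded;
        try {
            byte[] raw = Base64.getDecoder().decode(authorization.substring(6).trim());
            decoded = new String(raw, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return Optional.empty(); // malformed base64
        }
        int colon = decoded.indexOf(':');
        if (colon < 0) {
            return Optional.empty();
        }
        String encodedId = decoded.substring(0, colon);
        String encodedSecret = decoded.substring(colon + 1);
        if (!isVschar(encodedId) || !isVschar(encodedSecret)) {
            return Optional.empty();
        }
        try {
            return fromFormParams(
                    URLDecoder.decode(encodedId, StandardCharsets.UTF_8),
                    URLDecoder.decode(encodedSecret, StandardCharsets.UTF_8));
        } catch (IllegalArgumentException e) {
            return Optional.empty(); // malformed percent-encoding
        }
    }

    // --- demo with constructed inputs ---

    static String basicHeader(String clientId, String clientSecret) {
        String pair = clientId + ":" + clientSecret;
        return "Basic " + Base64.getEncoder().encodeToString(pair.getBytes(StandardCharsets.UTF_8));
    }

    /** Renders control and non-ASCII characters as <hex> so the demo output is readable. */
    static String visible(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            sb.append(c < 0x20 || c > 0x7E ? String.format("<%02x>", (int) c) : String.valueOf(c));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed inputs: the report's NUL, LF, ESC and ESC+'a' cases, plus a non-ASCII letter.
        String[] ids = { "client-a", "\u0000", "\n", "\u001b", "\u001ba", "cl\u00efent" };
        for (String id : ids) {
            boolean ok = fromFormParams(id, "s3cret").isPresent();
            System.out.printf("form   client_id=%-12s -> %s%n", visible(id), ok ? "accepted" : "rejected");
        }
        for (String id : ids) {
            boolean ok = fromBasicHeader(basicHeader(id, "s3cret")).isPresent();
            System.out.printf("basic  client_id=%-12s -> %s%n", visible(id), ok ? "accepted" : "rejected");
        }
        // A percent-encoded NUL inside the Basic header is rejected as well.
        boolean ok = fromBasicHeader(basicHeader("%00a", "s3cret")).isPresent();
        System.out.println("basic  client_id=%00a         -> " + (ok ? "accepted" : "rejected"));
    }
}
```

Only `client-a` is accepted on either path; every other input is rejected before any repository call would be made, which is the point of doing the character-set check in the authentication converter rather than relying on the data source to fail. Rejecting with a generic unauthorized result (rather than echoing the offending value) keeps the response from leaking which character tripped the check.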
@scottcarter87 scottcarter87 added the type: bug A general bug label Sep 12, 2022
@jgrandja jgrandja changed the title Spring allows clientIds with non-printable ASCII characters to pass through to the repository layer clientIds with non-printable ASCII characters pass through to the repository layer Sep 12, 2022
@jgrandja jgrandja added type: enhancement A general enhancement and removed type: bug A general bug labels Sep 13, 2022
@jgrandja jgrandja changed the title clientIds with non-printable ASCII characters pass through to the repository layer Consider rejecting client authentication where clientId has non-printable ASCII characters Sep 13, 2022
@jgrandja jgrandja self-assigned this Nov 18, 2022
@jgrandja jgrandja added this to the 0.4.0 milestone Nov 18, 2022
@jgrandja jgrandja changed the title Consider rejecting client authentication where clientId has non-printable ASCII characters Reject client authentication where client_id has non-printable ASCII characters Nov 18, 2022
doba16 pushed a commit to doba16/spring-authorization-server that referenced this issue Apr 21, 2023