Skip to content

Not all OAuth2 ClientAuthenticationMethods are supported in Jackson2 converters #16825

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
mapsu opened this issue Mar 26, 2025 · 1 comment · Fixed by #16826
Closed

Not all OAuth2 ClientAuthenticationMethods are supported in Jackson2 converters #16825

mapsu opened this issue Mar 26, 2025 · 1 comment · Fixed by #16826
Assignees
@jzheaux
Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) status: duplicate A duplicate of another issue type: bug A general bug

Comments

@mapsu
Copy link
Contributor

mapsu commented Mar 26, 2025

Describe the bug
StdConverters do not support all available OAuth2 ClientAuthenticationMethods
https://github.com/spring-projects/spring-security/blob/main/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/StdConverters.java#L48-L65

For example ClientAuthenticationMethod.PRIVATE_KEY_JWT authentication method is missing from mapping.
In case private_key_jwt is used for client authentication and authorized clients are stored in Redis then when loading and deserializing ClientRegistration from json the clientAuthenticationMethod is not correctly converted and then later defaulted to incorrect value.

Precondition

  • Project using Spring Security configured to store session data to Redis
    • Use org.springframework.session:spring-session-data-redis library to achieve this
  • Store OAuth2 authorised clients to Http Session instead of InMemory
    • Configure OAuth2AuthorizedClientRepository to HttpSessionOAuth2AuthorizedClientRepository

To Reproduce

  • Authenticate with a user
    • The authorized client is stored to Redis with client registration details
  • When access token expires and OAuth2AuthorizedManager tries to refresh token then incorrect authentication method is used

Expected behavior
In token refresh, correct authentication method is used.

Sample
I decided to not include a sample this time because it would require setting up redis, e.g. in docker compose, but also authorization server for OAuth2 login.
The bug is quite obvious for me because there's missing ClientAuthenticationMethods missing from converter.

I can create a sample if you deem it's needed.
@mapsu mapsu added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Mar 26, 2025
mapsu added a commit to mapsu/spring-security that referenced this issue Mar 26, 2025
@mapsu
Add missing ClientAuthenticationMethods to jackson2 converter
1bf85d1 
Closes spring-projectsgh-16825

Signed-off-by: Risto Virtanen <[email protected]>
@mapsu mapsu mentioned this issue Mar 26, 2025
Merged
mapsu added a commit to mapsu/spring-security that referenced this issue Mar 26, 2025
@mapsu
Add missing ClientAuthenticationMethods to jackson2 converter
0bb8a89 
Closes spring-projectsgh-16825

Signed-off-by: Risto Virtanen <[email protected]>
mapsu added a commit to mapsu/spring-security that referenced this issue Mar 26, 2025
@mapsu
Add missing ClientAuthenticationMethods to jackson2 converter
42fc2e7 
Closes spring-projectsgh-16825

Signed-off-by: Risto Virtanen <[email protected]>
mapsu added a commit to mapsu/spring-security that referenced this issue Mar 26, 2025
@mapsu
Add missing ClientAuthenticationMethods to jackson2 converter
a75c0c6 
Closes spring-projectsgh-16825

Signed-off-by: Risto Virtanen <[email protected]>
jzheaux added a commit that referenced this issue Apr 2, 2025
@jzheaux
Add valueOf
2885b0f 
This commit adds a static factory for returning a constant
ClientAuthenticationMethod or creating a new one when there
is no match.

Issue gh-16825
mapsu added a commit to mapsu/spring-security that referenced this issue Apr 4, 2025
@mapsu
Merge branch 'spring-projects:main' into spring-projectsgh-16825
16db74c
@jzheaux jzheaux closed this as completed in 368fe2e Apr 9, 2025
@jzheaux jzheaux self-assigned this Apr 21, 2025
@jzheaux jzheaux added status: duplicate A duplicate of another issue in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) and removed status: waiting-for-triage An issue we've not yet triaged labels Apr 21, 2025
@jzheaux
Copy link
Contributor

jzheaux commented Apr 21, 2025

Closed in favor of #16826

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jzheaux jzheaux

Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) status: duplicate A duplicate of another issue type: bug A general bug
Projects
None yet
Milestone
No milestone
2 participants
@mapsu @jzheaux