Resource Server handles missing/invalid Bearer Token #5125

Closed
jgrandja opened this issue Mar 16, 2018 · 1 comment · Fixed by jzheaux/spring-security-oauth2-resource-server#8

@jgrandja

This feature implements Section 3 of RFC 6750, The WWW-Authenticate Response Header Field.

AuthenticationEntryPoint can be leveraged for the implementation.

@jgrandja jgrandja added New Feature in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) labels Mar 16, 2018
@jgrandja jgrandja added this to the 5.1.0.M1 milestone Mar 16, 2018
@jgrandja jgrandja changed the title Handle missing/invalid credentials in protected resource request Resource Server handles missing/invalid Bearer Token Mar 16, 2018
@jgrandja

Related #5121

@jgrandja jgrandja modified the milestones: 5.1.0.M1, 5.1.0.M2 Mar 16, 2018
jzheaux added a commit to jzheaux/spring-security-oauth2-resource-server that referenced this issue Apr 17, 2018
There were a couple of comments that were missed in the PR merge,
namely one from @jzheaux regarding setRealmName and one from
@jgrandja regarding OAuth2ParameterNames usage.

Issue spring-projects/spring-security#5125
@jgrandja jgrandja reopened this Apr 17, 2018
jzheaux added a commit to jzheaux/spring-security-oauth2-resource-server that referenced this issue Apr 18, 2018
There were a couple of comments that were missed in the PR merge,
namely one from @jzheaux regarding setRealmName as well as a quick
change to pull WWW-Authenticate from Spring's HttpHeader constant.

Issue spring-projects/spring-security#5125
jzheaux added a commit to jzheaux/spring-security-oauth2-resource-server that referenced this issue Apr 26, 2018
Reconfigured the auth0 sample to use the Resource Server Configurer.

Note that this uncovered a problem with BearerTokenErrorHandler where
it was calling sendError instead of setStatus. The contract of
sendError indicates that it converts the content type to text/html and
allows the container to send an html error response with the given
message.

Calling setStatus seems more appropriate in our case.

Issue: spring-projects/spring-security#5125
jzheaux added a commit to jzheaux/spring-security that referenced this issue Jul 16, 2018
Introducing initial support for Jwt-Encoded Bearer Token authorization
with remote JWK set signature verification.

High-level features include:

- Accepting bearer tokens as headers and form or query parameters
- Verifying signatures from a remote Jwk set

And:

- A DSL for easy configuration
- A sample to demonstrate usage

Fixes: spring-projectsgh-5128
Fixes: spring-projectsgh-5125
Fixes: spring-projectsgh-5121
Fixes: spring-projectsgh-5130
Fixes: spring-projectsgh-5226
Fixes: spring-projectsgh-5237
@rwinch rwinch closed this as completed in 40ccdb9 Jul 16, 2018
@rwinch rwinch added the type: enhancement A general enhancement label May 3, 2019
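
An added example, not code from the project or from the commits referenced above: a minimal `AuthenticationEntryPoint` that emits the RFC 6750 Section 3 `WWW-Authenticate` challenge and calls `setStatus` rather than `sendError`, the distinction the Apr 26 commit message describes. The class name `SampleBearerEntryPoint`, the `javax.servlet` namespace, and treating `InsufficientAuthenticationException` as the missing-token case are assumptions of this sketch.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;

// Added example: hypothetical class, not the project's BearerTokenErrorHandler.
public class SampleBearerEntryPoint implements AuthenticationEntryPoint {

    private final String realmName; // assumption: non-null realm supplied by the application

    public SampleBearerEntryPoint(String realmName) {
        this.realmName = realmName;
    }

    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException failure) throws IOException {
        response.setHeader(HttpHeaders.WWW_AUTHENTICATE, challenge(failure));
        // setStatus, not sendError: the container must not replace the response
        // with its own text/html error page.
        response.setStatus(HttpStatus.UNAUTHORIZED.value());
    }

    String challenge(AuthenticationException failure) {
        StringBuilder header = new StringBuilder("Bearer realm=\"")
                .append(headerSafe(realmName)).append('"');
        // RFC 6750 Section 3: a request that carries no credentials gets a bare
        // challenge, with no error code or description.
        if (!(failure instanceof InsufficientAuthenticationException)) {
            // Assumption: the exception message is safe to disclose to the client.
            header.append(", error=\"invalid_token\"")
                  .append(", error_description=\"")
                  .append(headerSafe(String.valueOf(failure.getMessage()))).append('"');
        }
        return header.toString();
    }

    // Keep only the characters RFC 6750 allows in error_description
    // (%x20-21 / %x23-5B / %x5D-7E); this also drops CR/LF, quotes and backslashes,
    // so a token-derived message cannot break out of the quoted header value.
    private static String headerSafe(String value) {
        return value.replaceAll("[^\\x20-\\x21\\x23-\\x5B\\x5D-\\x7E]", "");
    }
}
```

A request without a token yields `Bearer realm="..."` alone, while a rejected token adds `error="invalid_token"` and a sanitized `error_description`, both with status 401 and no container-generated HTML body.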