ServerBearerTokenAuthenticationConverter does not support form encoded body parameter #15818
Assignees
Labels
in: oauth2
An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)
status: waiting-for-triage
An issue we've not yet triaged
type: enhancement
A general enhancement
Comments
jonah1und1
added
status: waiting-for-triage
sjohnr
added
in: oauth2
|
Any updates on this? |
|
@jonah1und1 thanks for checking. We are working on a few high priority items for the release and then I will be reviewing your PR. If you would like to get a head start, please check the PR for modern java features from Java 11+ and switch back to corresponding Java 8 features. We are not yet ready to update most of the source code to Java 17 features because we are following Spring Framework's lead on which language features we are using. |
|
@sjohnr Thank you. I will do that. |
jonah1und1
added a commit
to jonah1und1/spring-security
that referenced
this issue
Oct 2, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
When using opaque tokens with an OAuth 2 resource server, webflux's
ServerBearerTokenAuthenticationConverterdoes not support authentication via url-encoded POST requests with their access token as a body parameter.RFC-6750 Sec. 2.2 describes this behaviour and it is supported by
DefaultBearerTokenResolverin mvc.To Reproduce
Create a POST endpoint for which authentication with an OAuth 2 resource server with an opaque token is needed. Doing so with the reactive stack does not allow for authentication via a body parameter.
Expected behavior
Providing a body parameter with a valid access token named
access_tokenshould authenticate the request.Sample
A sample project with designated test cases for the mvc and reactive stack can be found here:
https://github.com/jonah1und1/spring-security-rfc6750-2.2
The text was updated successfully, but these errors were encountered: