Apr 16th, 2012, 01:59 PM
Wrong error when using a bad client_secret
I believe there is a minor bug with the current snapshot version, here is the scenario:
Request an access token using client_credentials grant_type, using an invalid client secret;
Expected result should be HTTP 401, and error code should be "invalid_client", instead I get
HTTP 401 (which is correct) but error code is "unauthorized". This behavior seems to have been introduced when the DefaultWebResponseExceptionTranslator refactor was made.
Here is what happens "internally" in case it helps:
AbstractUserDetailsAuthenticationProvider->authenticate->additionalAuthenticationChecks -> throws BadCredentialsException, which is not an OAuth2Exception, but it is an AuthenticationException which gets mapped by the WebResponseExceptionTranslator to "unauthorized".
Should I file a bug for this?
Apr 16th, 2012, 02:48 PM
Yes, please. I think you are fighting with Geerd (http://forum.springsource.org/showth...010#post409010) for the right to deal with that exception. I merged his pull request because it didn't fail any integration tests. Can you come up with a test and a fix that prevents the OAuth2Exception from being thrown too early in the chain?
Apr 17th, 2012, 04:05 AM
Actually, scratch that last comment. If you are trying to get a token with client_credentials you are not hitting a protected resource. It should work as you expect, so raise a JIRA ticket (and a pull request if you have a proposal for fixing it). An integration test would help (in fact I thought there was one).
Apr 17th, 2012, 10:27 AM
Hi, I will file the bug.
Yes, I can come up with the test; it will be after my work hours, so at night PST.
Apr 17th, 2012, 11:49 AM
I added an integration test which passes, so it will be interesting to see what the difference is in your scenario.
Apr 17th, 2012, 03:17 PM
Something Paulo didn't mention was that this works fine if the client credentials are passed in the body of the token request, but fails (as described) if the client credentials are passed in the Authorization header.
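As an added example (not code from this thread or from the Spring Security OAuth project), a JUnit test that sends the same client_credentials request both ways Nick describes, with the bad secret in the form body and then in an HTTP Basic Authorization header, and expects HTTP 401 with "invalid_client" on each path. The token URL, client id and secret are assumed placeholders for a running provider; on the snapshot described above the header variant fails because the body carries "unauthorized".

```java
import static org.junit.Assert.assertEquals;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;
import org.junit.Test;
import org.springframework.http.*;
import org.springframework.http.client.ClientHttpResponse;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.DefaultResponseErrorHandler;
import org.springframework.web.client.RestTemplate;
public class InvalidClientSecretTest {
    // Assumed values for this example: point them at the provider under test.
    private static final String TOKEN_URL = "http://localhost:8080/sparklr2/oauth/token";
    private static final String CLIENT_ID = "example-client";
    private static final String BAD_SECRET = "not-the-real-secret";
    @Test
    public void badSecretInBodyIsReportedAsInvalidClient() {
        MultiValueMap<String, String> form = clientCredentialsForm();
        form.add("client_id", CLIENT_ID);
        form.add("client_secret", BAD_SECRET);
        assertInvalidClient(post(new HttpHeaders(), form));
    }
    @Test
    public void badSecretInAuthorizationHeaderIsReportedAsInvalidClient() {
        HttpHeaders headers = new HttpHeaders();
        byte[] credentials = (CLIENT_ID + ":" + BAD_SECRET).getBytes(StandardCharsets.UTF_8);
        headers.set("Authorization", "Basic " + Base64.getEncoder().encodeToString(credentials));
        assertInvalidClient(post(headers, clientCredentialsForm()));
    }
    private static MultiValueMap<String, String> clientCredentialsForm() {
        MultiValueMap<String, String> form = new LinkedMultiValueMap<String, String>();
        form.add("grant_type", "client_credentials");
        return form;
    }
    // RestTemplate's form converter sends a MultiValueMap as application/x-www-form-urlencoded.
    private ResponseEntity<Map> post(HttpHeaders headers, MultiValueMap<String, String> form) {
        RestTemplate rest = new RestTemplate();
        rest.setErrorHandler(new DefaultResponseErrorHandler() { // let 4xx through so the body can be read
            @Override public boolean hasError(ClientHttpResponse response) { return false; }
        });
        return rest.exchange(TOKEN_URL, HttpMethod.POST,
                new HttpEntity<MultiValueMap<String, String>>(form, headers), Map.class);
    }
    // Expected on both paths: HTTP 401 with error code "invalid_client", not "unauthorized".
    private static void assertInvalidClient(ResponseEntity<Map> response) {
        assertEquals(HttpStatus.UNAUTHORIZED, response.getStatusCode());
        assertEquals("invalid_client", response.getBody().get("error"));
    }
}
```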
Apr 17th, 2012, 03:33 PM
Could you please let me know the test name (Class name and test name), so that I can make the necessary adjustments?
Yes, what Nick said is likely the difference.
Apr 18th, 2012, 04:16 AM
Look at sparklr2: org.springframework.security.oauth2.provider.TestClientCredentialsProvider.testInvalidCredentials()
Apr 18th, 2012, 01:40 PM
Cool, will use the test, make any necessary adjustments and let you know the results as soon as I get out of some meetings (ETA 3 hours).