Thread: User taken to Authentication Entry Point in case of ClientAuthentication Exception

  1. #1
    Join Date
    Apr 2012
    Posts
    26

    Default User taken to Authentication Entry Point in case of ClientAuthentication Exception

    Greetings

    I believed that in case of invalid_client (a client_id not supplied) or redirect_uri_mismatch (Invalid redirect: does not match one of the registered values) or any such runtime exceptions, the Authorization server should return 400 with error and error_description (as per http://tools.ietf.org/html/draft-iet...-v2-22#page-38). I am implementing an Authorization Server with Spring M6a where, in case of any such error, ExceptionTranslationFilter takes the user to the Authentication entry point, which is a default login screen. Rather, I want the server to return an error response. Is there any configuration I need to do to achieve this?

    Thanks for your attention.

    Saamy

  2. #2
    Join Date
    Jun 2005
    Posts
    4,232

    Default

    Did you try the most recent codebase? There were some changes to the exception handling since that release.

  3. #3
    Join Date
    Apr 2012
    Posts
    26

    Default

    Thanks for replying!
    I pointed to most recent milestone M6d and this time it gives me 500.

    Code:
    SEVERE: Servlet.service() for servlet spring threw exception
    error="redirect_uri_mismatch", error_description="Invalid redirect: https://somehost/redirecttounknown does not match one of the registered values: [host]"
    	at org.springframework.security.oauth2.provider.endpoint.DefaultRedirectResolver.obtainMatchingRedirect(DefaultRedirectResolver.java:81)
    	at org.springframework.security.oauth2.provider.endpoint.DefaultRedirectResolver.resolveRedirect(DefaultRedirectResolver.java:38)
    	at org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint.resolveRedirectUri(AuthorizationEndpoint.java:196)

  4. #4
    Join Date
    Apr 2012
    Posts
    26

    Default

    I was trying to debug why 500 is thrown in case of RedirectMismatchException instead of 400. In ExceptionTranslationFilter.java line 127:

    Code:
    RuntimeException ase = (AuthenticationException) throwableAnalyzer.getFirstThrowableOfType(AuthenticationException.class, causeChain);

    Though RedirectMismatchException is of type AuthenticationException, for some reason getFirstThrowableOfType() still returns null, because of which it is unable to call handleSpringSecurityException() and finally throws a RuntimeException. I think it may be a version mismatch between OAuth M6d and Spring Security web 3.1.0 that I am using.

    [Attached screenshot: Screen Shot 2012-06-19 at 20.09.57.jpg]
    The image above might be very small to read, but it is nothing but a snapshot of the debugger breakpoint at the same code mentioned above.
    Last edited by saamy; Jun 19th, 2012 at 02:46 PM.

  5. #5
    Join Date
    Apr 2012
    Posts
    26

    Default

    OAuth2Exception in M6a extends AuthenticationException, while OAuth2Exception in M6d or the latest snapshot doesn't extend AuthenticationException. Am I messing around with versions somewhere?

    DefaultWebResponseExceptionTranslator is being bypassed, which I suppose should have been used to translate the OAuth exception.
    Last edited by saamy; Jun 19th, 2012 at 03:37 PM.

  6. #6
    Join Date
    Jun 2005
    Posts
    4,232

    Default

    It is correct that the OAuth2 exceptions no longer extend AuthenticationException (it was that which caused the problem you experienced in M6a). They should be handled by the @ExceptionHandlers in the endpoints, and there are some integration tests in sparkl2 so I think it's working there. Can you verify that, and try and spot the difference with your configuration?

    Spring Security 3.1.0 is fine I am sure. But there were changes in exception handling in Spring MVC in 3.1, so make sure you don't have old jars on your classpath - e.g. pin the dependency explicitly if necessary.

  7. #7
    Join Date
    Apr 2012
    Posts
    26

    Default

    Thanks for your reply Dave.

    Is oauthAccessDeniedHandler not supposed to handle exceptions? I have applied this filter to incoming requests:

    <access-denied-handler ref="oauthAccessDeniedHandler"/>

    bean definition:

    <beans:bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />

    but control never comes to OAuth2AccessDeniedHandler.handle(); rather it goes to ExceptionTranslationFilter. That is probably the root cause of this. Is there any configuration I am missing here?

  8. #8
    Join Date
    Jun 2005
    Posts
    4,232

    Default

    Quote Originally Posted by saamy View Post
    but control never comes to OAuth2AccessDeniedHandler.handle() rather it goes to ExceptionTranslationFilter.
    It should go to neither (an AccessDenied handler only handles AccessDeniedExceptions). Maybe you need to build from source (M6d was a while ago).

    Quote Originally Posted by saamy View Post
    Is there any configuration am missing here?
    I don't know, I haven't seen your config yet.

  9. #9
    Join Date
    Apr 2012
    Posts
    26

    Default

    Got that! I was actually intercepting the AuthorizationEndpoint request and did not specify @ExceptionHandler. Now that I have added it, it comes to DefaultWebResponseExceptionTranslator and is able to translate.

    Thanks for your help!
    Last edited by saamy; Jun 20th, 2012 at 07:58 AM.

  10. #10
    Join Date
    Jun 2005
    Posts
    4,232

    Default

    I think in those cases the error is returned as JSON (if the client asks for it). Also that section of the spec is about the error response for a token request, so normally the TokenEndpoint, unless it is an implicit grant. Those two cases have special handlers so they should work as specified. You didn't say in any detail what the request was that you sent, so I don't know if it was one of those two cases.
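    The fix found in post #9, written out as an added example (this is not code from the thread or from the Spring Security OAuth project): a controller that sits in front of the authorization endpoint and declares the @ExceptionHandler that was missing. The controller class, its package and the /oauth/precheck mapping are hypothetical; the assumption is a post-M6d Spring Security OAuth2 build in which OAuth2Exception no longer extends AuthenticationException, so ExceptionTranslationFilter ignores it and, without a handler, the servlet container answers 500 as in the trace in post #3. With the handler, DefaultWebResponseExceptionTranslator turns the exception into the 400 error/error_description response that post #1 asked for.

```java
package example.oauth; // hypothetical package, not from the thread

import org.springframework.http.ResponseEntity;
import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.endpoint.DefaultRedirectResolver;
import org.springframework.security.oauth2.provider.endpoint.RedirectResolver;
import org.springframework.security.oauth2.provider.error.DefaultWebResponseExceptionTranslator;
import org.springframework.security.oauth2.provider.error.WebResponseExceptionTranslator;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;

/**
 * Hypothetical controller placed in front of AuthorizationEndpoint.
 * It validates the redirect_uri with the same DefaultRedirectResolver that
 * appears in the stack trace of post #3, so a mismatch raises
 * RedirectMismatchException, an OAuth2Exception subclass.
 */
@Controller
public class AuthorizeFrontController {

    private final ClientDetailsService clientDetailsService;
    private final RedirectResolver redirectResolver = new DefaultRedirectResolver();
    private final WebResponseExceptionTranslator translator = new DefaultWebResponseExceptionTranslator();

    public AuthorizeFrontController(ClientDetailsService clientDetailsService) {
        this.clientDetailsService = clientDetailsService;
    }

    @RequestMapping("/oauth/precheck") // hypothetical mapping
    public String precheck(@RequestParam("client_id") String clientId,
                           @RequestParam(value = "redirect_uri", required = false) String redirectUri) {
        ClientDetails client = clientDetailsService.loadClientByClientId(clientId);
        // Throws RedirectMismatchException when redirectUri is not one of the
        // client's registered values; the message matches the one in post #3.
        redirectResolver.resolveRedirect(redirectUri, client);
        // Validation passed: hand the unchanged request to the real endpoint.
        return "forward:/oauth/authorize";
    }

    /**
     * This is the piece post #9 was missing. Because OAuth2Exception is no
     * longer an AuthenticationException, neither ExceptionTranslationFilter
     * nor the access-denied handler from post #7 will ever see it. Declaring
     * an @ExceptionHandler on the intercepting controller routes it to
     * DefaultWebResponseExceptionTranslator instead, which builds a
     * ResponseEntity carrying the exception's own HTTP status (400 for
     * redirect_uri_mismatch) and the exception as the body; with a JSON
     * message converter registered, the body is rendered as
     * {"error":"redirect_uri_mismatch","error_description":"..."},
     * which is the error response post #10 describes.
     */
    @ExceptionHandler(OAuth2Exception.class)
    public ResponseEntity<OAuth2Exception> handleOAuth2Exception(OAuth2Exception e) throws Exception {
        return translator.translate(e);
    }
}
```

    The handler is scoped to this controller only; a controller that does not intercept the endpoint does not need it, because AuthorizationEndpoint and TokenEndpoint carry their own @ExceptionHandler methods, as post #6 notes.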
