Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Not all OAuth2 ClientAuthenticationMethods are supported in Jackson2 converters #16825

Open
mapsu opened this issue Mar 26, 2025 · 0 comments · May be fixed by #16826
Open

Not all OAuth2 ClientAuthenticationMethods are supported in Jackson2 converters #16825

mapsu opened this issue Mar 26, 2025 · 0 comments · May be fixed by #16826
Labels
status: waiting-for-triage An issue we've not yet triaged type: bug A general bug

Comments

@mapsu
Copy link

mapsu commented Mar 26, 2025

Describe the bug
StdConverters do not support all available OAuth2 ClientAuthenticationMethods
https://github.com/spring-projects/spring-security/blob/main/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/StdConverters.java#L48-L65

For example ClientAuthenticationMethod.PRIVATE_KEY_JWT authentication method is missing from mapping.
In case private_key_jwt is used for client authentication and authorized clients are stored in Redis then when loading and deserializing ClientRegistration from json the clientAuthenticationMethod is not correctly converted and then later defaulted to incorrect value.

Precondition

  • Project using Spring Security configured to store session data to Redis
    • Use org.springframework.session:spring-session-data-redis library to achieve this
  • Store OAuth2 authorised clients to Http Session instead of InMemory
    • Configure OAuth2AuthorizedClientRepository to HttpSessionOAuth2AuthorizedClientRepository

To Reproduce

  • Authenticate with a user
    • The authorized client is stored to Redis with client registration details
  • When access token expires and OAuth2AuthorizedManager tries to refresh token then incorrect authentication method is used

Expected behavior
In token refresh, correct authentication method is used.

Sample
I decided to not include a sample this time because it would require setting up redis, e.g. in docker compose, but also authorization server for OAuth2 login.
The bug is quite obvious for me because there's missing ClientAuthenticationMethods missing from converter.

I can create a sample if you deem it's needed.
@mapsu mapsu added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Mar 26, 2025
mapsu added a commit to mapsu/spring-security that referenced this issue Mar 26, 2025
@mapsu
Add missing ClientAuthenticationMethods to jackson2 converter
1bf85d1 
Closes spring-projectsgh-16825

Signed-off-by: Risto Virtanen <[email protected]>
@mapsu mapsu linked a pull request Mar 26, 2025 that will close this issue
Open
mapsu added a commit to mapsu/spring-security that referenced this issue Mar 26, 2025
@mapsu
Add missing ClientAuthenticationMethods to jackson2 converter
0bb8a89 
Closes spring-projectsgh-16825

Signed-off-by: Risto Virtanen <[email protected]>
mapsu added a commit to mapsu/spring-security that referenced this issue Mar 26, 2025
@mapsu
Add missing ClientAuthenticationMethods to jackson2 converter
42fc2e7 
Closes spring-projectsgh-16825

Signed-off-by: Risto Virtanen <[email protected]>
mapsu added a commit to mapsu/spring-security that referenced this issue Mar 26, 2025
@mapsu
Add missing ClientAuthenticationMethods to jackson2 converter
a75c0c6 
Closes spring-projectsgh-16825

Signed-off-by: Risto Virtanen <[email protected]>
jzheaux added a commit that referenced this issue Apr 2, 2025
@jzheaux
Add valueOf
2885b0f 
This commit adds a static factory for returning a constant
ClientAuthenticationMethod or creating a new one when there
is no match.

Issue gh-16825
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
status: waiting-for-triage An issue we've not yet triaged type: bug A general bug
Projects
None yet
Milestone
No milestone
1 participant
@mapsu