Skip to content

Allow client registration from issuer uri with no authorize_endpoint #9795

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
sclorng opened this issue May 25, 2021 · 1 comment · Fixed by #9931
Closed

Allow client registration from issuer uri with no authorize_endpoint #9795

sclorng opened this issue May 25, 2021 · 1 comment · Fixed by #9931
Assignees
@sjohnr
Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) status: backported An issue that has been backported to maintenance branches type: bug A general bug
Milestone
5.6.0-M1

Comments

@sclorng
Copy link

sclorng commented May 25, 2021
edited
Loading

Describe the bug
https://datatracker.ietf.org/doc/html/rfc8414#section-2 states that authorize_endpoint is required unless no grant type requires it. Authorization Server with no support for authorization code grant type may not expose this endpoint in its metadata.

ClientRegistrations.withProviderConfiguration assume that metadata.getAuthorizationEndpointURI() cannot be null. When this is the case, it will throw a java.lang.NullPointerException line 259 .authorizationUri(metadata.getAuthorizationEndpointURI().toASCIIString()).

To Reproduce
Use an AS with no authorization_endpoint

Expected behavior
Should not throw an exception until the endpoint is actually used or only if the client grant type requires this endpoint.
@sclorng sclorng added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels May 25, 2021
@sjohnr sjohnr added in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) and removed status: waiting-for-triage An issue we've not yet triaged labels May 25, 2021
@sjohnr sjohnr self-assigned this May 25, 2021
@jgrandja
Copy link
Contributor

Thanks for the report @scrocquesel. We'll look into this.

In the meantime, you could workaround this by not configuring the issuer-uri property and instead explicitly configuring all the required ClientRegistration properties.

@jgrandja jgrandja mentioned this issue May 26, 2021
Closed
@jgrandja jgrandja added this to the 5.5.1 milestone May 28, 2021
sjohnr pushed a commit to sjohnr/spring-security that referenced this issue Jun 15, 2021
Support grant types other than authorization_code
7d83dda 
Closes spring-projectsgh-9795
@sjohnr sjohnr mentioned this issue Jun 15, 2021
Closed
sjohnr pushed a commit to sjohnr/spring-security that referenced this issue Jun 16, 2021
Handle missing authorization endpoint uri
347d86c 
Closes spring-projectsgh-9795
@sjohnr sjohnr mentioned this issue Jun 16, 2021
Merged
@sjohnr sjohnr modified the milestones: 5.5.1, 5.6.0-M1 Jun 16, 2021
sjohnr pushed a commit that referenced this issue Jun 16, 2021
@sjohnr
Handle missing authorization endpoint uri
0cba087 
Closes gh-9795
@spring-projects-issues spring-projects-issues added status: backported An issue that has been backported to maintenance branches and removed for: backport-to-5.5.x labels Jun 16, 2021
Closed
sjohnr pushed a commit that referenced this issue Jun 16, 2021
Handle missing authorization endpoint uri
9daf058 
Closes gh-9795
akohli96 pushed a commit to akohli96/spring-security that referenced this issue Aug 25, 2021
Handle missing authorization endpoint uri
bdd2391 
Closes spring-projectsgh-9795
@strowk strowk mentioned this issue Feb 21, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@sjohnr sjohnr

Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) status: backported An issue that has been backported to maintenance branches type: bug A general bug
Projects
None yet
Milestone
5.6.0-M1
Development

Successfully merging a pull request may close this issue.

Handle missing authorization endpoint uri sjohnr/spring-security
4 participants
@sjohnr @jgrandja @spring-projects-issues @sclorng