Allow client registration from issuer uri with no authorize_endpoint #9795

Closed
sclorng opened this issue May 25, 2021 · 1 comment · Fixed by #9931

Labels: in: oauth2 (An issue in OAuth2 modules: oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose); status: backported (An issue that has been backported to maintenance branches); type: bug (A general bug)

Comments

sclorng commented May 25, 2021

Describe the bug
https://datatracker.ietf.org/doc/html/rfc8414#section-2 states that authorize_endpoint is required unless no grant type requires it. An Authorization Server with no support for the authorization code grant type may not expose this endpoint in its metadata.

ClientRegistrations.withProviderConfiguration assumes that metadata.getAuthorizationEndpointURI() cannot be null. When it is null, it throws a java.lang.NullPointerException at line 259: .authorizationUri(metadata.getAuthorizationEndpointURI().toASCIIString()).

To Reproduce
Use an AS with no authorization_endpoint.

Expected behavior
Should not throw an exception until the endpoint is actually used or only if the client grant type requires this endpoint.
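The RFC 8414 rule the report cites, and the behaviour it asks for, as an added Python example. This is not Spring Security's Java code and not the reporter's; it models a registration builder that demands the authorization endpoint only when the client's own grant type will redirect to it. The metadata document, issuer host and client ids are constructed placeholders.

```python
"""Client registration from RFC 8414 authorization server metadata.

Added illustrative example (Python), not Spring Security's Java code. It models
the behaviour the issue asks for: the authorization endpoint is only demanded
when the client's grant type will actually redirect to it.
"""
import json

# Grant types whose flow sends the user agent to the authorization endpoint.
GRANTS_USING_AUTHORIZATION_ENDPOINT = frozenset({"authorization_code", "implicit"})

# RFC 8414 section 2: when grant_types_supported is omitted, the default is
# ["authorization_code", "implicit"], both of which use the authorization endpoint.
DEFAULT_GRANT_TYPES_SUPPORTED = ["authorization_code", "implicit"]

# Constructed sample metadata (the issuer host is a placeholder, not a real
# server): an authorization server that only supports client_credentials and
# therefore, as RFC 8414 permits, publishes no authorization_endpoint.
CLIENT_CREDENTIALS_ONLY_METADATA = {
    "issuer": "https://as.example.test",
    "token_endpoint": "https://as.example.test/oauth2/token",
    "jwks_uri": "https://as.example.test/oauth2/jwks",
    "grant_types_supported": ["client_credentials"],
    "response_types_supported": ["none"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic"],
}
CLIENT_CREDENTIALS_ONLY_METADATA_JSON = json.dumps(CLIENT_CREDENTIALS_ONLY_METADATA)


def supported_grant_types(metadata: dict) -> list:
    """Grant types the server advertises, applying the RFC 8414 default."""
    return list(metadata.get("grant_types_supported", DEFAULT_GRANT_TYPES_SUPPORTED))


def authorization_endpoint_required(metadata: dict) -> bool:
    """RFC 8414: authorization_endpoint is REQUIRED unless no supported grant type uses it."""
    return any(g in GRANTS_USING_AUTHORIZATION_ENDPOINT for g in supported_grant_types(metadata))


def validate_metadata(metadata: dict) -> None:
    """Apply the REQUIRED/optional rules of RFC 8414 section 2 to the document itself."""
    if "issuer" not in metadata:
        raise ValueError("metadata is missing 'issuer'")
    if authorization_endpoint_required(metadata) and "authorization_endpoint" not in metadata:
        raise ValueError("metadata supports a redirect-based grant but lacks 'authorization_endpoint'")
    # token_endpoint is REQUIRED unless only the implicit grant is supported.
    if "token_endpoint" not in metadata and supported_grant_types(metadata) != ["implicit"]:
        raise ValueError("metadata lacks 'token_endpoint'")


def build_registration(metadata_json: str, client_id: str, grant_type: str) -> dict:
    """Build a client registration from discovery metadata.

    The check is keyed to the client's own grant type rather than to the mere
    presence of the field, so a client_credentials client registers cleanly
    against a server with no authorization_endpoint, while a client that
    really needs the endpoint fails with a clear error instead of an
    unexplained null dereference.
    """
    metadata = json.loads(metadata_json)
    validate_metadata(metadata)
    authorization_uri = metadata.get("authorization_endpoint")
    if grant_type in GRANTS_USING_AUTHORIZATION_ENDPOINT and authorization_uri is None:
        raise ValueError(f"grant type {grant_type!r} needs an authorization endpoint, but the server publishes none")
    token_uri = metadata.get("token_endpoint")
    if grant_type != "implicit" and token_uri is None:
        raise ValueError(f"grant type {grant_type!r} needs a token endpoint, but the server publishes none")
    return {
        "client_id": client_id,
        "authorization_grant_type": grant_type,
        "issuer_uri": metadata["issuer"],
        "authorization_uri": authorization_uri,  # None is acceptable for this grant type
        "token_uri": token_uri,
        "jwk_set_uri": metadata.get("jwks_uri"),
    }


def registration_fails(metadata_json: str, client_id: str, grant_type: str) -> bool:
    """True when build_registration rejects the combination with a ValueError."""
    try:
        build_registration(metadata_json, client_id, grant_type)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # A service client registers against the client_credentials-only server ...
    print(build_registration(CLIENT_CREDENTIALS_ONLY_METADATA_JSON, "batch-job", "client_credentials"))
    # ... while a web client that needs the authorization endpoint is rejected up front.
    print(registration_fails(CLIENT_CREDENTIALS_ONLY_METADATA_JSON, "web-app", "authorization_code"))
```

The two checks are deliberately separate: validate_metadata enforces what the RFC requires of the server's document, and build_registration enforces only what this client's grant type needs from it, which is the distinction the expected behaviour above draws.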

@sclorng sclorng added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels May 25, 2021
@sjohnr sjohnr added in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) and removed status: waiting-for-triage An issue we've not yet triaged labels May 25, 2021
@sjohnr sjohnr self-assigned this May 25, 2021
jgrandja (Contributor) commented

Thanks for the report @scrocquesel. We'll look into this.

In the meantime, you could work around this by not configuring the issuer-uri property and instead explicitly configuring all the required ClientRegistration properties.

@jgrandja jgrandja added this to the 5.5.1 milestone May 28, 2021
sjohnr pushed a commit to sjohnr/spring-security that referenced this issue Jun 15, 2021
sjohnr pushed a commit to sjohnr/spring-security that referenced this issue Jun 16, 2021
@sjohnr sjohnr modified the milestones: 5.5.1, 5.6.0-M1 Jun 16, 2021
sjohnr pushed a commit that referenced this issue Jun 16, 2021
@spring-projects-issues spring-projects-issues added status: backported An issue that has been backported to maintenance branches and removed for: backport-to-5.5.x labels Jun 16, 2021
sjohnr pushed a commit that referenced this issue Jun 16, 2021
akohli96 pushed a commit to akohli96/spring-security that referenced this issue Aug 25, 2021