Skip to content

Consider logging invalid redirect_uri and scope #1245

New issue
New issue
Closed
Closed
Consider logging invalid redirect_uri and scope#1245
Assignees
sjohnr
Labels
type: enhancementA general enhancement
Milestone
1.2.0-M1
@sjohnr

Description

@sjohnr
sjohnr
opened on May 30, 2023

OAuth2AuthorizationCodeRequestAuthenticationValidator.validateRedirectUri throws OAuth2AuthorizationCodeRequestAuthenticationToken when an invalid redirect_uri is used during the authorization request.

spring-authorization-server/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeRequestAuthenticationValidator.java

Lines 126 to 129 in 27a893f

if (!validRedirectUri) {
throwError(OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ParameterNames.REDIRECT_URI,
authorizationCodeRequestAuthentication, registeredClient);
}

Additionally, OAuth2AuthorizationCodeRequestAuthenticationValidator.validateScope throws the same when an invalid scope is used.

spring-authorization-server/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeRequestAuthenticationValidator.java

Lines 78 to 81 in 27a893f

if (!requestedScopes.isEmpty() && !allowedScopes.containsAll(requestedScopes)) {
throwError(OAuth2ErrorCodes.INVALID_SCOPE, OAuth2ParameterNames.SCOPE,
authorizationCodeRequestAuthentication, registeredClient);
}

We should consider adding a log entry at DEBUG level in OAuth2AuthorizationCodeRequestAuthenticationValidator for each of these cases. This would allow the logging level to be tuned specifically for this logging. If a user customizes the authentication validators e.g. to add custom redirect uri validation, they would be responsible for their own logging.

Metadata

Metadata

Assignees

Labels

type: enhancementA general enhancement

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions