Details
- Bug
- Resolution: Unresolved
- High
- 3.1.1
Magnolia Version: 6.2.27
magnolia-sso version: 3.1.1 (later versions require Magnolia >6.3.x; I think this bug applies to the later versions as well)
Description
Steps to reproduce
- Setup SSO under /.rest path using a valid http.bearer client as described on the docs
- Set http.bearer.authenticator to token-introspection
- Use an invalid OAuth token in your request (invalid/expired)
- Observe response 500 - Internal Server Error instead of 401 - Unauthorized
Expected results
When using an invalid or expired token we expect an Unauthorized HTTP response.
Actual results
Instead, an Internal Server Error occurs with the following stack trace:

21-Jun-2023 16:39:15.941 SEVERE [http-nio-8080-exec-7] org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() for servlet [default] in context with path [] threw exception
org.pac4j.core.exception.TechnicalException: Client credentials authentication failed. Reason: Invalid / expired access token
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:687)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:360)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:399)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:890)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1789)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.base/java.lang.Thread.run(Thread.java:834)
Workaround
I haven't been able to find any workaround for this.
Development notes
An org.pac4j.core.exception.TechnicalException is thrown on an inactive/invalid Bearer token by TokenIntrospectionAuthenticator. This exception propagates to org.pac4j.core.engine.DefaultSecurityLogic, which wraps it as a RuntimeException; the servlet container then reports it as a 500 instead of the 401 that a rejected credential should produce.
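As an added illustration (not Magnolia's or pac4j's own code), a servlet filter that turns this failure into the expected 401 with an RFC 6750 Bearer challenge rather than letting the container answer 500. It assumes the javax.servlet API shipped with Tomcat 9, the hypothetical class name BearerTokenErrorFilter placed in front of the SSO-protected /.rest chain, and matches on the reason text from the stack trace above.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import org.pac4j.core.exception.TechnicalException;

/** Hypothetical filter: maps a failed bearer-token introspection to 401 instead of 500. */
public class BearerTokenErrorFilter implements Filter {

    // Reason text carried by the TechnicalException in the reported stack trace.
    private static final String INVALID_TOKEN_REASON = "Invalid / expired access token";

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        try {
            chain.doFilter(req, res);
        } catch (RuntimeException e) {
            // DefaultSecurityLogic may wrap the TechnicalException, so inspect the cause chain.
            if (!(res instanceof HttpServletResponse) || res.isCommitted() || !isInvalidToken(e)) {
                throw e; // anything else is still a genuine server-side failure
            }
            HttpServletResponse http = (HttpServletResponse) res;
            // RFC 6750 section 3.1: reject a bad token with 401 and a Bearer challenge.
            http.setHeader("WWW-Authenticate", "Bearer error=\"invalid_token\"");
            http.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        }
    }

    /** True when a TechnicalException with the introspection-failure reason is in the chain. */
    static boolean isInvalidToken(Throwable t) {
        for (Throwable c = t; c != null; c = c.getCause()) {
            String msg = c.getMessage();
            if (c instanceof TechnicalException && msg != null && msg.contains(INVALID_TOKEN_REASON)) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void destroy() { }
}
```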