Single Sign On / MGNLSSO-296

Token Introspection Failure results in 500 Error Response


Details

    • Type: Bug
    • Resolution: Unresolved
    • Priority: High
    • Version: 3.1.1
    • Magnolia Version: 6.2.27
      magnolia-sso version: 3.1.1 (Since later versions require a Magnolia version > 6.3.x, I think this bug applies to the later versions as well)

    Description

      Steps to reproduce

      1. Set up SSO under the /.rest path using a valid http.bearer client, as described in the docs
      2. Set http.bearer.authenticator to token-introspection
      3. Send a request carrying an invalid OAuth token (malformed or expired)
      4. Observe a 500 Internal Server Error response instead of 401 Unauthorized

      Expected results

      When an invalid or expired token is presented, we expect a 401 Unauthorized HTTP response.

      Actual results

      Instead, a 500 Internal Server Error occurs, with the following stack trace:

      21-Jun-2023 16:39:15.941 SEVERE [http-nio-8080-exec-7] org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() for servlet [default] in context with path [] threw exception
          org.pac4j.core.exception.TechnicalException: Client credentials authentication failed. Reason: Invalid / expired access token
              at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
              at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:687)
              at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
              at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:360)
              at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:399)
              at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
              at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:890)
              at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1789)
              at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
              at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
              at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
              at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
              at java.base/java.lang.Thread.run(Thread.java:834)

      Workaround

      I haven't been able to find any workaround for this.

      Development notes

      TokenIntrospectionAuthenticator throws an org.pac4j.core.exception.TechnicalException when the Bearer token is inactive or invalid. That exception propagates to org.pac4j.core.engine.DefaultSecurityLogic, which wraps it in a RuntimeException, so the request fails with an incorrect HTTP status (500 instead of 401).
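The defender-side counterpart to these notes, as an added example that is not part of this issue and is neither Magnolia's nor pac4j's own code: a decorating pac4j Authenticator that turns a delegate's TechnicalException for a rejected token into a CredentialsException. pac4j's client logic catches CredentialsException as a failed credential check, so no profile is produced and DefaultSecurityLogic answers a direct client with 401 through the HttpActionAdapter, instead of the exception escaping as a 500. The pac4j 5.x validate(Credentials, WebContext, SessionStore) signature, the class and package names and the wrapped delegate are assumptions.

```java
// Added example, not Magnolia's or pac4j's code. Assumes pac4j 5.x; package,
// class name and the delegate (e.g. the token-introspection authenticator) are hypothetical.
package example.sso;

import org.pac4j.core.context.WebContext;
import org.pac4j.core.context.session.SessionStore;
import org.pac4j.core.credentials.Credentials;
import org.pac4j.core.credentials.authenticator.Authenticator;
import org.pac4j.core.exception.CredentialsException;
import org.pac4j.core.exception.TechnicalException;

/**
 * Decorates an introspection-style authenticator so that a rejected bearer token
 * is reported as an authentication failure rather than as a server fault.
 */
public final class RejectedTokenAuthenticator implements Authenticator {

    private final Authenticator delegate;

    public RejectedTokenAuthenticator(Authenticator delegate) {
        this.delegate = delegate;
    }

    @Override
    public void validate(Credentials credentials, WebContext context, SessionStore sessionStore) {
        try {
            delegate.validate(credentials, context, sessionStore);
        } catch (CredentialsException e) {
            // Already the right signal: pac4j's BaseClient logs it and yields no credentials.
            throw e;
        } catch (TechnicalException e) {
            // An inactive or expired token is a failed credential check, not an internal error.
            // CredentialsException is caught by BaseClient, the request ends up with no profile,
            // and DefaultSecurityLogic responds 401 for a direct (header/bearer) client.
            throw new CredentialsException("Bearer token rejected: " + e.getMessage(), e);
        }
    }
}
```

Catching every TechnicalException this way is a blunt mitigation: an unreachable or misconfigured introspection endpoint is a genuine server-side failure and should still surface as a 5xx, not be reported to the caller as "unauthorized". The durable fix belongs in the introspection authenticator itself, which can tell an `active: false` introspection result (throw CredentialsException) apart from a transport or configuration error (keep TechnicalException); the wrapper is only a stopgap where that code cannot be changed.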

            People

              efochr Evzen Fochr
              tkoktsidis Theocharis Koktsidis