Expected Behavior

Both successful and failed authentication events are published properly when the reactive implementation DefaultReactiveOpenIdTokenResponseValidator is used.
Login failed logic is invoked on authentication failures/validation errors.

Actual Behaviour

Not every authentication failure event is properly published.
Login failed logic can be skipped.

Steps To Reproduce

DefaultOauthController expects a non-empty publisher in callback to handle the callback response from the OAuth client, to properly process authentication events and to invoke login failed logic. If no authentication response is obtained, a plain HttpResponse.status(HttpStatus.UNAUTHORIZED) is returned, skipping event publishing and login failed logic:

micronaut-security/security-oauth2/src/main/java/io/micronaut/security/oauth2/routes/DefaultOauthController.java (line 173 in f3d4a88)

However, the reactive implementation returns an empty publisher in case of token validation errors. This is because ReactiveJsonWebTokenValidator won't yield a result if the token is invalid. There are several places where this could be the case, for example:

micronaut-security/security-oauth2/src/main/java/io/micronaut/security/oauth2/endpoint/token/response/validation/DefaultReactiveOpenIdTokenResponseValidator.java (line 87 in f3d4a88)
micronaut-security/security-jwt/src/main/java/io/micronaut/security/token/jwt/nimbus/NimbusReactiveJsonWebTokenValidator.java (line 78 in f3d4a88)

As a consequence, reactive mappings applied on the upstream won't do anything. Eventually the empty publisher propagates to DefaultOauthController#callback, which then skips event publishing and login failed logic.

Environment Information

No response

Example Application

No response

Version

4.5.0 (micronaut-security: 4.9.0)
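The failure mode reported above, reduced to a stand-alone Reactor sketch. This is an added example, not code from micronaut-security: the class, method and token names are hypothetical, `callbackEmptyAsFailure` is one assumed way to treat an empty result as a failed login rather than the project's fix, and reactor-core is assumed to be on the classpath.

```java
import java.util.ArrayList;
import java.util.List;
import reactor.core.publisher.Mono;

// Added illustration: all names are hypothetical, not micronaut-security classes.
public class EmptyPublisherDemo {
    record AuthResult(boolean authenticated, String detail) {}

    // Stands in for the application event publisher.
    static final List<String> events = new ArrayList<>();

    // Models a reactive validator that completes empty for an invalid token
    // instead of emitting a failure result or signalling an error.
    static Mono<AuthResult> validate(String token) {
        if ("valid".equals(token)) return Mono.just(new AuthResult(true, "alice"));
        if ("denied".equals(token)) return Mono.just(new AuthResult(false, "denied by provider"));
        return Mono.empty(); // constructed case: token failed validation
    }

    // Success and failure handling both live in a mapping on the emitted value.
    static int handle(AuthResult r) {
        events.add((r.authenticated() ? "LoginSuccessful: " : "LoginFailed: ") + r.detail());
        return r.authenticated() ? 200 : 401;
    }

    // Pattern from the issue: an empty upstream skips handle() and yields a bare 401.
    static Mono<Integer> callback(String token) {
        return validate(token).map(EmptyPublisherDemo::handle).defaultIfEmpty(401);
    }

    // Assumed mitigation: convert empty into a failure result before the mapping runs.
    static Mono<Integer> callbackEmptyAsFailure(String token) {
        return validate(token)
            .switchIfEmpty(Mono.fromSupplier(() -> new AuthResult(false, "token validation failed")))
            .map(EmptyPublisherDemo::handle);
    }

    public static void main(String[] args) {
        // Constructed inputs: one accepted, one explicitly rejected, one failing validation.
        for (String token : List.of("valid", "denied", "tampered")) {
            events.clear();
            int status = callback(token).block();
            System.out.println(token + " -> " + status + " events=" + events);
            events.clear();
            status = callbackEmptyAsFailure(token).block();
            System.out.println(token + " (empty as failure) -> " + status + " events=" + events);
        }
    }
}
```

For the `tampered` input, `callback` returns 401 with an empty event list, which is the audit gap the issue describes: the client sees a rejection, but nothing downstream that counts failed logins is notified.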