1

I'm using the Spring Boot OAuth Resource Server (JOSE) in order to validate the JWT from Auth0. The flow is running fine except when I check the audience claim from JWT, if it's fail the 401 response status is return, but the message body is empty.

I customised the exceptionHandling to send a message body and it works fine using authenticationEntryPoint and accessDeniedHandler, but these handlings were not trigged for OAuth2TokenValidator.

I just want to receive the 401 and my customized message body for 401 when the audience validation error occurs.

Here is the code that I used:

public static class AudienceValidator implements OAuth2TokenValidator<Jwt> {
    private Logger logger = LoggerFactory.getLogger(AudienceValidator.class);
    private final String audience;
    OAuth2Error error = new OAuth2Error("invalid_token", "The required audience is missing", null);
    public AudienceValidator(String audience) {
        this.audience = audience;
    }    
    public OAuth2TokenValidatorResult validate(Jwt jwt) {
        logger.debug("validating audience: " + jwt.getAudience());
        if (jwt.getAudience().contains(audience)) {
            logger.debug("audience success");
            return OAuth2TokenValidatorResult.success();
        } else {
            logger.debug("invalid audience");
            return OAuth2TokenValidatorResult.failure(error);
        }
    }
}

@Override
protected void configure(HttpSecurity http) throws Exception {  
        http
        .cors().and()
            .oauth2ResourceServer(oauth2 -> oauth2
                    .jwt(jwt -> jwt
                        .jwtAuthenticationConverter(grantedAuthoritiesExtractor())
                    )
                );
        logger.debug("authenticatedOnly:"+authenticatedOnly);
        if (authenticatedOnly) http.authorizeRequests().anyRequest().authenticated();
        else http.authorizeRequests().anyRequest().permitAll();

       http
       .exceptionHandling()
        .authenticationEntryPoint((request, response, e) -> {
            response.setStatus(HttpStatus.UNAUTHORIZED.value());
            response.setContentType("application/json");
            response.getWriter().write("{\"status\":401,\"error\":\"You are not authenticated.\",\"message\":\"\"}");
        })
        .accessDeniedHandler((request, response, e) -> {
            response.setStatus(HttpStatus.FORBIDDEN.value());
            response.setContentType("application/json");
            response.getWriter().write("{\"status\":403,\"error\":\"You are not authorized.\",\"message\":\"\"}");
        })
        ;
}
Marcelo Eliseu
  • 11
  • 1

0 Answers0