`OAuth2AuthorizationCodeRequestAuthenticationValidator.validateRedirectUri` throws `OAuth2AuthorizationCodeRequestAuthenticationToken` when an invalid `redirect_uri` is used during the authorization request (spring-authorization-server/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeRequestAuthenticationValidator.java, lines 126 to 129 in 27a893f):

```java
if (!validRedirectUri) {
    throwError(OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ParameterNames.REDIRECT_URI,
            authorizationCodeRequestAuthentication, registeredClient);
}
```
Additionally, `OAuth2AuthorizationCodeRequestAuthenticationValidator.validateScope` throws the same when an invalid `scope` is used (same file, lines 78 to 81 in 27a893f):

```java
if (!requestedScopes.isEmpty() && !allowedScopes.containsAll(requestedScopes)) {
    throwError(OAuth2ErrorCodes.INVALID_SCOPE, OAuth2ParameterNames.SCOPE,
            authorizationCodeRequestAuthentication, registeredClient);
}
```
We should consider adding a log entry at DEBUG level in `OAuth2AuthorizationCodeRequestAuthenticationValidator` for each of these cases. This would allow the logging level to be tuned specifically for this logging. If a user customizes the authentication validators, e.g. to add custom `redirect_uri` validation, they would be responsible for their own logging.
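Until such logging lands in the framework, an application can get the same visibility today by wrapping the default validators in a custom authentication validator. The following is an added example, not code from spring-authorization-server or from this issue: it delegates the actual checks to the framework's `DEFAULT_REDIRECT_URI_VALIDATOR` and `DEFAULT_SCOPE_VALIDATOR` (assumed to be available as public static fields in the version in use), logs the rejection at DEBUG, and rethrows unchanged so the endpoint's error response is not affected. The class name, logger name and `sanitize` helper are assumptions for this example.

```java
// Added example: a custom authorization request validator that logs rejections at
// DEBUG level. Not part of spring-authorization-server; class and helper names are
// assumptions. Delegates to the framework's default redirect_uri and scope validators.
import java.util.function.Consumer;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationContext;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationException;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationProvider;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationValidator;
import org.springframework.security.authentication.AuthenticationProvider;

public class LoggingAuthorizationRequestValidator
        implements Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> {

    // Separate logger name so the level can be tuned just for these rejections,
    // which is the tuning the issue asks for.
    private static final Log logger = LogFactory.getLog(LoggingAuthorizationRequestValidator.class);

    @Override
    public void accept(OAuth2AuthorizationCodeRequestAuthenticationContext context) {
        // Same order as the framework: redirect_uri first, then scope.
        runAndLog("redirect_uri",
                OAuth2AuthorizationCodeRequestAuthenticationValidator.DEFAULT_REDIRECT_URI_VALIDATOR, context);
        runAndLog("scope",
                OAuth2AuthorizationCodeRequestAuthenticationValidator.DEFAULT_SCOPE_VALIDATOR, context);
    }

    private void runAndLog(String parameter,
            Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> delegate,
            OAuth2AuthorizationCodeRequestAuthenticationContext context) {
        try {
            delegate.accept(context);
        }
        catch (OAuth2AuthorizationCodeRequestAuthenticationException ex) {
            if (logger.isDebugEnabled()) {
                OAuth2Error error = ex.getError();
                OAuth2AuthorizationCodeRequestAuthenticationToken authentication = context.getAuthentication();
                // redirect_uri and scope values are client-supplied; strip control
                // characters so a crafted value cannot forge extra log lines.
                logger.debug("Rejected authorization request for client "
                        + sanitize(context.getRegisteredClient().getClientId())
                        + " (" + parameter + "): error=" + error.getErrorCode()
                        + ", redirect_uri=" + sanitize(authentication.getRedirectUri())
                        + ", scopes=" + sanitize(String.valueOf(authentication.getScopes())));
            }
            // Rethrow unchanged: the error response seen by the client stays the same.
            throw ex;
        }
    }

    private static String sanitize(String value) {
        if (value == null) {
            return "null";
        }
        // Keep the value recognisable but single-line; cap length to keep logs bounded.
        String cleaned = value.replaceAll("[\\p{Cntrl}]", "?");
        return cleaned.length() > 200 ? cleaned.substring(0, 200) + "..." : cleaned;
    }

    // Wiring: pass this to authorizationEndpoint.authenticationProviders(...) in the
    // OAuth2AuthorizationServerConfigurer so the default provider uses it.
    public static Consumer<java.util.List<AuthenticationProvider>> configureAuthenticationValidator() {
        return (authenticationProviders) -> authenticationProviders.forEach((authenticationProvider) -> {
            if (authenticationProvider instanceof OAuth2AuthorizationCodeRequestAuthenticationProvider) {
                ((OAuth2AuthorizationCodeRequestAuthenticationProvider) authenticationProvider)
                        .setAuthenticationValidator(new LoggingAuthorizationRequestValidator());
            }
        });
    }
}
```

With `logging.level.com.example.LoggingAuthorizationRequestValidator=DEBUG` (or whatever package the class lives in) the rejections become visible without turning up the level for the whole `org.springframework.security` tree. Because the default validators are reused rather than reimplemented, the loopback and multiple-redirect-URI rules the framework applies stay intact; only the logging is added.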