Support JwtValidationException on JwtReactiveAuthenticationManager

[botcoder]

Summary

JwtReactiveAuthenticationManager returns a BearerTokenError, regardless of the OAuth2Error returned by a JwtValidationException.

Actual Behavior

private OAuth2AuthenticationException onError(JwtException e) {
	OAuth2Error invalidRequest = invalidToken(e.getMessage());
	return new OAuth2AuthenticationException(invalidRequest, e.getMessage());
}

Expected Behavior

line 78:
OAuth2Error invalidRequest = e instanceof JwtValidationException ? ((JwtValidationException) e).getErrors().iterator().next() : invalidToken(e.getMessage());

Configuration

Using @EnableWebFluxSecurity and the default ReactiveAuthenticationManager (see sample for details)

Version

spring-security-oauth2-resource-server-5.1.5.RELEASE

Sample

Any application using oauth2resourceserver-webflux default configuration, when receiving an expired JWT, will return a generic BearerTokenError as defined on JwtReactiveAuthenticationManager.

[jzheaux]

@botcoder Good analysis, I agree that this should be improved.

Since there is nothing in the specification that indicates how to handle multiple error messages, and we don't want to lose the other errors if there are multiple, we'd probably want to instead make sure the entire JwtException gets propagated, like it does on the servlet side:

OAuth2Error invalidToken = invalidToken(e.getMessage());
throw new OAuth2AuthenticationException(invalidToken, invalidToken.getDescription(), e);

This way, you can still get access to all the errors when you need them:

http
    .oauth2ResourceServer()
        .authenticationEntryPoint((exchange, ex) -> {
            if (ex.getCause() instanceof JwtValidationException) {
                // render all the errors
            }
        });

Would you be interested in submitting a PR that updates JwtReactiveAuthenticationManager to propagate the entire exception and not just its message?