Description
Summary
When using ServerBearerTokenAuthenticationConverter with setAllowUriQueryParameter(true),
there is a possibility that the web server returns an HTTP 500 when the query parameter is present but empty, e.g. /hello?access_token=
Edit: This problem potentially also affects DefaultBearerTokenResolver.
Actual Behavior
ServerBearerTokenAuthenticationConverter.convert throws an IllegalArgumentException because the string passed to BearerTokenAuthenticationToken::new is empty.
Expected Behavior
The expected behaviour is that the query parameter is validated in the ServerBearerTokenAuthenticationConverter.token method and an OAuth2AuthenticationException is thrown.
The validation should be the same as (or similar to) the validation applied when the token is provided in the HTTP header.
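As an added example (not part of this report and not Spring Security's own code), a converter that applies the same RFC 6750 token grammar to the access_token query parameter as to the Authorization header, so an empty or malformed value yields the 401/invalid_token error instead of an IllegalArgumentException. The class and helper names are mine; the Spring types and constructors are assumed to match the 5.1 API listed below.

```java
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.server.resource.BearerTokenAuthenticationToken;
import org.springframework.security.oauth2.server.resource.BearerTokenError;
import org.springframework.security.oauth2.server.resource.BearerTokenErrorCodes;
import org.springframework.security.web.server.authentication.ServerAuthenticationConverter;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example (hypothetical class): validates header and query-parameter tokens identically. */
public class StrictBearerTokenConverter implements ServerAuthenticationConverter {
    // RFC 6750 b64token grammar; the same pattern is used for both token sources
    private static final Pattern HEADER = Pattern.compile("^Bearer (?<token>[a-zA-Z0-9._~+/-]+=*)$");
    private static final Pattern PARAM = Pattern.compile("^[a-zA-Z0-9._~+/-]+=*$");

    @Override
    public Mono<Authentication> convert(ServerWebExchange exchange) {
        // token() returns a non-empty token, null (no token), or throws OAuth2AuthenticationException,
        // so BearerTokenAuthenticationToken::new never receives an empty string
        return Mono.justOrEmpty(token(exchange)).map(BearerTokenAuthenticationToken::new);
    }

    private static String token(ServerWebExchange exchange) {
        String header = exchange.getRequest().getHeaders().getFirst(HttpHeaders.AUTHORIZATION);
        String param = exchange.getRequest().getQueryParams().getFirst("access_token");
        if (header != null && !header.toLowerCase().startsWith("bearer")) header = null; // other scheme
        if (header != null && param != null) throw malformed("Found multiple bearer tokens in the request");
        if (header != null) {
            Matcher m = HEADER.matcher(header);
            if (!m.matches()) throw malformed("Bearer token is malformed");
            return m.group("token");
        }
        // A present-but-empty access_token= (or one with illegal characters) is rejected here
        // with a 401 + invalid_token error rather than reaching the token constructor
        if (param != null) {
            if (!PARAM.matcher(param).matches()) throw malformed("Bearer token is malformed");
            return param;
        }
        return null;
    }

    private static OAuth2AuthenticationException malformed(String description) {
        BearerTokenError error = new BearerTokenError(BearerTokenErrorCodes.INVALID_TOKEN,
                HttpStatus.UNAUTHORIZED, description, "https://tools.ietf.org/html/rfc6750#section-3.1");
        return new OAuth2AuthenticationException(error, description);
    }
}
```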
Version
implementation group: 'org.springframework.boot', name: 'spring-boot-starter-webflux', version: '2.1.5.RELEASE'
implementation group: 'org.springframework.boot', name: 'spring-boot-starter-security', version: '2.1.5.RELEASE'
implementation group: 'org.springframework.security', name: 'spring-security-oauth2-resource-server', version: '5.1.5.RELEASE'
implementation group: 'org.springframework.security', name: 'spring-security-oauth2-jose', version: '5.1.5.RELEASE'