Closed
Description
Describe the bug
After requesting a token with the client_credentials grant type and a scope parameter in the request, received the following error from Jackson when using the /oauth2/introspect endpoint:
java.lang.IllegalArgumentException: The class with java.util.LinkedHashSet and name of java.util.LinkedHashSet is not in the allowlist. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. If the serialization is only done by a trusted source, you can also enable default typing. See https://github.com/spring-projects/spring-security/issues/4370 for details
at org.springframework.security.oauth2.server.authorization.JdbcOAuth2AuthorizationService$OAuth2AuthorizationRowMapper.parseMap(JdbcOAuth2AuthorizationService.java:441) ~[spring-security-oauth2-authorization-server-0.2.0.jar:0.2.0]
at org.springframework.security.oauth2.server.authorization.JdbcOAuth2AuthorizationService$OAuth2AuthorizationRowMapper.mapRow(JdbcOAuth2AuthorizationService.java:337) ~[spring-security-oauth2-authorization-server-0.2.0.jar:0.2.0]
at org.springframework.security.oauth2.server.authorization.JdbcOAuth2AuthorizationService$OAuth2AuthorizationRowMapper.mapRow(JdbcOAuth2AuthorizationService.java:308) ~[spring-security-oauth2-authorization-server-0.2.0.jar:0.2.0]
at org.springframework.jdbc.core.RowMapperResultSetExtractor.extractData(RowMapperResultSetExtractor.java:94) ~[spring-jdbc-5.3.9.jar:5.3.9]
at org.springframework.jdbc.core.RowMapperResultSetExtractor.extractData(RowMapperResultSetExtractor.java:61) ~[spring-jdbc-5.3.9.jar:5.3.9]
at org.springframework.jdbc.core.JdbcTemplate$1.doInPreparedStatement(JdbcTemplate.java:723) ~[spring-jdbc-5.3.9.jar:5.3.9]
at org.springframework.jdbc.core.JdbcTemplate.execute(JdbcTemplate.java:651) ~[spring-jdbc-5.3.9.jar:5.3.9]
at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:713) ~[spring-jdbc-5.3.9.jar:5.3.9]
at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:744) ~[spring-jdbc-5.3.9.jar:5.3.9]
at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:799) ~[spring-jdbc-5.3.9.jar:5.3.9]
at org.springframework.security.oauth2.server.authorization.JdbcOAuth2AuthorizationService.findBy(JdbcOAuth2AuthorizationService.java:257) ~[spring-security-oauth2-authorization-server-0.2.0.jar:0.2.0]
at org.springframework.security.oauth2.server.authorization.JdbcOAuth2AuthorizationService.findByToken(JdbcOAuth2AuthorizationService.java:238) ~[spring-security-oauth2-authorization-server-0.2.0.jar:0.2.0]
at org.springframework.security.oauth2.server.authorization.authentication.OAuth2TokenIntrospectionAuthenticationProvider.authenticate(OAuth2TokenIntrospectionAuthenticationProvider.java:76) ~[spring-security-oauth2-authorization-server-0.2.0.jar:0.2.0]
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:182) ~[spring-security-core-5.5.1.jar:5.5.1]
at org.springframework.security.oauth2.server.authorization.web.OAuth2TokenIntrospectionEndpointFilter.doFilterInternal(OAuth2TokenIntrospectionEndpointFilter.java:113) ~[spring-security-oauth2-authorization-server-0.2.0.jar:0.2.0]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.3.9.jar:5.3.9]
To Reproduce
- Register @Bean JdbcOAuth2AuthorizationService
- Obtain token using client_credentials grant with a scope parameter provided in the request (e.g. http -a messaging-client:secret -f POST :9000/oauth2/token grant_type=client_credentials scope=message.read)
- Introspect the token (e.g. http -a messaging-client:secret -f POST :9000/oauth2/introspect token=...)
Expected behavior
Token introspection (or any operation that looks up the OAuth2Authorization) should succeed.
Sample
Can be reproduced using the authorizationserver sample in this repo.
Metadata
Labels
type: bug (A general bug)