-
Notifications
You must be signed in to change notification settings - Fork 5.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Prevent JwtAuthenticationProvider from setting authentication details when jwtAuthenticationConverter returned an authentication instance with non null details #11823
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @ch4mpy! It would be helpful if you could add a test that ensures the provider is not overwriting details.
@sjohnr done |
@sjohnr anything more needed on this PR? |
@ch4mpy, thanks for asking! I don't think so, but I'm heads down on a few other things and will circle back to this a bit later. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@ch4mpy, when thinking more about this PR, we will need to make an adjustment. For the 5.8/6.0 releases, we are aiming to provide an upgrade to 5.8 that contains no breaking changes. Anything that breaks passivity would require a configuration option that allows users to opt-in to the change to test their compatibility in 5.8, so that an upgrade to 6.0 (where the change is the default) is seamless.
This change is technically a breaking change, as it would have been possible previously to return a non-null details
which is overridden in the filter and will no longer be. Because the details can be used for things like authorization, we should not include this change in 5.8 without allowing it to be opt-in.
I think the simplest change is to move this PR to be based on 6.0 (main
). Can you make this change? I've also added minor suggestions below.
...pringframework/security/oauth2/server/resource/authentication/JwtAuthenticationProvider.java
Show resolved
Hide resolved
...framework/security/oauth2/server/resource/authentication/JwtAuthenticationProviderTests.java
Show resolved
Hide resolved
Prevent JwtAuthenticationProvider from setting authentication details when jwtAuthenticationConverter returned an authentication instance with non null details.
@sjohnr rebased on main and updated copyright. P.S. I hadn't considered it an expected "feature", which is why I initialy based the PR on 5.8 |
Any plan to merge this sometime? |
Hi @ch4mpy!
Apologies, I wasn't able to circle back to this in time for RC1. I'm going to schedule this for 6.1 as I'd prefer to hold off on any code enhancements in the RC phase of 6.0. I'll merge this after the GA release. |
This is merged via 7ad4ebd |
This could fix gh-11822