pac4j oidc swallows important exceptions.


James Nord

Oct 25, 2024, 5:25:09 AM
to Pac4j development mailing list
Hi,

In pac4j 5.7.7 (and looking at the code 6.x also), when validating an OIDC token pac4j swallows all but one of the exceptions from all of the registered token validators.

As you can have many token validators configured and some may not have the required information, the code iterates through them all to find one validator that matches and returns OK.
However, in the case that none of them can validate, an exception from the first validator only is thrown, and if this is missing information as it is not the validator for this token, then you are presented with a very generic exception. The interesting exception (which is likely a signature mismatch or expiry etc.) is just swallowed.

e.g.

com.nimbusds.jose.proc.BadJOSEException: Signed JWT rejected: Another algorithm expected, or no matching key(s) found
at PluginClassLoader for oic-auth//com.nimbusds.jwt.proc.DefaultJWTProcessor.process(DefaultJWTProcessor.java:357)
at PluginClassLoader for oic-auth//com.nimbusds.openid.connect.sdk.validators.IDTokenValidator.validate(IDTokenValidator.java:321)
at PluginClassLoader for oic-auth//com.nimbusds.openid.connect.sdk.validators.IDTokenValidator.validate(IDTokenValidator.java:254)
at PluginClassLoader for oic-auth//org.pac4j.oidc.profile.creator.TokenValidator.validate(TokenValidator.java:108)
at PluginClassLoader for oic-auth//org.pac4j.oidc.profile.creator.OidcProfileCreator.create(OidcProfileCreator.java:108)
Caused: org.pac4j.core.exception.TechnicalException
at PluginClassLoader for oic-auth//org.pac4j.oidc.profile.creator.OidcProfileCreator.create(OidcProfileCreator.java:152)
at PluginClassLoader for oic-auth//org.jenkinsci.plugins.oic.OicSecurityRealm.doFinishLogin(OicSecurityRealm.java:1279)
at java.base/java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:732)
at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:416)
at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:429)
at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:211)
at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:138)
at org.kohsuke.stapler.MetaClass$11.doDispatch(MetaClass.java:644)
at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:61)
at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:827)
the relevant code https://github.com/pac4j/pac4j/blob/master/pac4j-oidc/src/main/java/org/pac4j/oidc/profile/creator/TokenValidator.java#L137-L150 

I would suggest that the code makes use of suppressed exceptions so that the issues from all of the validators are recorded, so that fine logging does not need to be enabled in order to obtain the underlying root cause.

Would such a change be acceptable? If so, I can file a PR.

/James
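An illustration of the change proposed above, written as an added example and not pac4j's own code: the `Validator` interface, `validateWithAll` and the constructed validators are hypothetical stand-ins. The first validator's exception stays the primary failure, and each later validator's exception is attached with `Throwable.addSuppressed`, so the signature or expiry error from the matching validator survives in the stack trace instead of being lost.

```java
import java.util.List;

public class SuppressedValidationExample {

    /** Hypothetical stand-in for one configured ID token validator. */
    interface Validator {
        /** Returns normally when the token is accepted, throws otherwise. */
        void validate(String token) throws Exception;
    }

    /**
     * Tries each validator in order and returns as soon as one accepts the token.
     * If none accepts it, the first validator's exception is rethrown with every
     * later validator's exception attached as a suppressed exception, so the
     * real cause (e.g. a signature mismatch) is not swallowed.
     */
    static void validateWithAll(List<Validator> validators, String token) throws Exception {
        Exception first = null;
        for (Validator v : validators) {
            try {
                v.validate(token);
                return; // one validator accepted the token
            } catch (Exception e) {
                if (first == null) {
                    first = e;            // keep the first failure as the primary cause
                } else {
                    first.addSuppressed(e); // record every further failure on it
                }
            }
        }
        if (first != null) {
            throw first; // first.getSuppressed() now lists the other validators' errors
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed validators: the first is not configured for this token at all,
        // the second is the one that actually checks and rejects the signature.
        Validator missingInfo = t -> { throw new IllegalStateException("no issuer configured"); };
        Validator sigCheck = t -> { throw new SecurityException("signed JWT rejected: no matching key"); };
        try {
            validateWithAll(List.of(missingInfo, sigCheck), "constructed.jwt.value");
        } catch (Exception e) {
            System.out.println("primary: " + e.getMessage());
            for (Throwable s : e.getSuppressed()) {
                System.out.println("suppressed: " + s.getMessage());
            }
        }
    }
}
```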



Jérôme LELEU

Oct 28, 2024, 5:47:07 AM
to James Nord, Pac4j development mailing list
Hi,

It makes sense. Please submit PRs to the master and 5.7.x branches.
Thanks.
Best regards,
Jérôme

