OAuth2 Resource Server is exposing server information. #13730
Labels:
- in: oauth2 (An issue in OAuth2 modules: oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)
- status: ideal-for-contribution (An issue that we actively are looking for someone to help us with)
- type: enhancement (A general enhancement)
Given I created a custom JWT decoder as described in the Spring OAuth2 Resource Server Documentation with NimbusJwtDecoder. Example:

And I configure my Spring App as an OAuth2 Resource Server, like:

When I send a request to /api/v1/** with a JWT token that has a malformed JWT header

Expected Behavior

Then I expect that a 401 is returned with a www-authenticate header which doesn't expose any app-internal information. Something like:

Current Behavior

Then currently a 401 is returned with a www-authenticate header which does expose that the app is using a Nimbus decoder.

Context
How has this issue affected you?
I am not sure if this is a security breach, but at least I expect that my client is not bothered with server-internal information.
What are you trying to accomplish?
Provide my clients with a clean API without exposing any server-internal details.
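One way to get the behaviour the reporter asks for without waiting for a library change, as an added example that is not part of the issue and not Spring Security's own code: wrap the NimbusJwtDecoder in a decorator that replaces the message of any JwtException with a fixed, client-safe string. The error_description that ends up in the WWW-Authenticate header is the message of the BadJwtException that JwtAuthenticationProvider receives from the decoder, so controlling that message controls what the client sees, while keeping the original exception as the cause preserves the detail for server-side logs. The class names (ResourceServerConfig, SanitizingJwtDecoder), the package, the JWK Set URI and the replacement message are assumptions for this example; the /api/v1/** matcher is taken from the issue. It targets Spring Security 6.x (securityMatcher, authorizeHttpRequests).

```java
package com.example.resourceserver; // hypothetical package for this example

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.jwt.BadJwtException;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class ResourceServerConfig {

    // Assumed JWK Set endpoint for this example; use the real authorization server's URI.
    private static final String JWK_SET_URI = "https://auth.example.com/.well-known/jwks.json";

    /**
     * Decorates a delegate JwtDecoder and replaces the message of every JwtException
     * with a fixed string. JwtAuthenticationProvider copies the message of a
     * BadJwtException into the error_description of the invalid_token response, which is
     * how decoder-internal text (including Nimbus parse errors) reaches the
     * WWW-Authenticate header. The original exception is kept as the cause so that
     * server-side logs still carry the real reason.
     */
    static final class SanitizingJwtDecoder implements JwtDecoder {

        // Assumed client-facing message; deliberately says nothing about the implementation.
        private static final String CLIENT_SAFE_MESSAGE = "The access token is invalid";

        private final JwtDecoder delegate;

        SanitizingJwtDecoder(JwtDecoder delegate) {
            this.delegate = delegate;
        }

        @Override
        public Jwt decode(String token) throws JwtException {
            try {
                return this.delegate.decode(token);
            }
            catch (JwtException ex) {
                // Covers BadJwtException (malformed header/payload, bad signature) and its
                // subclass JwtValidationException (expired, wrong issuer). Rethrowing as
                // BadJwtException keeps the error code invalid_token; only the description
                // the client sees changes.
                throw new BadJwtException(CLIENT_SAFE_MESSAGE, ex);
            }
        }
    }

    @Bean
    JwtDecoder jwtDecoder() {
        // The decoder the issue describes, built from the JWK Set URI, then wrapped.
        JwtDecoder nimbus = NimbusJwtDecoder.withJwkSetUri(JWK_SET_URI).build();
        return new SanitizingJwtDecoder(nimbus);
    }

    @Bean
    SecurityFilterChain apiSecurity(HttpSecurity http, JwtDecoder jwtDecoder) throws Exception {
        http
            .securityMatcher("/api/v1/**")
            .authorizeHttpRequests(authz -> authz.anyRequest().authenticated())
            // Explicitly hand the wrapped decoder to the resource server so the
            // auto-configured NimbusJwtDecoder is not used directly.
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(jwt -> jwt.decoder(jwtDecoder)));
        return http.build();
    }
}
```

With this in place a request to /api/v1/** carrying a token with a malformed header still gets a 401 from the default BearerTokenAuthenticationEntryPoint, but the error_description in the WWW-Authenticate header is the fixed string rather than the decoder's parse error. Two things to check after adding it: that the failure still appears with its cause in the application log (the detail is moved, not dropped), and that legitimate clients do not depend on distinguishing expired from malformed tokens by description, since this wrapper collapses both into one message (the error code stays invalid_token either way). If you would rather not touch the decoder at all, the alternative is a custom AuthenticationEntryPoint registered via oauth2ResourceServer(...).authenticationEntryPoint(...) that writes a fixed header regardless of the exception.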