OAuth2 JWT does not work if there is no Authorization attribute in the HTTP header or Authorization does not start with 'Bearer ' #15844
Comments
Hey, I read your issue, and according to your problem there must be a logic error. You have to check the security and authorization of your endpoints. Maybe you did not secure the endpoint for the API; that's why, if you provide no auth, it is still running. Maybe you made that API publicly accessible.
Hi @rohitsirohi85,
I find the root cause is this line:
If I remove this line, I get 401 if there is no Authorization or Bearer. But this line parses and gets some info from the JWT token and does some business logic in the filter. So if I remove it, is there any way to do the same logic without impacting the Authorization validation?
Hello,
I use OAuth2 JWT connected to the Keycloak server to verify the user's JWT token, but I find that if there is no Authorization attribute in the HTTP header, or the token does not have the keyword Bearer, the JWT validation is not working (even if the token is expired). Did I misconfigure anything?
Below are the 3 methods to call my API; I use the expired token to test:
method 1:
curl --location 'http://localhost:8080/api/xxxx' --header 'Authorization: Bearer expiredToken'
returns 401 (works as expected)
method 2, no Authorization attribute in header:
curl --location 'http://localhost:8080/api/xxxx'
expected to return 401 but returns 200
method 3, the token has no Bearer:
curl --location 'http://localhost:8080/api/xxxx' --header 'Authorization: expiredToken'
expected to return 401 but returns 200
To Reproduce
OAuth2 JWT config as below (issuer-uri is the Keycloak server)
OAuth2 version
org.springframework.security:spring-security-oauth2-resource-server:jar:5.1.2.RELEASE
and
org.springframework.security:spring-security-oauth2-resource-server:jar:6.2.4
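The behaviour in methods 2 and 3 follows from how the resource server is wired: BearerTokenAuthenticationFilter only authenticates requests that carry an "Authorization: Bearer ..." header, so a missing header or a non-Bearer value leaves the request anonymous and it is the authorization rule, not the filter, that must turn it away. The following Spring Security 6.2 configuration is an added example, not code from this issue or from the Spring Security project; it assumes Spring Boot sets up the JwtDecoder from spring.security.oauth2.resourceserver.jwt.issuer-uri and that the token carries Keycloak's preferred_username claim.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
public class ResourceServerConfig {

    @Bean
    SecurityFilterChain api(HttpSecurity http) throws Exception {
        http
            // Every /api/** request must be authenticated. With no Bearer header
            // (method 2) or a non-Bearer Authorization value (method 3) nothing
            // authenticates the request, so this rule rejects it and the
            // resource server's entry point answers 401. An expired Bearer token
            // (method 1) fails inside the filter and also yields 401.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/**").authenticated()
                .anyRequest().denyAll())
            // JwtDecoder is assumed to be auto-configured from
            // spring.security.oauth2.resourceserver.jwt.issuer-uri (the Keycloak issuer).
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));
        return http.build();
    }
}

@RestController
class ApiController {

    // Read claims from the token Spring has already validated (signature,
    // issuer, expiry) instead of decoding it again in a custom filter, so the
    // business logic never bypasses the authentication step.
    @GetMapping("/api/me")
    String me(@AuthenticationPrincipal Jwt jwt) {
        // preferred_username is a Keycloak claim; assumed present for this example.
        String username = jwt.getClaimAsString("preferred_username");
        return username != null ? username : jwt.getSubject();
    }
}
```

A custom filter that decodes the token on its own should run after BearerTokenAuthenticationFilter and only read the Jwt from the SecurityContext, never substitute its own parsing for the filter's validation.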