I implemented a custom revocation authentication provider and added it to the OAuth2AuthorizationServerConfigurer, and it works fine. then we decided to add the revoke token endpoint to the permitAll() endpoints and remove the security check because we want to use it without sending clientId and clientSecret, then when I am throwing an exception from the custom revocation authentication provider, the default one get excuted and then the authentication check in the default one throws OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_CLIENT).
Even if I throw OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_TOKEN) from my custom revocation authentication provider.
This is my code:
authorizationServerConfigurer.tokenRevocationEndpoint(tokenRevocationEndpoint -> tokenRevocationEndpoint.authenticationProvider(new RevocationAuthenticationProvider(revokedTokenRepository)));
public class RevocationAuthenticationProvider implements AuthenticationProvider {
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
OAuth2TokenRevocationAuthenticationToken tokenRevocationAuthentication =
(OAuth2TokenRevocationAuthenticationToken) authentication;
JWTClaimsSet claims;
try {
claims = getTokenClaims(tokenRevocationAuthentication);
if (isCustomValidationCheck(claims)) {
throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_TOKEN);
}
// Custom implementation
}
}
if the isCustomValidationCheck method return true I am getting a response message "invalid_client" not invalid_token because the default logic is always checking for the clientPrincipal in the OAuth2AuthenticationProviderUtils.getAuthenticatedClientElseThrowInvalidClient()