I'm using the Spring Boot OAuth Resource Server (JOSE) in order to validate the JWT from Auth0. The flow is running fine except when I check the audience claim from JWT, if it's fail the 401 response status is return, but the message body is empty.
I customised the exceptionHandling to send a message body and it works fine using authenticationEntryPoint and accessDeniedHandler, but these handlings were not trigged for OAuth2TokenValidator.
I just want to receive the 401 and my customized message body for 401 when the audience validation error occurs.
Here is the code that I used:
public static class AudienceValidator implements OAuth2TokenValidator<Jwt> {
private Logger logger = LoggerFactory.getLogger(AudienceValidator.class);
private final String audience;
OAuth2Error error = new OAuth2Error("invalid_token", "The required audience is missing", null);
public AudienceValidator(String audience) {
this.audience = audience;
}
public OAuth2TokenValidatorResult validate(Jwt jwt) {
logger.debug("validating audience: " + jwt.getAudience());
if (jwt.getAudience().contains(audience)) {
logger.debug("audience success");
return OAuth2TokenValidatorResult.success();
} else {
logger.debug("invalid audience");
return OAuth2TokenValidatorResult.failure(error);
}
}
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.cors().and()
.oauth2ResourceServer(oauth2 -> oauth2
.jwt(jwt -> jwt
.jwtAuthenticationConverter(grantedAuthoritiesExtractor())
)
);
logger.debug("authenticatedOnly:"+authenticatedOnly);
if (authenticatedOnly) http.authorizeRequests().anyRequest().authenticated();
else http.authorizeRequests().anyRequest().permitAll();
http
.exceptionHandling()
.authenticationEntryPoint((request, response, e) -> {
response.setStatus(HttpStatus.UNAUTHORIZED.value());
response.setContentType("application/json");
response.getWriter().write("{\"status\":401,\"error\":\"You are not authenticated.\",\"message\":\"\"}");
})
.accessDeniedHandler((request, response, e) -> {
response.setStatus(HttpStatus.FORBIDDEN.value());
response.setContentType("application/json");
response.getWriter().write("{\"status\":403,\"error\":\"You are not authorized.\",\"message\":\"\"}");
})
;
}