Make OAuth2ErrorHttpMessageConverter more resilient #8157

Closed
@jvalkeal

Description

Keeping OAuth2ErrorHttpMessageConverter so strict that it just attempts to read a Map<String,String> out of an error response and throws a parsing error is a bit of a nuisance. According to comment #6463 (comment), the user could switch error handling, but it'd be better for this default impl to e.g. throw away unknown fields.

For example, with Azure you may get something like:

{
  "error": "invalid_grant",
  "error_description": "AADSTS65001: The user or administrator has not consented to use the application with ID 'e3efd8f6-4e31-4bd0-b187-c928d9273133' named 'dataflow-shell-public'. Send an interactive authorization request for this user and resource.\r\nTrace ID: a537f6db-5813-4160-a3d5-04a2df304d00\r\nCorrelation ID: 00d69f51-c21b-4490-9ab8-29123ba4b896\r\nTimestamp: 2020-03-20 09:44:11Z",
  "error_codes": [
    65001
  ],
  "timestamp": "2020-03-20 09:44:11Z",
  "trace_id": "a537f6db-5813-4160-a3d5-04a2df304d00",
  "correlation_id": "00d69f51-c21b-4490-9ab8-29123ba4b896",
  "suberror": "consent_required"
}

Which then leads to an error:

2020-03-20T09:44:42+0000 DEBUG Spring Shell o.s.w.HttpLogging:147 - Response 400 BAD_REQUEST
org.springframework.http.converter.HttpMessageNotReadableException: An error occurred reading the OAuth 2.0 Error: Invalid JSON input: Cannot deserialize instance of `java.lang.String` out of START_ARRAY token; nested exception is com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot deserialize instance of `java.lang.String` out of START_ARRAY token
 at [Source: (sun.net.www.protocol.http.HttpURLConnection$HttpInputStream); line: 1, column: 287] (through reference chain: java.util.LinkedHashMap["error_codes"]); nested exception is org.springframework.http.converter.HttpMessageNotReadableException: Invalid JSON input: Cannot deserialize instance of `java.lang.String` out of START_ARRAY token; nested exception is com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot deserialize instance of `java.lang.String` out of START_ARRAY token
 at [Source: (sun.net.www.protocol.http.HttpURLConnection$HttpInputStream); line: 1, column: 287] (through reference chain: java.util.LinkedHashMap["error_codes"])
        at org.springframework.security.oauth2.core.http.converter.OAuth2ErrorHttpMessageConverter.readInternal(OAuth2ErrorHttpMessageConverter.java:78)
        at org.springframework.security.oauth2.core.http.converter.OAuth2ErrorHttpMessageConverter.readInternal(OAuth2ErrorHttpMessageConverter.java:46)
        at org.springframework.http.converter.AbstractHttpMessageConverter.read(AbstractHttpMessageConverter.java:199)
        at org.springframework.security.oauth2.client.http.OAuth2ErrorResponseErrorHandler.handleError(OAuth2ErrorResponseErrorHandler.java:59)

I really care about the error and error_description fields, as those would then give me a hint why things failed. Currently I need to figure out what the actual request spring-security is doing is and then try to do that manually with curl to get that error description.

While https://tools.ietf.org/html/rfc6749#section-5.2 is a bit vague about what could be in a response, it's just reality that different identity providers do things differently.
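The lenient behaviour the issue asks for, as an added example that is not part of the issue or of Spring Security's own code: a hypothetical LenientOAuth2ErrorHttpMessageConverter that reads the error body as Map<String, Object>, keeps only the three members RFC 6749 section 5.2 defines (error, error_description, error_uri) when they are JSON strings, and discards everything else, so an array-valued member like Azure's error_codes no longer turns the whole response into an HttpMessageNotReadableException. It assumes Spring Framework 5.1+ (for the three-argument HttpMessageNotReadableException constructor), Jackson, and the OAuth2ParameterNames and OAuth2ErrorCodes constants from spring-security-oauth2-core.

```java
import java.io.IOException;
import java.util.Map;

import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;

import org.springframework.http.HttpInputMessage;
import org.springframework.http.HttpOutputMessage;
import org.springframework.http.MediaType;
import org.springframework.http.converter.AbstractHttpMessageConverter;
import org.springframework.http.converter.HttpMessageNotReadableException;
import org.springframework.http.converter.HttpMessageNotWritableException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;

/**
 * Hypothetical lenient replacement for OAuth2ErrorHttpMessageConverter (added example,
 * not Spring Security code). The body is read as Map<String, Object>, so non-string
 * members such as Azure's "error_codes" array do not break parsing; only "error",
 * "error_description" and "error_uri" are used and every other member is discarded.
 */
public class LenientOAuth2ErrorHttpMessageConverter extends AbstractHttpMessageConverter<OAuth2Error> {

	private static final TypeReference<Map<String, Object>> MAP_TYPE =
			new TypeReference<Map<String, Object>>() {};

	private final ObjectMapper objectMapper = new ObjectMapper();

	public LenientOAuth2ErrorHttpMessageConverter() {
		super(MediaType.APPLICATION_JSON, new MediaType("application", "*+json"));
	}

	@Override
	protected boolean supports(Class<?> clazz) {
		return OAuth2Error.class.isAssignableFrom(clazz);
	}

	@Override
	protected OAuth2Error readInternal(Class<? extends OAuth2Error> clazz, HttpInputMessage inputMessage)
			throws IOException, HttpMessageNotReadableException {
		Map<String, Object> body;
		try {
			body = this.objectMapper.readValue(inputMessage.getBody(), MAP_TYPE);
		}
		catch (IOException ex) {
			// Still a hard failure when the body is not a JSON object at all
			throw new HttpMessageNotReadableException(
					"An error occurred reading the OAuth 2.0 Error: " + ex.getMessage(), ex, inputMessage);
		}
		return toOAuth2Error(body);
	}

	/** Builds an OAuth2Error from the standard members only; unknown or non-string members are ignored. */
	static OAuth2Error toOAuth2Error(Map<String, Object> body) {
		String errorCode = stringOrNull(body.get(OAuth2ParameterNames.ERROR));
		if (errorCode == null || errorCode.isEmpty()) {
			// OAuth2Error requires a non-empty code; fall back to the generic RFC 6749 value
			errorCode = OAuth2ErrorCodes.SERVER_ERROR;
		}
		String description = stringOrNull(body.get(OAuth2ParameterNames.ERROR_DESCRIPTION));
		String uri = stringOrNull(body.get(OAuth2ParameterNames.ERROR_URI));
		return new OAuth2Error(errorCode, description, uri);
	}

	/** Accepts only JSON strings for the standard members; arrays, numbers and objects are dropped. */
	private static String stringOrNull(Object value) {
		return (value instanceof String) ? (String) value : null;
	}

	@Override
	protected void writeInternal(OAuth2Error error, HttpOutputMessage outputMessage)
			throws IOException, HttpMessageNotWritableException {
		// Client-side converter only; a server would replace this with a JSON writer
		throw new HttpMessageNotWritableException("Writing OAuth2Error is not supported by this converter");
	}

}
```

Fed the Azure body quoted above, toOAuth2Error yields an OAuth2Error with code invalid_grant and the AADSTS65001 description, while error_codes, timestamp, trace_id, correlation_id and suberror are simply ignored. The converter is used from a custom ResponseErrorHandler installed on the RestTemplate that the token response client uses; a body that is not a JSON object at all still fails loudly, which is the right place to keep the hard error.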

Labels

in: oauth2 (An issue in OAuth2 modules: oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose); status: backported (An issue that has been backported to maintenance branches); type: bug (A general bug)