Oauth2 client: Allow deescalating logged ERROR for invalid client registration ID #11344
Comments
PunchyRascal
added
status: waiting-for-triage
|
@PunchyRascal There is only one log statement in
|
jgrandja
added
status: waiting-for-feedback
|
Since the pentest is a regular occurrence, I think that would not be sustainable - to keep turning this off and on again and releasing to prod. |
spring-projects-issues
added
status: feedback-provided
|
@PunchyRascal A correctly configured application would not send an invalid client registration id. I understand your pentest is a different testing scenario but it doesn't make sense to "convenience" a pentest scenario as this would also "convenience" a malicious request that was attempting to guess a valid registration id. I would prefer to be disruptive to a malicious request by keeping this existing behaviour and throwing an exception. Makes sense? |
jgrandja
added
status: waiting-for-feedback
|
I could argue that protection against brute force attacks is not in the scope of this module, if that is what you're saying, but hey - who am I? If you do not think this is doable, even via settings, we'll have to manage otherwise 🙂 |
spring-projects-issues
added
status: feedback-provided
No that's not what I'm saying. As mentioned in previous comment
An invalid client registration id in the request is an error in the calling application, hence, the signal of the error condition to the caller so they can correct. |
|
This request is about log messages being generated. I am working under the assumption, that the caller does not have access to the Oauth app's logs. |
|
Apologies @PunchyRascal, it looks like I misinterpreted the request. If it's as simple as changing the log message from |
|
Yes, that would be great. |
|
Awesome, thanks @PunchyRascal! I do want to point out for future users encountering this issue that this change (logging invalid client registration ID at WARN level) will still require many applications to tune their logs to get rid of this warning. However, it will allow this message to be turned off permanently if desired while still retaining other errors in the logs. |
This prevents filling the log file with error messages when routine scans are being performed. Closes spring-projectsgh-11344
Current Behavior
Currently, when attempting to work withz invalid client ID, an ERROR is logged :
Authorization Request failed: java.lang.IllegalArgumentException: Invalid Client Registration with Id: xxxl(
org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizationRequestResolver#resolve(javax.servlet.http.HttpServletRequest, java.lang.String, java.lang.String))Desired Behavior
Avoid ERRORs in logs for this case (either setup or altogether - switch to warning maybe?)
Context
When a security/penetration scan is run on the app, many errors like this are logged, but do not represent any actual problem with the app. All the errors are just a result of the scan. Therefore it would be nice if this error could be silenced - maybe changed to warning.
Thank you.
The text was updated successfully, but these errors were encountered: