Add BadOpaqueTokenException

Updated NimbusOpaqueTokenIntrospector and
NimbusReactiveOpaqueTokenIntrospector to throw.
Updated OpaqueTokenAuthenticationProvider and
OpaqueTokenReactiveAuthenticationManager to catch.

Fixes gh-7902

Author: jzheaux

config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurerTests.java

@@ -1158,7 +1158,7 @@ public void getWhenIntrospectionFailsThenUnauthorized() throws Exception {
 				.with(bearerToken("token")))
 				.andExpect(status().isUnauthorized())
 				.andExpect(header().string(HttpHeaders.WWW_AUTHENTICATE,
-						containsString("Provided token [token] isn't active")));
+						containsString("Provided token isn't active")));
 	}
 
 	@Test

oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/OpaqueTokenAuthenticationProvider.java

@@ -20,13 +20,15 @@
 
 import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.authentication.AuthenticationServiceException;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.oauth2.core.OAuth2AccessToken;
 import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal;
 import org.springframework.security.oauth2.server.resource.BearerTokenAuthenticationToken;
 import org.springframework.security.oauth2.server.resource.InvalidBearerTokenException;
+import org.springframework.security.oauth2.server.resource.introspection.BadOpaqueTokenException;
 import org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionException;
 import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;
 import org.springframework.util.Assert;
@@ -88,8 +90,10 @@ public Authentication authenticate(Authentication authentication) throws Authent
 		OAuth2AuthenticatedPrincipal principal;
 		try {
 			principal = this.introspector.introspect(bearer.getToken());
-		} catch (OAuth2IntrospectionException failed) {
+		} catch (BadOpaqueTokenException failed) {
 			throw new InvalidBearerTokenException(failed.getMessage());
+		} catch (OAuth2IntrospectionException failed) {
+			throw new AuthenticationServiceException(failed.getMessage());
 		}
 
 		AbstractAuthenticationToken result = convert(principal, bearer.getToken());

oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/OpaqueTokenReactiveAuthenticationManager.java

@@ -21,13 +21,15 @@
 
 import reactor.core.publisher.Mono;
 
+import org.springframework.security.authentication.AuthenticationServiceException;
 import org.springframework.security.authentication.ReactiveAuthenticationManager;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.oauth2.core.OAuth2AccessToken;
-import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
 import org.springframework.security.oauth2.server.resource.BearerTokenAuthenticationToken;
 import org.springframework.security.oauth2.server.resource.InvalidBearerTokenException;
+import org.springframework.security.oauth2.server.resource.introspection.BadOpaqueTokenException;
 import org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionException;
 import org.springframework.security.oauth2.server.resource.introspection.ReactiveOpaqueTokenIntrospector;
 import org.springframework.util.Assert;
@@ -94,7 +96,11 @@ private Mono<BearerTokenAuthentication> authenticate(String token) {
 				.onErrorMap(OAuth2IntrospectionException.class, this::onError);
 	}
 
-	private OAuth2AuthenticationException onError(OAuth2IntrospectionException e) {
-		return new InvalidBearerTokenException(e.getMessage(), e);
+	private AuthenticationException onError(OAuth2IntrospectionException e) {
+		if (e instanceof BadOpaqueTokenException) {
+			return new InvalidBearerTokenException(e.getMessage(), e);
+		} else {
+			return new AuthenticationServiceException(e.getMessage(), e);
+		}
 	}
 }

oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/introspection/BadOpaqueTokenException.java

@@ -0,0 +1,34 @@
+/*
+ * Copyright 2002-2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.oauth2.server.resource.introspection;
+
+/**
+ * An exception similar to {@link org.springframework.security.authentication.BadCredentialsException}
+ * that indicates an opaque token that is invalid in some way.
+ *
+ * @author Josh Cummings
+ * @since 5.3
+ */
+public class BadOpaqueTokenException extends OAuth2IntrospectionException {
+	public BadOpaqueTokenException(String message) {
+		super(message);
+	}
+
+	public BadOpaqueTokenException(String message, Throwable cause) {
+		super(message, cause);
+	}
+}

oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/introspection/NimbusOpaqueTokenIntrospector.java

@@ -24,7 +24,6 @@
 import java.util.Collections;
 import java.util.List;
 import java.util.Map;
-import java.util.ArrayList;
 
 import com.nimbusds.oauth2.sdk.TokenIntrospectionResponse;
 import com.nimbusds.oauth2.sdk.TokenIntrospectionSuccessResponse;
@@ -133,7 +132,7 @@ private MultiValueMap<String, String> requestBody(String token) {
 	public OAuth2AuthenticatedPrincipal introspect(String token) {
 		RequestEntity<?> requestEntity = this.requestEntityConverter.convert(token);
 		if (requestEntity == null) {
-			throw new OAuth2IntrospectionException("Provided token [" + token + "] isn't active");
+			throw new OAuth2IntrospectionException("requestEntityConverter returned a null entity");
 		}
 
 		ResponseEntity<String> responseEntity = makeRequest(requestEntity);
@@ -143,7 +142,7 @@ public OAuth2AuthenticatedPrincipal introspect(String token) {
 
 		// relying solely on the authorization server to validate this token (not checking 'exp', for example)
 		if (!introspectionSuccessResponse.isActive()) {
-			throw new OAuth2IntrospectionException("Provided token [" + token + "] isn't active");
+			throw new BadOpaqueTokenException("Provided token isn't active");
 		}
 
 		return convertClaimsSet(introspectionSuccessResponse);

oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/introspection/NimbusReactiveOpaqueTokenIntrospector.java

@@ -24,16 +24,15 @@
 import java.util.Collections;
 import java.util.List;
 import java.util.Map;
-import java.util.ArrayList;
 
 import com.nimbusds.oauth2.sdk.TokenIntrospectionResponse;
 import com.nimbusds.oauth2.sdk.TokenIntrospectionSuccessResponse;
 import com.nimbusds.oauth2.sdk.http.HTTPResponse;
 import com.nimbusds.oauth2.sdk.id.Audience;
-import org.springframework.core.io.buffer.DataBuffer;
-import org.springframework.core.io.buffer.DataBufferUtils;
 import reactor.core.publisher.Mono;
 
+import org.springframework.core.io.buffer.DataBuffer;
+import org.springframework.core.io.buffer.DataBufferUtils;
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.MediaType;
 import org.springframework.security.core.GrantedAuthority;
@@ -154,7 +153,7 @@ private TokenIntrospectionSuccessResponse castToNimbusSuccess(TokenIntrospection
 	private void validate(String token, TokenIntrospectionSuccessResponse response) {
 		// relying solely on the authorization server to validate this token (not checking 'exp', for example)
 		if (!response.isActive()) {
-			throw new OAuth2IntrospectionException("Provided token [" + token + "] isn't active");
+			throw new BadOpaqueTokenException("Provided token isn't active");
 		}
 	}
 

oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/authentication/OpaqueTokenAuthenticationProviderTests.java

@@ -23,10 +23,10 @@
 
 import org.junit.Test;
 
+import org.springframework.security.authentication.AuthenticationServiceException;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.oauth2.core.DefaultOAuth2AuthenticatedPrincipal;
 import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal;
-import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
 import org.springframework.security.oauth2.server.resource.BearerTokenAuthenticationToken;
 import org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionClaimNames;
 import org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionException;
@@ -109,9 +109,7 @@ public void authenticateWhenIntrospectionEndpointThrowsExceptionThenInvalidToken
 		OpaqueTokenAuthenticationProvider provider = new OpaqueTokenAuthenticationProvider(introspector);
 
 		assertThatCode(() -> provider.authenticate(new BearerTokenAuthenticationToken("token")))
-				.isInstanceOf(OAuth2AuthenticationException.class)
-				.extracting("error.description")
-				.isEqualTo("Invalid token");
+				.isInstanceOf(AuthenticationServiceException.class);
 	}
 
 	@Test

oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/authentication/OpaqueTokenReactiveAuthenticationManagerTests.java

@@ -25,10 +25,10 @@
 import org.junit.Test;
 import reactor.core.publisher.Mono;
 
+import org.springframework.security.authentication.AuthenticationServiceException;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.oauth2.core.DefaultOAuth2AuthenticatedPrincipal;
 import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal;
-import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
 import org.springframework.security.oauth2.server.resource.BearerTokenAuthenticationToken;
 import org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionClaimNames;
 import org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionException;
@@ -115,9 +115,7 @@ public void authenticateWhenIntrospectionEndpointThrowsExceptionThenInvalidToken
 				new OpaqueTokenReactiveAuthenticationManager(introspector);
 
 		assertThatCode(() -> provider.authenticate(new BearerTokenAuthenticationToken("token")).block())
-				.isInstanceOf(OAuth2AuthenticationException.class)
-				.extracting("error.description")
-				.isEqualTo("Invalid token");
+				.isInstanceOf(AuthenticationServiceException.class);
 	}
 
 	@Test

oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/introspection/NimbusOpaqueTokenIntrospectorTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -168,7 +168,7 @@ public void introspectWhenInactiveTokenThenInvalidToken() {
 		assertThatCode(() -> introspectionClient.introspect("token"))
 				.isInstanceOf(OAuth2IntrospectionException.class)
 				.extracting("message")
-				.isEqualTo("Provided token [token] isn't active");
+				.isEqualTo("Provided token isn't active");
 	}
 
 	@Test

oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/introspection/NimbusReactiveOpaqueTokenIntrospectorTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -140,9 +140,9 @@ public void authenticateWhenInactiveTokenThenInvalidToken() {
 				new NimbusReactiveOpaqueTokenIntrospector(INTROSPECTION_URL, webClient);
 
 		assertThatCode(() -> introspectionClient.introspect("token").block())
-				.isInstanceOf(OAuth2IntrospectionException.class)
+				.isInstanceOf(BadOpaqueTokenException.class)
 				.extracting("message")
-				.isEqualTo("Provided token [token] isn't active");
+				.isEqualTo("Provided token isn't active");
 	}
 
 	@Test