diff --git a/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtDecoder.java b/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtDecoder.java
index 5fb07130e1..8aa11dba43 100644
--- a/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtDecoder.java
+++ b/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtDecoder.java
@@ -183,6 +183,10 @@ private Jwt createJwt(String token, JWT parsedJwt) {
 this.logger.trace("Failed to process JWT", ex);
 throw new JwtException(String.format(DECODING_ERROR_MESSAGE_TEMPLATE, ex.getMessage()), ex);
 }
+ catch (IllegalStateException ex) {
+ this.logger.trace("Failed to validate issuer", ex);
+ throw new BadJwtException(String.format(DECODING_ERROR_MESSAGE_TEMPLATE, ex.getMessage()), ex);
+ }
 catch (Exception ex) {
 this.logger.trace("Failed to process JWT", ex);
 if (ex.getCause() instanceof ParseException) {
diff --git a/oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/NimbusJwtDecoderTests.java b/oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/NimbusJwtDecoderTests.java
index c1866720a4..18e168517a 100644
--- a/oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/NimbusJwtDecoderTests.java
+++ b/oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/NimbusJwtDecoderTests.java
@@ -49,6 +49,7 @@
 import com.nimbusds.jose.proc.JWSKeySelector;
 import com.nimbusds.jose.proc.JWSVerificationKeySelector;
 import com.nimbusds.jose.proc.SecurityContext;
+import com.nimbusds.jwt.JWT;
 import com.nimbusds.jwt.JWTClaimsSet;
 import com.nimbusds.jwt.SignedJWT;
 import com.nimbusds.jwt.proc.BadJWTException;
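Review bot: The new catch maps every `IllegalStateException` raised anywhere in the try block — not just one from an issuer check — to `BadJwtException`, yet the trace line says `"Failed to validate issuer"`; an `IllegalStateException` from a misconfigured `JWTProcessor`, or from whatever else runs in the try body above the hunk, would then be reported to the caller as an invalid token and logged as an issuer failure. Unless the issuer validation is provably the only source of that exception type on this path, the log message should match its siblings, `this.logger.trace("Failed to process JWT", ex);`, or the catch should be narrowed to the exception the issuer validation actually throws. As in the sibling catches, `ex.getMessage()` is formatted into the `BadJwtException` message; if that message reaches the client (for example as an `error_description`), an `IllegalStateException` text written for developers may be exposed, so it is worth confirming what the issuer path puts in it. createJwt's body begins outside the hunk and the trailing `catch (Exception ex)` continues past it.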
@@ -82,6 +83,7 @@
 import static org.assertj.core.api.Assertions.assertThatIllegalStateException;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.ArgumentMatchers.isNull;
 import static org.mockito.BDDMockito.given;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.times;
@@ -879,6 +881,20 @@ public void decodeWhenSecretKeyValidateTypeFalseThenSkipsNimbusTypeValidation()
 jwtDecoder.decode(jwt.serialize());
 }
+ // gh-18388
+ @Test
+ public void decodeWhenIllegalStateExceptionThenThrowsBadJwtException() throws Exception {
+ JWTProcessor jwtProcessor = mock(JWTProcessor.class);
+ given(jwtProcessor.process(any(JWT.class), isNull())).willThrow(new IllegalStateException());
+ NimbusJwtDecoder jwtDecoder = new NimbusJwtDecoder(jwtProcessor);
+ // @formatter:off
+ assertThatExceptionOfType(BadJwtException.class)
+ .isThrownBy(() -> jwtDecoder.decode(SIGNED_JWT))
+ .withCauseInstanceOf(IllegalStateException.class)
+ .withMessageContaining("An error occurred while attempting to decode the Jwt");
+ // @formatter:on
+ }
+
 private RSAPublicKey key() throws InvalidKeySpecException {
 byte[] decoded = Base64.getDecoder().decode(VERIFY_KEY.getBytes());
 EncodedKeySpec spec = new X509EncodedKeySpec(decoded);
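Review bot: The new test throws a message-less `new IllegalStateException()`, so `ex.getMessage()` is `null` and the decoder presumably formats `null` into `DECODING_ERROR_MESSAGE_TEMPLATE`; the `withMessageContaining` assertion passes regardless and therefore does not pin whether the cause's message is propagated, which is the part a caller actually sees. Throwing `new IllegalStateException("issuer mismatch")` and asserting `.withMessageContaining("issuer mismatch")` (or asserting its absence, if that text must not leak) would make the contract explicit. The test also only exercises the generic mapping through a mock; nothing here shows that a real issuer-validation failure inside the processor raises `IllegalStateException` rather than a Nimbus `BadJWTException`, so a test driving a `DefaultJWTProcessor` with a mismatched `iss` claim would confirm the new catch is actually reached. `JWTProcessor jwtProcessor = mock(JWTProcessor.class);` is a raw type; since the file imports `SecurityContext`, `JWTProcessor<SecurityContext> jwtProcessor = mock(JWTProcessor.class);` would avoid the unchecked warning, assuming the constructor accepts that parameterization.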