OidcIdToken cannot be serialized to JSON if token contains claim of type JSONArray or JSONObject #9222
Conversation
spring-projects-issues
added
the
status: waiting-for-triage
ghost
| @@ -54,7 +54,7 @@ public Object convert(Object source, TypeDescriptor sourceType, TypeDescriptor t | |||
| } | |||
| Map<?, ?> sourceMap = (Map<?, ?>) source; | |||
| if (!sourceMap.isEmpty() && sourceMap.keySet().iterator().next() instanceof String) { | |||
There was a problem hiding this comment.
In my opinion this check is no longer required, as it will be covered by Map<String, Object> result = new HashMap<>(); sourceMap.forEach((k, v) -> result.put(k.toString(), v)); and a new Map will be created in both cases.
...ain/java/org/springframework/security/oauth2/core/converter/ObjectToListStringConverter.java
Outdated
Show resolved
Hide resolved
…ype JSONArray or JSONObject ObjectToListStringConverter and ObjectToMapStringObjectConverter were checking if the source object is of type List or Map and if the first element or key is a String. If we have a JSONArray containing Strings the above check will pass, meaning that a JSONArray will be returned which is not serializable (same applies to JSONObject) With this change, even if the check is passing a new List or Map will be returned. Closes spring-projectsgh-9210
jgrandja
added
in: oauth2
|
Thanks for the PR @ovidiupopa91 ! This is now in master and backported to 5.2.x. |
|
@ovidiupopa91 If you're available for another PR in Spring Security or Spring Authorization Server let me know and I'll find one for you. |
|
Hi @jgrandja . Sure, I would be happy to contribute to a new PR. Either of them would be fine. |
|
Thanks @ovidiupopa91 ! I will be in touch next week with a couple of options to choose from . Enjoy your weekend! |
|
@ovidiupopa91 Here are a couple of options to choose from: OAuth 2.0 Mutual-TLS Client Authentication OpenID Connect Dynamic Client Registration 1.0 Do any of these features interest you? Keep in mind that these are major features and will require some effort and time. If you prefer a smaller feature let me know and I'll find something. FYI, I'll be on PTO starting Dec 11 and returning Jan 4. |
|
Hi @jgrandja. I can give it a try with OpenID Connect Dynamic Client Registration 1.0 When it comes to my free time, I'm usually allocating 2-3hours/day. I don't have a problem regarding the effort, but it also depends when this feature is planned to be rolled out. If this must happen in the next 1-2 weeks I'm not sure if I can finish till then. Let me know if this is ok with you too. Maybe we can have a chat before you leave, discussing this feature before actually starting to implement it. (we can do it on gitter) I will also be on PTO starting Dec 21 and returning on Jan 6. |
ObjectToListStringConverter and ObjectToMapStringObjectConverter were checking if the source object is of type List or Map and if the first element or key is a String. If we have a JSONArray containing Strings the above check will pass, meaning that a JSONArray will be returned which is not serializable (same applies to JSONObject)
With this change, even if the check is passing a new List or Map will be returned.
Closes gh-9210