
DPoP filter is ignored when another AuthenticationFilter is present #17173


Closed
gbaso opened this issue May 27, 2025 · 4 comments
Labels: in: oauth2 (An issue in OAuth2 modules: oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose); status: duplicate (A duplicate of another issue); type: bug (A general bug)

Comments

gbaso (Contributor) commented May 27, 2025

The DPoP filter is implemented as an AuthenticationConverter applied to an AuthenticationFilter. AuthenticationFilter extends OncePerRequestFilter, which means that only the first filter of that type actually does its filtering. An attribute is then added to the request that prevents additional filters of the same type from doing anything other than proceeding to the next filter.

In my experience, AuthenticationFilter plus AuthenticationConverter is the easiest way to create a custom filter, therefore I believe it to be very commonly used. Depending on the configuration, either DPoP or the custom filter is completely disabled, based on the filter ordering.

Sample application with oauth2 resource server + custom API key: https://github.com/gbaso/oauth2-api-server

@gbaso gbaso added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels May 27, 2025
jgrandja (Contributor) commented

@gbaso Thanks for reporting this. Indeed this is an issue if there is more than one AuthenticationFilter in the chain.

Overriding OncePerRequestFilter.getAlreadyFilteredAttributeName() would solve this issue.

Would you be interested in submitting a fix?

@jgrandja jgrandja self-assigned this May 28, 2025
@jgrandja jgrandja added in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) and removed status: waiting-for-triage An issue we've not yet triaged labels May 28, 2025
@jgrandja jgrandja added this to the 6.5.1 milestone May 28, 2025
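The workaround jgrandja suggests above, as an added example that is not part of the issue thread, of gbaso's sample application, or of the fix later merged in gh-17216: a custom AuthenticationFilter subclass overrides getAlreadyFilteredAttributeName() so the request attribute it sets no longer collides with the one the DPoP AuthenticationFilter sets, and both filters run on every request regardless of ordering. The X-API-Key header name and the ApiKeyAuthentication token type are assumptions made for illustration.

```java
import jakarta.servlet.http.HttpServletRequest;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.AuthenticationConverter;
import org.springframework.security.web.authentication.AuthenticationFilter;

/**
 * Illustrative API-key filter (assumption, not project code).
 *
 * OncePerRequestFilter marks a request as handled by storing an attribute named
 * getFilterName() + ".FILTERED"; when no filter name has been set, getFilterName()
 * falls back to the class name. Two AuthenticationFilter instances therefore share
 * "org.springframework.security.web.authentication.AuthenticationFilter.FILTERED",
 * and whichever runs second sees the attribute and skips straight to the next filter.
 * Overriding getAlreadyFilteredAttributeName() gives this filter its own marker.
 */
public class ApiKeyAuthenticationFilter extends AuthenticationFilter {

    // Distinct from the default name derived from AuthenticationFilter.class.
    private static final String ALREADY_FILTERED_ATTRIBUTE =
            ApiKeyAuthenticationFilter.class.getName() + ".FILTERED";

    public ApiKeyAuthenticationFilter(AuthenticationManager authenticationManager) {
        super(authenticationManager, new ApiKeyAuthenticationConverter());
    }

    @Override
    protected String getAlreadyFilteredAttributeName() {
        return ALREADY_FILTERED_ATTRIBUTE;
    }

    /** Reads the (assumed) X-API-Key header; null tells AuthenticationFilter to continue the chain. */
    static final class ApiKeyAuthenticationConverter implements AuthenticationConverter {
        @Override
        public Authentication convert(HttpServletRequest request) {
            String apiKey = request.getHeader("X-API-Key");
            if (apiKey == null || apiKey.isBlank()) {
                return null;
            }
            return new ApiKeyAuthentication(apiKey.trim());
        }
    }

    /** Unauthenticated request token; an AuthenticationProvider (not shown) validates the key. */
    static final class ApiKeyAuthentication extends AbstractAuthenticationToken {
        private final String apiKey;

        ApiKeyAuthentication(String apiKey) {
            super(null);
            this.apiKey = apiKey;
            setAuthenticated(false);
        }

        @Override
        public Object getCredentials() {
            return apiKey;
        }

        @Override
        public Object getPrincipal() {
            return apiKey;
        }
    }
}
```

Register the filter with `http.addFilterBefore(new ApiKeyAuthenticationFilter(authenticationManager), BearerTokenAuthenticationFilter.class)` or wherever the chain needs it; with the override in place, the order relative to the DPoP filter no longer decides which of the two mechanisms silently stops running. A quick check is to send one request carrying both a DPoP-bound bearer token and the API-key header and confirm in debug logging that both filters reach their converters.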
therepanic (Contributor) commented

If no one would mind, I could prepare a fix.

gbaso (Contributor, Author) commented May 28, 2025

@therepanic you can go ahead

therepanic added a commit to therepanic/spring-security that referenced this issue May 29, 2025
therepanic added a commit to therepanic/spring-security that referenced this issue May 30, 2025
therepanic added a commit to therepanic/spring-security that referenced this issue May 30, 2025
therepanic added a commit to therepanic/spring-security that referenced this issue Jun 3, 2025
therepanic added a commit to therepanic/spring-security that referenced this issue Jun 5, 2025
jgrandja (Contributor) commented Jun 6, 2025

@gbaso This is now resolved via gh-17216. I'll mark this as a duplicate.

@jgrandja jgrandja added the status: duplicate A duplicate of another issue label Jun 6, 2025
@jgrandja jgrandja removed this from the 6.5.1 milestone Jun 6, 2025