mock-oauth2-server
Escaped quotes appear when using testutils/signclaims in token
I have noticed this when making a call to testutils/signclaims. Not sure where they are coming from, but when it ends up in spring the first scope is "abc and the last scope is ghi".
I think the json I am passing is correct. Do you know if there is a way for me to not have the string quotes end up in the token yet still be valid json?
I should say this is on master.
Hi! I'm unable to reproduce this behaviour, can you share some details on what you are doing when the problem occurs?
Yes
./gradle run
POST to /default/testutils/signclaims
JSON body (you can use Text too, it doesn't check)
```json
{
  "claims": {
    "scope": "abc def ghi",
    "anything": "hereweare",
    "anumberthatdoesnneedquotes": 33434
  }
}
```
take response and decode it on jwt.io
Here is one I just made
eyJraWQiOiJkZWZhdWx0IiwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYifQ.eyJuYmYiOjE2NjQ4MDc5MTEsInNjb3BlIjoiXCJhYmMgZGVmIGdoaVwiIiwiYW51bWJlcnRoYXRkb2Vzbm5lZWRxdW90ZXMiOiIzMzQzNCIsImV4cCI6MTY2NDgxMTUxMSwiaWF0IjoxNjY0ODA3OTExLCJhbnl0aGluZyI6IlwiaGVyZXdlYXJlXCIifQ.WHgLqZwZnKY-61jwvEivWMjtN6rCeyXVi-pKixhtzeLt5zIxghhG1Z_vx7sFtXbAEO40DAOV9ekHcVwDWhW0Jve7AuZMtxMMp9Vcueis-UutCCgIlmH71SboYQ7YjvD6i9uaL1vxGhFfYKatNRWyrzk0oxjU66aYpM8_HBVJGu0W-YIT9gPDH1Pb0TnACceZcTjavij1qSVgQYP4jWr7Y0vXegb0pdruUgujDoWfa28DsS7-29oBeifgj7ybUQL0Oh6Xv7OEtZs7bgOXZTT6CHvSLsz0MJuw7u4iqie-XKkWq9CyITlpeM35qAGsllNHpEGj6YpnpoQ6Rr8bjWTLHw
It parsed in the "'s in the json as part of the data and escaped them and returned them in the token.
In this case I am using thunderclient (via vscode), but I originally wrote with Webclient via spring before I noticed the problem and went to thunderclient for easier duplication.
If I remove the quotes it rightly knows it is not valid json so I'm pretty sure it's getting to jackson correctly.
Unrecognized token 'hereweare': was expecting (JSON String, Number, Array, Object or token 'null', 'true' or 'false') at [Source: (String)"{ "claims": { "scope": "abc def ghi", "anything": hereweare, "anumberthatdoesnneedquotes": 33434 } }"; line: 4, column: 26]
I just went back and used Webclient just in case
```java
String astring = client.post()
    .uri("/default/testutils/signclaims")
    .header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE)
    .body(BodyInserters.fromValue(om.writeValueAsString(jwtsr)))
    .retrieve()
    .bodyToMono(String.class)
    .block();
```
Here is the result of om.writeValueAsString(jwtsr)
{"expiry":"PT1H","claims":{"scope":"leftquotefix rightquotefix hij"}}
It gets the same result, here is the token
eyJraWQiOiJkZWZhdWx0IiwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYifQ.eyJuYmYiOjE2NjQ4MDk5ODgsImV4cCI6MTY2NDgxMzU4OCwiaWF0IjoxNjY0ODA5OTg4LCJzY29wZSI6IlwibGVmdHF1b3RlZml4IHJpZ2h0cXVvdGVmaXggaGlqXCIifQ.MEZ1SxIiBVVI1Ezs8CC4SVtevwpXUM0lHA03HKcBeVRbTVFjWr3Jf6nFshyHAR8RVx5MHkwUsC_ATUcz3N7n9yVmyqvPXY8c1ixlQZ-yvj-_hihARiD95abpGot5p1RzL89L4jGb9YageqDnl9fxtdyHxD86LSqdPOhwfhEQHumU3bSjXW6thO7sdZTAp2-eoWAOA3YIYz5Bj_nuSxwuCA1VO7TVvzR62f-V29WRKB5edD0I4K8AcdTLL7G50rjtwaaTUxvFiEQaRQ4rsLyLVSAWuOkyF-uS57XyZcmQdYsLMj2QdO4MtnGBdrIRdJIpPZkys_TRhYeH6OrkpFM0JQ
It does require the json value header. (otherwise it ignores the data)
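An offline way to inspect such a token and compare it with the claims that were requested, added here as an example; it is not part of the original thread or of the project's code. The function names and the sample token are constructed for illustration (the payload mirrors the one reported above), and the signature is not verified.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Payload of a compact JWT; the signature is NOT verified (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def scopes(claims: dict) -> list:
    """Split the space-delimited scope claim the way a resource server would."""
    return str(claims.get("scope", "")).split()


def mismatched_claims(requested: dict, issued: dict) -> dict:
    """Requested claims whose value or JSON type changed in the issued token."""
    return {
        name: (want, issued.get(name))
        for name, want in requested.items()
        if name not in issued
        or type(issued[name]) is not type(want)
        or issued[name] != want
    }


# Constructed sample: the claims from the request body in this thread, and a
# payload shaped like the reported one (values JSON-encoded a second time).
REQUESTED = {"scope": "abc def ghi", "anything": "hereweare",
             "anumberthatdoesnneedquotes": 33434}
REPORTED_PAYLOAD = {"scope": "\"abc def ghi\"", "anything": "\"hereweare\"",
                    "anumberthatdoesnneedquotes": "33434"}
HEADER = {"kid": "default", "typ": "JWT", "alg": "RS256"}
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps(HEADER).encode()),
    _b64url(json.dumps(REPORTED_PAYLOAD).encode()),
    _b64url(b"constructed-not-a-real-signature"),
])

if __name__ == "__main__":
    issued = decode_claims(SAMPLE_TOKEN)
    print(scopes(issued))
    print(mismatched_claims(REQUESTED, issued))
```

Run in an integration test against the token returned by the server, an empty result from `mismatched_claims` means every requested claim came back with the same value and JSON type.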
Is this endpoint something you have made? Can't find any traces of it.
Ah, I think I have figured it out based on your last comment. I have a fork of this project locally (I thought I had this version, which is why I'm here), and that fork happens to have exactly what I need. I just need a way to get a set of scopes and token for integration testing, without any pre-configuration.
https://github.com/erik-a-e/mock-oauth2-server
https://github.com/navikt/mock-oauth2-server/compare/master...erik-a-e:mock-oauth2-server:master
Is there a way to do that with the existing token call? Or should I re-fork and get the commits and just use that?
@johnchesser It depends on how you are using the server. Are you using it from a JUnit test? Are you using it as a Docker image? For the former you can configure the server to return any claims you want inside your test, for the latter you can supply a json config for the claims you want back. Also, do you need to get the token via an HTTP call or do you want it programmatically?
We are using it as an image, and for testing only. I think I fully understand the configuration, but what I have now doesn't require any, and we have new scopes added for each new product we build so we don't want to have to sync this up to our auth (scope) automation process.
This is basically our simple testing contract:
public static JWTResponse getTokenWithScopes(String[] scopes)
I think I just want it programmatically, the reason for the http call is I (atm) don't have to manage anything, or configure anything, or manage any type of keystore. I can start up the mock server, make a call to any issuer. We will usually have just one, and we will use default, but we do have multi tenant applications that may use more than one in testing.
Hope that helps and explains, and sorry again for the fork confusion!
This issue is stale because it has been open for 60 days with no activity.
This issue was closed because it has been inactive for 14 days since being marked as stale.