René's URL Explorer Experiment

{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"IllegalArgumentException from 401 responses","articleBody":"Hi!\r\n\r\nI recently encountered a problem which seems to be somehow related to #492\r\n\r\nIt seems that the OAuth request behaves differently depending on whether the REST client is running locally or in a docker container in a cloud environment.\r\nFor the first case, when we use a wrong clientId for authentication, a 401 response with a body is received, which is logged in debug mode (in method `OAuth20Service.sendAccessTokenRequestSync()`) like follows:\r\n```\r\ncreated access token client credentials grant request with body params [grant_type=client_credentials], query string params []\r\nsend request for access token synchronously to https://...\r\nresponse status code: 401\r\nresponse body: {\"error\":\"unauthorized\",\"error_description\":\"Full authentication is required to access this resource\"}\r\n```\r\n\r\nI have absolutely no idea where the \"response body\" is taken from because it is 100% sure that the service doesn't send a body for a 401 response - it is simply empty (tested with curl, postman etc.)\r\n\r\nNow, when our client is running in the cloud (and contacting the exact same service), the response is null:\r\n```\r\ncreated access token client credentials grant request with body params [grant_type=client_credentials], query string params []\r\nsend request for access token synchronously to https://...\r\nresponse status code: 401\r\nresponse body: null\r\n```\r\n\r\nIn this case, an exception is thrown in `OAuth2AccessTokenJsonExtractor.extract()`:\r\n```\r\n java.lang.IllegalArgumentException: Response body is incorrect. Can't extract a token from an empty string\r\n\tat com.github.scribejava.core.utils.Preconditions.check(Preconditions.java:49)\r\n\tat com.github.scribejava.core.utils.Preconditions.checkEmptyString(Preconditions.java:31)\r\n\tat com.github.scribejava.core.extractors.OAuth2AccessTokenJsonExtractor.extract(OAuth2AccessTokenJsonExtractor.java:34)\r\n\tat com.github.scribejava.core.extractors.OAuth2AccessTokenJsonExtractor.extract(OAuth2AccessTokenJsonExtractor.java:17)\r\n\tat com.github.scribejava.core.oauth.OAuth20Service.sendAccessTokenRequestSync(OAuth20Service.java:157)\r\n\tat com.github.scribejava.core.oauth.OAuth20Service.getAccessTokenClientCredentialsGrant(OAuth20Service.java:418)\r\n```\r\n\r\nBecause of that, I am wondering: Why should it be a problem if there is no response body when we receive a 401 response? Actually, according to the HTTP code it is clear that there won't be an OAuth token and there will be nothing that could be extracted from the response. Besides this, the `generateError()` method which would be called afterwards does also allow the variables errorUri, errorCode and errorDescription to be null when throwing the `OAuth2AccessTokenErrorResponse` exception.\r\n\r\nThus, I think that the check for an empty string might be too early und should be placed below the if-statement, isn't it?\r\nThanks!","author":{"url":"https://github.com/Steinbam","@type":"Person","name":"Steinbam"},"datePublished":"2024-12-13T15:03:59.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":0},"url":"https://github.com/1078/scribejava/issues/1078"}