Reduce severity of invalid registrationId to warn

This prevents filling the log file with error messages when routine scans are being performed. Closes gh-11344
3 years ago · bbac85e20b
3 changed files with 42 additions and 2 deletions
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/DefaultOAuth2AuthorizationRequestResolver.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/DefaultOAuth2AuthorizationRequestResolver.java
@ -149,7 +149,7 @@ public final class DefaultOAuth2AuthorizationRequestResolver implements OAuth2Au
				@@ -149,7 +149,7 @@ public final class DefaultOAuth2AuthorizationRequestResolver implements OAuth2Au
 		}
 		ClientRegistration clientRegistration = this.clientRegistrationRepository.findByRegistrationId(registrationId);
 		if (clientRegistration == null) {
-			throw new IllegalArgumentException("Invalid Client Registration with Id: " + registrationId);
+			throw new InvalidClientRegistrationIdException("Invalid Client Registration with Id: " + registrationId);
 		}
 		OAuth2AuthorizationRequest.Builder builder = getBuilder(clientRegistration);

--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/InvalidClientRegistrationIdException.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/InvalidClientRegistrationIdException.java
@ -0,0 +1,32 @@
				@@ -0,0 +1,32 @@
+/*
+ * Copyright 2002-2022 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.oauth2.client.web;
+
+/**
+ * @author Steve Riesenberg
+ * @since 5.8
+ */
+class InvalidClientRegistrationIdException extends IllegalArgumentException {
+
+	/**
+	 * @param message the exception message
+	 */
+	InvalidClientRegistrationIdException(String message) {
+		super(message);
+	}
+
+}
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectFilter.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectFilter.java
@ -230,7 +230,15 @@ public class OAuth2AuthorizationRequestRedirectFilter extends OncePerRequestFilt
				@@ -230,7 +230,15 @@ public class OAuth2AuthorizationRequestRedirectFilter extends OncePerRequestFilt

 	private void unsuccessfulRedirectForAuthorization(HttpServletRequest request, HttpServletResponse response,
 			Exception ex) throws IOException {
-		this.logger.error(LogMessage.format("Authorization Request failed: %s", ex), ex);
+		LogMessage message = LogMessage.format("Authorization Request failed: %s", ex);
+		if (InvalidClientRegistrationIdException.class.isAssignableFrom(ex.getClass())) {
+			// Log an invalid registrationId at WARN level to allow these errors to be
+			// tuned separately from other errors
+			this.logger.warn(message, ex);
+		}
+		else {
+			this.logger.error(message, ex);
+		}
 		response.sendError(HttpStatus.INTERNAL_SERVER_ERROR.value(),
 				HttpStatus.INTERNAL_SERVER_ERROR.getReasonPhrase());
 	}