Expect AuthenticationException for invalid issuer instead of IllegalStateException #18388

@gulecroc

Description

Describe the bug
Using the OAuth2 resource server with JWT authentication, if the client sends a token with an issuer different from the one expected, the exception thrown is an IllegalStateException:

Assert.state(issuer.equals(metadataIssuer), () -> "The Issuer \"" + metadataIssuer

The exception is never wrapped in an AuthenticationException.

To Reproduce
Configure the OAuth2 resource server and exception handling:

// Imports and the enclosing configuration class were missing from the snippet; added so it compiles.
// On Spring Security 5 / Spring Boot 2 the servlet imports are javax.servlet.http.* instead.
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.AccessDeniedHandler;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    private static final Logger LOGGER = LoggerFactory.getLogger(SecurityConfig.class);

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        return http.csrf(AbstractHttpConfigurer::disable)
                .authorizeHttpRequests(matcher -> matcher.anyRequest().authenticated())
                .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()))
                .exceptionHandling(exceptionHandling -> exceptionHandling
                        .authenticationEntryPoint(authenticationEntryPoint())
                        .accessDeniedHandler(accessDeniedHandler()))
                .build();
    }

    // Entry point used for the reproduction: it only logs the failure and does not write a response.
    @Bean
    public AuthenticationEntryPoint authenticationEntryPoint() {
        return (HttpServletRequest request, HttpServletResponse response,
                AuthenticationException authException) -> {
            LOGGER.error("Authentication failed", authException);
        };
    }

    @Bean
    public AccessDeniedHandler accessDeniedHandler() {
        return (HttpServletRequest request, HttpServletResponse response,
                org.springframework.security.access.AccessDeniedException accessDeniedException) -> {
            LOGGER.error("Access denied", accessDeniedException);
        };
    }
}

Configure the expected JWT issuer URI:

spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: https://issuer-uri

Send a request with a token from another issuer-uri: the exception is not logged.

Expected behavior
The exception is an AuthenticationException, so we can catch it through httpSecurity.exceptionHandling() or authentication events.
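As an added illustration of a defensive workaround (not part of the issue and not Spring Security's own code): a JwtDecoder bean that wraps the decoder built from the configured issuer-uri and re-wraps a raw IllegalStateException as a BadJwtException, which JwtAuthenticationProvider turns into an InvalidBearerTokenException (an AuthenticationException), so the authenticationEntryPoint configured above is invoked. It assumes the IllegalStateException surfaces from JwtDecoder.decode(); the class and bean names are hypothetical.

```java
import java.util.function.Supplier;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.jwt.BadJwtException;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.JwtException;

// Hypothetical workaround configuration; not from the issue or from Spring Security itself.
@Configuration
public class TranslatingJwtDecoderConfig {

    // Declaring our own JwtDecoder bean makes Spring Boot back off from creating its default one.
    @Bean
    public JwtDecoder jwtDecoder(
            @Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri}") String issuerUri) {
        // Resolve the real decoder lazily (as Boot does) so a failure is reported per request.
        return new TranslatingJwtDecoder(() -> JwtDecoders.fromIssuerLocation(issuerUri));
    }

    // Delegates to the real decoder and re-wraps failures that are not JwtExceptions.
    static final class TranslatingJwtDecoder implements JwtDecoder {
        private final Supplier<JwtDecoder> delegateSupplier;
        private JwtDecoder delegate;

        TranslatingJwtDecoder(Supplier<JwtDecoder> delegateSupplier) {
            this.delegateSupplier = delegateSupplier;
        }

        @Override
        public Jwt decode(String token) throws JwtException {
            try {
                return delegate().decode(token);
            }
            catch (IllegalStateException ex) {
                // An Assert.state(...) failure is not a JwtException, so the bearer-token filter
                // would let it propagate as a server error instead of calling the entry point.
                // BadJwtException is mapped to InvalidBearerTokenException, an AuthenticationException.
                // Keep the client-visible message fixed; the issuer detail stays in the cause for logs.
                throw new BadJwtException("Bearer token rejected", ex);
            }
        }

        private synchronized JwtDecoder delegate() {
            if (this.delegate == null) {
                this.delegate = this.delegateSupplier.get();
            }
            return this.delegate;
        }
    }
}
```

With this bean in place the entry point from the reproduction logs "Authentication failed" with the IllegalStateException as the root cause, and Spring Security's AuthenticationFailureBadCredentialsEvent fires as for any other rejected bearer token.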
