laserninja opened a new issue, #10672:
URL: https://github.com/apache/gravitino/issues/10672

   ### What would you like to be improved?
   
   When a JWT token has expired, the server currently returns a generic error 
message ("JWT parse error" or "JWKS JWT validation error") rather than a 
specific authentication timeout message. This makes it impossible for clients 
to distinguish an expired token from a malformed token or invalid signature.
   
   The issue affects two validators:
   
   - StaticSignKeyValidator — ExpiredJwtException is caught in the same multi-catch as MalformedJwtException, UnsupportedJwtException, SignatureException, etc., and returns the generic "JWT parse error".
   - JwksTokenValidator — All exceptions are caught generically and return "JWKS JWT validation error", regardless of whether the token was expired or had a different fault.
   
   Clients receive a 401 Unauthorized with no way to determine whether they should refresh/re-authenticate vs. debug a misconfigured token.
   
   ### How should we improve?
   
   - In StaticSignKeyValidator, split ExpiredJwtException into its own catch block and return "Authentication token is expired".
   - In JwksTokenValidator, add a catch (BadJWTException e) block that inspects the message for expiry and returns "Authentication token is expired".
   
   This gives clients an actionable error and improves observability.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
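The catch-block split proposed in the issue, written out as a stand-alone example. This is added illustration, not Gravitino's StaticSignKeyValidator or JwksTokenValidator code: it assumes the JJWT 0.12 API (`Jwts.parser().verifyWith(...)`) for the static-key path and Nimbus JOSE + JWT (`DefaultJWTProcessor`) for the JWKS path, reuses the three message strings from the issue, and assumes that Nimbus's DefaultJWTClaimsVerifier reports an expired `exp` claim as a BadJWTException whose message contains "Expired". The subject, key IDs and tokens are constructed in `main`.

```java
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.proc.BadJWTException;
import com.nimbusds.jwt.proc.ConfigurableJWTProcessor;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import io.jsonwebtoken.ExpiredJwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.MalformedJwtException;
import io.jsonwebtoken.UnsupportedJwtException;
import io.jsonwebtoken.security.SignatureException;
import java.text.ParseException;
import java.util.Date;
import javax.crypto.SecretKey;

public class TokenErrorSplit {
  // Messages as proposed in the issue; the "ok" string is this example's own.
  static final String EXPIRED_MSG = "Authentication token is expired";
  static final String STATIC_GENERIC_MSG = "JWT parse error";
  static final String JWKS_GENERIC_MSG = "JWKS JWT validation error";

  /** Static-key path (JJWT): ExpiredJwtException gets its own catch block. */
  static String validateStatic(SecretKey key, String token) {
    try {
      Jwts.parser().verifyWith(key).build().parseSignedClaims(token);
      return "ok";
    } catch (ExpiredJwtException e) {
      // JJWT verifies the signature before it evaluates exp, so this branch
      // is reached only for a token that was signed with our key.
      return EXPIRED_MSG;
    } catch (MalformedJwtException | UnsupportedJwtException
        | SignatureException | IllegalArgumentException e) {
      return STATIC_GENERIC_MSG;
    }
  }

  /** JWKS path (Nimbus): catch BadJWTException and inspect its message. */
  static String validateJwks(ConfigurableJWTProcessor<SecurityContext> processor, String token) {
    try {
      processor.process(token, null);
      return "ok";
    } catch (BadJWTException e) {
      // Assumption: DefaultJWTClaimsVerifier reports expiry as "Expired JWT".
      String msg = e.getMessage();
      if (msg != null && msg.toLowerCase().contains("expired")) {
        return EXPIRED_MSG;
      }
      return JWKS_GENERIC_MSG;
    } catch (ParseException | BadJOSEException | JOSEException e) {
      return JWKS_GENERIC_MSG;
    }
  }

  public static void main(String[] args) throws Exception {
    // Ten minutes in the past clears Nimbus's default 60 s clock-skew allowance.
    Date tenMinutesAgo = new Date(System.currentTimeMillis() - 10 * 60 * 1000L);

    // Static key: an expired token signed with our key, one signed with a
    // different key, and a string that is not a JWT at all (all constructed).
    SecretKey key = Jwts.SIG.HS256.key().build();
    SecretKey otherKey = Jwts.SIG.HS256.key().build();
    String expired = Jwts.builder().subject("alice").expiration(tenMinutesAgo).signWith(key).compact();
    String wrongKey = Jwts.builder().subject("alice").expiration(tenMinutesAgo).signWith(otherKey).compact();
    System.out.println(validateStatic(key, expired));
    System.out.println(validateStatic(key, wrongKey));
    System.out.println(validateStatic(key, "not.a.jwt"));

    // JWKS: an in-memory key set standing in for a remote JWKS endpoint.
    RSAKey rsaKey = new RSAKeyGenerator(2048).keyID("k1").generate();
    JWKSource<SecurityContext> jwks = new ImmutableJWKSet<>(new JWKSet(rsaKey));
    ConfigurableJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
    processor.setJWSKeySelector(new JWSVerificationKeySelector<>(JWSAlgorithm.RS256, jwks));
    SignedJWT jwt = new SignedJWT(
        new JWSHeader.Builder(JWSAlgorithm.RS256).keyID("k1").build(),
        new JWTClaimsSet.Builder().subject("alice").expirationTime(tenMinutesAgo).build());
    jwt.sign(new RSASSASigner(rsaKey));
    System.out.println(validateJwks(processor, jwt.serialize()));
    System.out.println(validateJwks(processor, "not.a.jwt"));
  }
}
```

Two points worth checking when applying this in a real validator. First, the "expired" response should only ever be produced for a token whose signature verified: both parsers above check the signature before the claims, which is why the wrong-key token falls through to the generic message rather than leaking that its `exp` is in the past. Second, matching on the exception message text, as the issue proposes for the JWKS path, is tied to the wording of the underlying library; a custom `JWTClaimsSetVerifier` that throws a dedicated exception type would survive a library upgrade, whereas the substring check needs a test that fails loudly if the message changes.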