I don't understand why AuthenticationWebFilter throws an IllegalStateException when an empty authentication results after trying to authenticate; it should throw an AuthenticationException to be caught and processed by the AuthenticationFailureHandler.
An example of this malfunction would be using the JwtReactiveAuthenticationManager, which could return an empty value because of a failure trying to recover the JWKSet.
Comment From: jzheaux
Thanks for the report, @ceremo.
Can you confirm that JwtReactiveAuthenticationManager returns an empty value when failing to recover the JWK set? I believe this would be a bug. The authentication manager should throw an InvalidBearerTokenException when there is something wrong with the bearer token and an AuthenticationServiceException when there is something wrong with the service.
Comment From: ceremo
Sorry @jzheaux, I think the empty value is caused by a custom ReactiveJWKSource trying to get the keys and failing with a timeout, so as you say an IllegalStateException should not be thrown executing an AuthenticationManager.
Related to this, I identified a possible bug: if the webClient used to get the keys (ReactiveRemoteJWKSource) ends with an error, it will be caught by the NimbusReactiveJwtDecoder, which maps it to a new IllegalStateException("Could not obtain the keys", ex). Maybe this is wrong; as you said, this should be an AuthenticationServiceException and processed by the AuthenticationFailureHandler. What do you think?
Comment From: jzheaux
It should be okay since the exceptions are translated in JwtReactiveAuthenticationManager. If NimbusReactiveJwtDecoder signals a JwtException, then it's transformed into an InvalidBearerTokenException. Otherwise, it's transformed into an AuthenticationServiceException.
To make further progress, I think a sample application would help me see the issue better. Are you able to provide one?
Comment From: spring-projects-issues
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
Comment From: spring-projects-issues
Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.
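
An added example, not part of the thread and not Spring Security's own code: a hypothetical wrapper, FailClosedAuthenticationManager, that turns the two cases discussed above (an empty result, and a non-authentication error such as the IllegalStateException from a failed key fetch) into an AuthenticationServiceException, so the AuthenticationFailureHandler processes them. The class name, messages and sample token are assumptions.

```java
import java.util.List;

import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import reactor.core.publisher.Mono;

// Hypothetical wrapper (not a Spring Security class). Wrap only the outermost
// manager: inside a delegating chain, an empty result can legitimately mean
// "this manager does not handle this token type".
public final class FailClosedAuthenticationManager implements ReactiveAuthenticationManager {

    private final ReactiveAuthenticationManager delegate;

    public FailClosedAuthenticationManager(ReactiveAuthenticationManager delegate) {
        this.delegate = delegate;
    }

    @Override
    public Mono<Authentication> authenticate(Authentication authentication) {
        return this.delegate.authenticate(authentication)
            // An empty Mono would otherwise surface as IllegalStateException in the filter.
            .switchIfEmpty(Mono.defer(() -> Mono.error(
                new AuthenticationServiceException("Authentication manager returned no result"))))
            // Keep AuthenticationExceptions as they are; wrap everything else, preserving the cause.
            .onErrorMap(ex -> !(ex instanceof AuthenticationException),
                ex -> new AuthenticationServiceException("Authentication service failure", ex));
    }

    public static void main(String[] args) {
        // Constructed sample token and delegates that reproduce the two failure modes.
        Authentication token = new TestingAuthenticationToken("constructed-user", "constructed-credentials");
        ReactiveAuthenticationManager empty = auth -> Mono.empty();
        ReactiveAuthenticationManager broken =
            auth -> Mono.error(new IllegalStateException("Could not obtain the keys"));
        for (ReactiveAuthenticationManager failing : List.of(empty, broken)) {
            String outcome = new FailClosedAuthenticationManager(failing).authenticate(token)
                .map(a -> "authenticated")
                .onErrorResume(AuthenticationException.class,
                    ex -> Mono.just(ex.getClass().getSimpleName() + ": " + ex.getMessage()))
                .block();
            System.out.println(outcome);
        }
    }
}
```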