Skip to content

Accept JSON on OAuth JWK endpoint#117

Open
unity-idm-agent wants to merge 2 commits into
unity-idm:devfrom
unity-idm-agent:fix/oauth-jwk-accept-json
Open

Accept JSON on OAuth JWK endpoint#117
unity-idm-agent wants to merge 2 commits into
unity-idm:devfrom
unity-idm-agent:fix/oauth-jwk-accept-json

Conversation

@unity-idm-agent

@unity-idm-agent unity-idm-agent commented Jul 14, 2026

Copy link
Copy Markdown

Summary

Accept application/json on the OAuth JWK endpoint in addition to the standard application/jwk-set+json media type.

Root cause

KeysResource declared only application/jwk-set+json. CXF correctly rejected Accept: application/json with HTTP 406, but Unity's OAuth exception mapper converted that into a generic HTTP 400 server_error response.

Fix

Declare application/json as an additional produced representation while retaining the JWK-set media type for clients that request it.

Tests

  • Added a regression assertion for the JWK resource's declared media types.
  • RED: mvn -pl oauth -am -Dtest=DiscoveryResourceTest -Dsurefire.failIfNoSpecifiedTests=false -Dmaven.gitcommitid.skip=true test -Dgpg.skip=true failed because application/json was absent.
  • GREEN: the same command passed (3 tests).
  • mvn -pl oauth test -Dmaven.gitcommitid.skip=true -Dgpg.skip=true passed (243 tests, 0 failures, 0 errors, 1 skipped).
  • mvn -T 1C -pl integration-tests -am install -DskipTests -Dmaven.gitcommitid.skip=true -Dgpg.skip=true passed.
  • Manual local TstServer verification: /oauth2/jwk with Accept: application/json now returns 200 with Content-Type: application/json; Accept: application/jwk-set+json remains 200 with Content-Type: application/jwk-set+json;charset=UTF-8.
  • git diff --check passed.
  • coderabbit review --base upstream/dev --type committed --agent completed with 0 findings.

Full repository test suite was not run.

Summary by CodeRabbit

  • Bug Fixes

    • JWK endpoint responses now advertise support for both the JWK Set MIME type and application/json.
    • OAuth exception handling now preserves the original HTTP status code for client error responses.
  • Tests

    • Added/extended coverage to verify JWK response @Produces metadata includes both supported formats.
    • Added a test to confirm client error responses are preserved as-is.

@coderabbitai

coderabbitai Bot commented Jul 14, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: cf0e44d8-66fe-45b6-94fe-0c81544989e2

📥 Commits

Reviewing files that changed from the base of the PR and between 3156f18 and 7785af0.

📒 Files selected for processing (2)
  • oauth/src/main/java/pl/edu/icm/unity/oauth/as/token/exception/EngineExceptionMapper.java
  • oauth/src/test/java/pl/edu/icm/unity/oauth/as/token/exception/EngineExceptionMapperTest.java

📝 Walkthrough

Walkthrough

The JWK endpoint now advertises JOSE JWK set and JSON media types. The exception mapper preserves responses from ClientErrorException, with tests covering both changes.

Changes

OAuth response handling

Layer / File(s) Summary
JWK response media types
oauth/src/main/java/pl/edu/icm/unity/oauth/as/token/KeysResource.java, oauth/src/test/java/pl/edu/icm/unity/oauth/as/DiscoveryResourceTest.java
KeysResource.getKeys declares JOSE JWK set and JSON response types, while DiscoveryResourceTest verifies both annotation values.
Client error response preservation
oauth/src/main/java/pl/edu/icm/unity/oauth/as/token/exception/EngineExceptionMapper.java, oauth/src/test/java/pl/edu/icm/unity/oauth/as/token/exception/EngineExceptionMapperTest.java
EngineExceptionMapper returns the embedded response for ClientErrorException, and the test verifies its HTTP status is preserved.

Estimated code review effort: 2 (Simple) | ~10 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main change: enabling JSON on the OAuth JWK endpoint.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@golbi

golbi commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

I think the proposed change is good, but it is missing a fix for one important aspect: error returned in case when requested mime type is unsupported should be 406. Also adding a test with really wrong mime type (and verifying an error) could be beneficial.

@unity-idm-agent

Copy link
Copy Markdown
Author

Thanks, this was actionable.

I added a follow-up that preserves ClientErrorException responses in the OAuth exception mapper. Therefore an unsupported Accept value is no longer converted to the generic OAuth 400 server_error; it is returned as 406 Not Acceptable.

Regression coverage was added for the mapper. I also verified the running TstServer endpoint:

  • Accept: application/json200 OK
  • Accept: application/xml406 Not Acceptable

Validation:

  • targeted RED/GREEN test: EngineExceptionMapperTest
  • OAuth module suite: 244 tests, 0 failures/errors, 1 skipped
  • integration-test distribution build with tests skipped
  • git diff --check
  • CodeRabbit local review: 0 findings

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants