Fixes #328

oharsta · oharsta · commit b58d5bdb791c · 2026-02-19T15:03:22.000+01:00
diff --git a/oidc/src/main/java/oidc/endpoints/UserInfoEndpoint.java b/oidc/src/main/java/oidc/endpoints/UserInfoEndpoint.java
@@ -56,8 +56,14 @@ private ResponseEntity<Map<String, Object>> userInfo(HttpServletRequest request)
         String accessTokenValue = userInfoRequest.getAccessToken().getValue();
 
         MDCContext.mdcContext("action", "Userinfo", "accessTokenValue", accessTokenValue);
+        Optional<SignedJWT> optionalSignedJWT;
+        try  {
+            optionalSignedJWT = tokenGenerator.parseAndValidateSignedJWT(accessTokenValue);
+        } catch (IllegalArgumentException e) {
+            //Thrown when the signing key has been deleted, which only happens when all access_tokens with that key are gone
+            return errorResponse("Access Token not found");
+        }
 
-        Optional<SignedJWT> optionalSignedJWT = tokenGenerator.parseAndValidateSignedJWT(accessTokenValue);
         if (!optionalSignedJWT.isPresent()) {
             return errorResponse("Access Token not found");
         }
diff --git a/oidc/src/test/java/oidc/AbstractIntegrationTest.java b/oidc/src/test/java/oidc/AbstractIntegrationTest.java
@@ -28,6 +28,7 @@
 import oidc.endpoints.MapTypeReference;
 import oidc.model.*;
 import oidc.repository.SequenceRepository;
+import oidc.repository.SigningKeyRepository;
 import oidc.secure.TokenGenerator;
 import org.junit.Before;
 import org.junit.runner.RunWith;
@@ -99,6 +100,9 @@ public abstract class AbstractIntegrationTest implements TestUtils, MapTypeRefer
     @Autowired
     protected SequenceRepository sequenceRepository;
 
+    @Autowired
+    protected SigningKeyRepository signingKeyRepository;
+
     private List<OpenIDClient> openIDClients;
 
     @Before
diff --git a/oidc/src/test/java/oidc/endpoints/UserInfoEndpointTest.java b/oidc/src/test/java/oidc/endpoints/UserInfoEndpointTest.java
@@ -10,6 +10,7 @@
 import oidc.web.CustomErrorController;
 import org.junit.Test;
 import org.slf4j.LoggerFactory;
+import org.springframework.http.HttpStatus;
 
 import java.io.IOException;
 import java.text.ParseException;
@@ -32,6 +33,22 @@ public void postUserInfo() throws IOException {
         userInfo("POST");
     }
 
+    @Test
+    public void signingKeyNotFound() throws IOException {
+        String accessToken = getAccessToken();
+
+        signingKeyRepository.deleteAll();
+        sequenceRepository.updateSigningKeyId("test");
+
+        given()
+            .when()
+            .header("Content-type", "application/x-www-form-urlencoded")
+            .queryParams("access_token", accessToken)
+            .get("oidc/userinfo")
+            .then()
+            .statusCode(HttpStatus.UNAUTHORIZED.value());
+    }
+
     @Test
     public void userInfoExpired() throws IOException, ParseException {
         String token = getAccessToken();
@@ -132,4 +149,4 @@ private void assertResponse(Response response) {
         assertTrue(result.containsKey("sub"));
         assertTrue(result.containsKey("acr"));
     }
-}
+}
