Merge Fix Jackson Deserializer for AuthenticationExtensionsClientOutputs

rwinch · web-flow · commit d174b10f2af0 · 2026-03-16T12:07:49.000-04:00
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticationExtensionsClientOutputsDeserializer.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticationExtensionsClientOutputsDeserializer.java
@@ -55,19 +55,18 @@ public AuthenticationExtensionsClientOutputs deserialize(JsonParser parser, Dese
 			throws JacksonException {
 		List<AuthenticationExtensionsClientOutput<?>> outputs = new ArrayList<>();
 		for (String key = parser.nextName(); key != null; key = parser.nextName()) {
-			JsonToken startObject = parser.nextValue();
-			if (startObject != JsonToken.START_OBJECT) {
-				break;
-			}
-			if (CredentialPropertiesOutput.EXTENSION_ID.equals(key)) {
+			JsonToken next = parser.nextToken();
+			if (next == JsonToken.START_OBJECT && CredentialPropertiesOutput.EXTENSION_ID.equals(key)) {
 				CredentialPropertiesOutput output = parser.readValueAs(CredentialPropertiesOutput.class);
 				outputs.add(output);
 			}
 			else {
 				if (logger.isDebugEnabled()) {
 					logger.debug("Skipping unknown extension with id " + key);
 				}
-				parser.nextValue();
+				if (next.isStructStart()) {
+					parser.skipChildren();
+				}
 			}
 		}
 
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticationExtensionsClientOutputsJackson2Deserializer.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticationExtensionsClientOutputsJackson2Deserializer.java
@@ -62,19 +62,18 @@ public AuthenticationExtensionsClientOutputs deserialize(JsonParser parser, Dese
 			throws IOException, JacksonException {
 		List<AuthenticationExtensionsClientOutput<?>> outputs = new ArrayList<>();
 		for (String key = parser.nextFieldName(); key != null; key = parser.nextFieldName()) {
-			JsonToken startObject = parser.nextValue();
-			if (startObject != JsonToken.START_OBJECT) {
-				break;
-			}
-			if (CredentialPropertiesOutput.EXTENSION_ID.equals(key)) {
+			JsonToken next = parser.nextToken();
+			if (next == JsonToken.START_OBJECT && CredentialPropertiesOutput.EXTENSION_ID.equals(key)) {
 				CredentialPropertiesOutput output = parser.readValueAs(CredentialPropertiesOutput.class);
 				outputs.add(output);
 			}
 			else {
 				if (logger.isDebugEnabled()) {
 					logger.debug("Skipping unknown extension with id " + key);
 				}
-				parser.nextValue();
+				if (next.isStructStart()) {
+					parser.skipChildren();
+				}
 			}
 		}
 
diff --git a/webauthn/src/test/java/org/springframework/security/web/webauthn/jackson/Jackson2Tests.java b/webauthn/src/test/java/org/springframework/security/web/webauthn/jackson/Jackson2Tests.java
@@ -123,6 +123,47 @@ void readCredPropsWhenAuthenticatorDisplayName() throws Exception {
 		assertThat(outputs).usingRecursiveComparison().isEqualTo(credProps);
 	}
 
+	@Test
+	void readAuthenticationExtensionsClientOutputsWhenAppId() throws Exception {
+		String json = """
+				{
+				  "appid": false,
+				  "credProps": {
+				    "rk": false
+				  }
+				}
+				""";
+		CredentialPropertiesOutput credProps = new CredentialPropertiesOutput(false);
+
+		AuthenticationExtensionsClientOutputs outputs = this.mapper.readValue(json,
+				AuthenticationExtensionsClientOutputs.class);
+		assertThat(outputs.getOutputs()).usingRecursiveFieldByFieldElementComparator().contains(credProps);
+	}
+
+	@Test
+	void readAuthenticationExtensionsClientOutputsWhenUnknownExtension() throws Exception {
+		String json = """
+				{
+				  "unknownObject1": {
+				    "key": "value"
+				  },
+				  "unknownArray": [
+				    { "key": "value1" },
+				    { "key": "value2" }
+				  ],
+				  "credProps": {
+				    "rk": false
+				  },
+				  "unknownObject2": {}
+				}
+				""";
+		CredentialPropertiesOutput credProps = new CredentialPropertiesOutput(false);
+
+		AuthenticationExtensionsClientOutputs outputs = this.mapper.readValue(json,
+				AuthenticationExtensionsClientOutputs.class);
+		assertThat(outputs.getOutputs()).usingRecursiveFieldByFieldElementComparator().contains(credProps);
+	}
+
 	@Test
 	void readAuthenticationExtensionsClientOutputsWhenFieldAfter() throws Exception {
 		String json = """
diff --git a/webauthn/src/test/java/org/springframework/security/web/webauthn/jackson/JacksonTests.java b/webauthn/src/test/java/org/springframework/security/web/webauthn/jackson/JacksonTests.java
@@ -121,6 +121,47 @@ void readCredPropsWhenAuthenticatorDisplayName() throws Exception {
 		assertThat(outputs).usingRecursiveComparison().isEqualTo(credProps);
 	}
 
+	@Test
+	void readAuthenticationExtensionsClientOutputsWhenAppId() {
+		String json = """
+				{
+				  "appid": false,
+				  "credProps": {
+				    "rk": false
+				  }
+				}
+				""";
+		CredentialPropertiesOutput credProps = new CredentialPropertiesOutput(false);
+
+		AuthenticationExtensionsClientOutputs outputs = this.mapper.readValue(json,
+				AuthenticationExtensionsClientOutputs.class);
+		assertThat(outputs.getOutputs()).usingRecursiveFieldByFieldElementComparator().contains(credProps);
+	}
+
+	@Test
+	void readAuthenticationExtensionsClientOutputsWhenUnknownExtension() {
+		String json = """
+				{
+				  "unknownObject1": {
+				    "key": "value"
+				  },
+				  "unknownArray": [
+				    { "key": "value1" },
+				    { "key": "value2" }
+				  ],
+				  "credProps": {
+				    "rk": false
+				  },
+				  "unknownObject2": {}
+				}
+				""";
+		CredentialPropertiesOutput credProps = new CredentialPropertiesOutput(false);
+
+		AuthenticationExtensionsClientOutputs outputs = this.mapper.readValue(json,
+				AuthenticationExtensionsClientOutputs.class);
+		assertThat(outputs.getOutputs()).usingRecursiveFieldByFieldElementComparator().contains(credProps);
+	}
+
 	@Test
 	void readAuthenticationExtensionsClientOutputsWhenFieldAfter() throws Exception {
 		String json = """

Original file line number	Diff line number	Diff line change
`@@ -55,19 +55,18 @@ public AuthenticationExtensionsClientOutputs deserialize(JsonParser parser, Dese`
`55`	`55`	`throws JacksonException {`
`56`	`56`	`List<AuthenticationExtensionsClientOutput<?>> outputs = new ArrayList<>();`
`57`	`57`	`for (String key = parser.nextName(); key != null; key = parser.nextName()) {`
`58`		`- JsonToken startObject = parser.nextValue();`
`59`		`- if (startObject != JsonToken.START_OBJECT) {`
`60`		`- break;`
`61`		`- }`
`62`		`- if (CredentialPropertiesOutput.EXTENSION_ID.equals(key)) {`
	`58`	`+ JsonToken next = parser.nextToken();`
	`59`	`+ if (next == JsonToken.START_OBJECT && CredentialPropertiesOutput.EXTENSION_ID.equals(key)) {`
`63`	`60`	`CredentialPropertiesOutput output = parser.readValueAs(CredentialPropertiesOutput.class);`
`64`	`61`	`outputs.add(output);`
`65`	`62`	`}`
`66`	`63`	`else {`
`67`	`64`	`if (logger.isDebugEnabled()) {`
`68`	`65`	`logger.debug("Skipping unknown extension with id " + key);`
`69`	`66`	`}`
`70`		`- parser.nextValue();`
	`67`	`+ if (next.isStructStart()) {`
	`68`	`+ parser.skipChildren();`
	`69`	`+ }`
`71`	`70`	`}`
`72`	`71`	`}`
`73`	`72`
Original file line number	Diff line number	Diff line change
`@@ -62,19 +62,18 @@ public AuthenticationExtensionsClientOutputs deserialize(JsonParser parser, Dese`
`62`	`62`	`throws IOException, JacksonException {`
`63`	`63`	`List<AuthenticationExtensionsClientOutput<?>> outputs = new ArrayList<>();`
`64`	`64`	`for (String key = parser.nextFieldName(); key != null; key = parser.nextFieldName()) {`
`65`		`- JsonToken startObject = parser.nextValue();`
`66`		`- if (startObject != JsonToken.START_OBJECT) {`
`67`		`- break;`
`68`		`- }`
`69`		`- if (CredentialPropertiesOutput.EXTENSION_ID.equals(key)) {`
	`65`	`+ JsonToken next = parser.nextToken();`
	`66`	`+ if (next == JsonToken.START_OBJECT && CredentialPropertiesOutput.EXTENSION_ID.equals(key)) {`
`70`	`67`	`CredentialPropertiesOutput output = parser.readValueAs(CredentialPropertiesOutput.class);`
`71`	`68`	`outputs.add(output);`
`72`	`69`	`}`
`73`	`70`	`else {`
`74`	`71`	`if (logger.isDebugEnabled()) {`
`75`	`72`	`logger.debug("Skipping unknown extension with id " + key);`
`76`	`73`	`}`
`77`		`- parser.nextValue();`
	`74`	`+ if (next.isStructStart()) {`
	`75`	`+ parser.skipChildren();`
	`76`	`+ }`
`78`	`77`	`}`
`79`	`78`	`}`
`80`	`79`