Fix Jackson 2 deserializer for AuthenticationExtensionsClientOutputs

The deserializer is updated to properly ignore unknown extensions. Closes gh-18643 Signed-off-by: Ziqin Wang <ziqin@wangziqin.net>
2026-05-22 21:33:16 +00:00 · 2026-03-15 12:33:28 +08:00
parent a7039fb3e6
commit e726c05e76
1 changed files with 5 additions and 6 deletions
@@ -56,11 +56,8 @@ class AuthenticationExtensionsClientOutputsDeserializer extends StdDeserializer<
 			throws IOException, JacksonException {
 		List<AuthenticationExtensionsClientOutput<?>> outputs = new ArrayList<>();
 		for (String key = parser.nextFieldName(); key != null; key = parser.nextFieldName()) {
-			JsonToken startObject = parser.nextValue();
-			if (startObject != JsonToken.START_OBJECT) {
-				break;
-			}
-			if (CredentialPropertiesOutput.EXTENSION_ID.equals(key)) {
+			JsonToken next = parser.nextToken();
+			if (next == JsonToken.START_OBJECT && CredentialPropertiesOutput.EXTENSION_ID.equals(key)) {
 				CredentialPropertiesOutput output = parser.readValueAs(CredentialPropertiesOutput.class);
 				outputs.add(output);
 			}
@@ -68,7 +65,9 @@ class AuthenticationExtensionsClientOutputsDeserializer extends StdDeserializer<
 				if (logger.isDebugEnabled()) {
 					logger.debug("Skipping unknown extension with id " + key);
 				}
-				parser.nextValue();
+				if (next.isStructStart()) {
+					parser.skipChildren();
+				}
 			}
 		}