From 9b05afdee83fb1e14bd02476ac97844abc35a70a Mon Sep 17 00:00:00 2001
From: Steve Riesenberg <sriesenberg@vmware.com>
Date: Tue, 15 Jun 2021 15:03:51 -0500
Subject: [PATCH] Remove validation for unsupported grant types

Closes gh-9828
---
 .../registration/ClientRegistrations.java     |  8 -------
 .../ClientRegistrationsTests.java             | 24 +++++++++----------
 2 files changed, 11 insertions(+), 21 deletions(-)

diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistrations.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistrations.java
index 4262f34960..9c8822d658 100644
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistrations.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistrations.java
@@ -23,7 +23,6 @@ import java.util.List;
 import java.util.Map;
 import java.util.function.Supplier;
 
-import com.nimbusds.oauth2.sdk.GrantType;
 import com.nimbusds.oauth2.sdk.ParseException;
 import com.nimbusds.oauth2.sdk.as.AuthorizationServerMetadata;
 import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
@@ -242,13 +241,6 @@ public final class ClientRegistrations {
 		String name = URI.create(issuer).getHost();
 		ClientAuthenticationMethod method = getClientAuthenticationMethod(issuer,
 				metadata.getTokenEndpointAuthMethods());
-		List<GrantType> grantTypes = metadata.getGrantTypes();
-		// If null, the default includes authorization_code
-		if (grantTypes != null && !grantTypes.contains(GrantType.AUTHORIZATION_CODE)) {
-			throw new IllegalArgumentException(
-					"Only AuthorizationGrantType.AUTHORIZATION_CODE is supported. The issuer \"" + issuer
-							+ "\" returned a configuration of " + grantTypes);
-		}
 		Map<String, Object> configurationMetadata = new LinkedHashMap<>(metadata.toJSONObject());
 		// @formatter:off
 		return ClientRegistration.withRegistrationId(name)
diff --git a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/registration/ClientRegistrationsTests.java b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/registration/ClientRegistrationsTests.java
index 9a537e0fa8..b31d308ffa 100644
--- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/registration/ClientRegistrationsTests.java
+++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/registration/ClientRegistrationsTests.java
@@ -240,24 +240,22 @@ public class ClientRegistrationsTests {
 		assertThat(registration.getAuthorizationGrantType()).isEqualTo(AuthorizationGrantType.AUTHORIZATION_CODE);
 	}
 
-	/**
-	 * We currently only support authorization_code, so verify we have a meaningful error
-	 * until we add support.
-	 */
+	// gh-9828
 	@Test
-	public void issuerWhenGrantTypesSupportedInvalidThenException() {
+	public void issuerWhenImplicitGrantTypeThenSuccess() throws Exception {
 		this.response.put("grant_types_supported", Arrays.asList("implicit"));
-		assertThatIllegalArgumentException().isThrownBy(() -> registration(""))
-				.withMessageContaining("Only AuthorizationGrantType.AUTHORIZATION_CODE is supported. The issuer \""
-						+ this.issuer + "\" returned a configuration of [implicit]");
+		ClientRegistration registration = registration("").build();
+		// The authorization_code grant type is still the default
+		assertThat(registration.getAuthorizationGrantType()).isEqualTo(AuthorizationGrantType.AUTHORIZATION_CODE);
 	}
 
+	// gh-9828
 	@Test
-	public void issuerWhenOAuth2GrantTypesSupportedInvalidThenException() {
-		this.response.put("grant_types_supported", Arrays.asList("implicit"));
-		assertThatIllegalArgumentException().isThrownBy(() -> registrationOAuth2("", null))
-				.withMessageContaining("Only AuthorizationGrantType.AUTHORIZATION_CODE is supported. The issuer \""
-						+ this.issuer + "\" returned a configuration of [implicit]");
+	public void issuerWhenOAuth2JwtBearerGrantTypeThenSuccess() throws Exception {
+		this.response.put("grant_types_supported", Arrays.asList("urn:ietf:params:oauth:grant-type:jwt-bearer"));
+		ClientRegistration registration = registrationOAuth2("", null).build();
+		// The authorization_code grant type is still the default
+		assertThat(registration.getAuthorizationGrantType()).isEqualTo(AuthorizationGrantType.AUTHORIZATION_CODE);
 	}
 
 	@Test