From fde26e003a648a670be40c690a028970f0d1137b Mon Sep 17 00:00:00 2001
From: Steve Riesenberg
Date: Tue, 8 Nov 2022 12:24:25 -0600
Subject: [PATCH] Request user info when AS returns no scopes

Closes gh-12144
---
 .../client/oidc/userinfo/OidcUserService.java | 6 +++++
 .../oidc/userinfo/OidcUserServiceTests.java | 26 +++++++++++++++++--
 .../TestOAuth2AccessTokenResponses.java | 5 +++-
 3 files changed, 34 insertions(+), 3 deletions(-)

diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/userinfo/OidcUserService.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/userinfo/OidcUserService.java
index 31f181213a..0f543f69a7 100644
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/userinfo/OidcUserService.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/userinfo/OidcUserService.java
@@ -173,8 +173,14 @@ public class OidcUserService implements OAuth2UserService authorities = user.getAuthorities().iterator(); assertThat(authorities.next()).isInstanceOf(OidcUserAuthority.class); } + @Test + public void loadUserWhenTokenDoesNotContainScopesAndUserInfoUriThenUserInfoRequested() { + // @formatter:off + String userInfoResponse = "{\n" + + " \"sub\": \"subject1\",\n" + + " \"name\": \"first last\",\n" + + " \"given_name\": \"first\",\n" + + " \"family_name\": \"last\",\n" + + " \"preferred_username\": \"user1\",\n" + + " \"email\": \"user1@example.com\"\n" + + "}\n"; + // @formatter:on + this.server.enqueue(jsonResponse(userInfoResponse)); + String userInfoUri = this.server.url("/user").toString(); + ClientRegistration clientRegistration = this.clientRegistrationBuilder.userInfoUri(userInfoUri).build(); + OidcUserService userService = new OidcUserService(); + OidcUserRequest request = new OidcUserRequest(clientRegistration, TestOAuth2AccessTokens.noScopes(), + this.idToken); + OidcUser user = userService.loadUser(request); + assertThat(user.getUserInfo()).isNotNull(); + } + private MockResponse jsonResponse(String json) { // @formatter:off return new MockResponse() diff --git a/oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/endpoint/TestOAuth2AccessTokenResponses.java b/oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/endpoint/TestOAuth2AccessTokenResponses.java index f952ff4bd5..dbe4e533e6 100644 --- a/oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/endpoint/TestOAuth2AccessTokenResponses.java +++ b/oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/endpoint/TestOAuth2AccessTokenResponses.java 
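Review bot: The new test `loadUserWhenTokenDoesNotContainScopesAndUserInfoUriThenUserInfoRequested` asserts only that `user.getUserInfo()` is non-null, which does not prove the UserInfo endpoint was actually called as the test name claims; add `assertThat(this.server.getRequestCount()).isEqualTo(1);` after the `loadUser` call so the request to the mock server is pinned. Because the fix widens the conditions under which the access token is sent to the UserInfo endpoint, a companion test with `TestOAuth2AccessTokens.noScopes()` and no `userInfoUri` configured should assert the request count stays 0, so the token is never posted when no endpoint is registered. The enqueued response carries `"sub": "subject1"`; if `loadUser` enforces the OIDC Core 5.3.2 subject match against `this.idToken` (not visible in this chunk), a mismatched-`sub` variant of this test would cover that check on the new no-scope path. The OidcUserService hunk itself appears garbled in this chunk, so the production change is not reviewable here.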
@@ -16,10 +16,12 @@ package org.springframework.security.oauth2.core.endpoint; +import java.util.Collections; import java.util.HashMap; import java.util.Map; import org.springframework.security.oauth2.core.OAuth2AccessToken; +import org.springframework.security.oauth2.core.oidc.OidcScopes; import org.springframework.security.oauth2.core.oidc.endpoint.OidcParameterNames; /** @@ -42,7 +44,8 @@ public final class TestOAuth2AccessTokenResponses { public static OAuth2AccessTokenResponse.Builder oidcAccessTokenResponse() { Map additionalParameters = new HashMap<>(); additionalParameters.put(OidcParameterNames.ID_TOKEN, "id-token"); - return accessTokenResponse().additionalParameters(additionalParameters); + return accessTokenResponse().scopes(Collections.singleton(OidcScopes.OPENID)) + .additionalParameters(additionalParameters); } }
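Review bot: `oidcAccessTokenResponse()` now silently includes the `openid` scope, so every existing test built on this helper exercises the scoped UserInfo path and none of them exercise the no-scope path this commit is about; a Javadoc line on the method makes that visible: `/** Returns a builder whose token carries the {@code openid} scope; use {@code TestOAuth2AccessTokens.noScopes()} to model an AS that omits scopes. */`. The `Map additionalParameters` declaration reads as a raw type here, most likely `Map<String, Object>` lost in extraction rather than a change made by this commit. The enclosing class continues outside the hunk.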