OAuth2 ClientRegistrations NPE when UserInfo endpoint missing #8187
Assignees
Labels
in: oauth2
An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)
status: backported
An issue that has been backported to maintenance branches
type: bug
A general bug
Milestone
Comments
spring-projects-issues
added
the
status: waiting-for-triage
|
Thank you for reporting this @martinnemec3. This is indeed a bug. Would you be interested in submitting a PR for this fix? |
jgrandja
added
in: oauth2
martinnemec3
pushed a commit
to martinnemec3/spring-security
that referenced
this issue
Mar 26, 2020
jgrandja
removed
the
status: ideal-for-contribution
jgrandja
changed the title
spring-projects-issues
added
status: backported
jgrandja
pushed a commit
that referenced
this issue
Mar 27, 2020
jgrandja
pushed a commit
that referenced
this issue
Mar 27, 2020
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Summary
When using spring-security-oauth2-client to authenticate via an OIDC provider and using OIDC discovery protocol to autoconfigure client registrations there can happen a NPE during the application startup if the userinfo_endpoint is not present in the OIDC configuration response.
Actual Behavior
Doing a call of
ClientRegistrations.fromIssuerLocation(String)with an URI of OIDC provider that misses 'userinfo_endpoint' property in it's openid-configuration json causes the NPE on the following line (according to a stack trace from a Spring Boot app):https://github.com/spring-projects/spring-security/blob/5.2.2.RELEASE/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistrations.java#L151
The reason is that
metadata.getUserInfoEndpointURI()returns null.Expected Behavior
The ClientRegistrationBuilder is successfully returned from the
fromIssuerLocationmethod.Version
The text was updated successfully, but these errors were encountered: