Closed
Labels
- in: oauth2 (An issue in OAuth2 modules: oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)
- status: backported (An issue that has been backported to maintenance branches)
- type: bug (A general bug)
Description
Summary
When using spring-security-oauth2-client to authenticate via an OIDC provider and using the OIDC discovery protocol to autoconfigure client registrations, an NPE can occur during application startup if the userinfo_endpoint is not present in the OIDC configuration response.
Actual Behavior
Calling ClientRegistrations.fromIssuerLocation(String) with a URI of an OIDC provider that is missing the 'userinfo_endpoint' property in its openid-configuration JSON causes the NPE on the following line (according to a stack trace from a Spring Boot app):
The reason is that metadata.getUserInfoEndpointURI() returns null.
Expected Behavior
The ClientRegistrationBuilder is successfully returned from the fromIssuerLocation method.
Version
- affected versions seem to be 5.2.2 and 5.3.0
- there is no such issue in version 5.2.1
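The failure mode reported above, as an added example that is not Spring Security's code or its fix: a null-safe reading of an already-parsed discovery document, where userinfo_endpoint (only RECOMMENDED by OpenID Connect Discovery 1.0) is treated as optional while REQUIRED fields still fail fast. The class name, helper names and the sample metadata are assumptions constructed for illustration.

```java
import java.net.URI;
import java.util.List;
import java.util.Map;
import java.util.Optional;

public class DiscoveryMetadataCheck {

    // Fields that OpenID Connect Discovery 1.0 marks REQUIRED in provider metadata.
    static final List<String> REQUIRED = List.of(
            "issuer", "authorization_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported");

    // Reject a document lacking a REQUIRED field with a descriptive error
    // instead of letting a null surface later as an NPE.
    static void requireMandatoryFields(Map<String, Object> metadata) {
        for (String name : REQUIRED) {
            if (!metadata.containsKey(name)) {
                throw new IllegalArgumentException(
                        "Discovery document is missing required field: " + name);
            }
        }
    }

    // userinfo_endpoint may legitimately be absent, so model it as Optional
    // rather than dereferencing a possibly-null URI.
    static Optional<URI> userInfoEndpoint(Map<String, Object> metadata) {
        Object value = metadata.get("userinfo_endpoint");
        if (value instanceof String && !((String) value).isEmpty()) {
            return Optional.of(URI.create((String) value));
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed sample: a provider that publishes no userinfo_endpoint.
        Map<String, Object> metadata = Map.of(
                "issuer", "https://idp.example.test",
                "authorization_endpoint", "https://idp.example.test/authorize",
                "jwks_uri", "https://idp.example.test/jwks",
                "response_types_supported", List.of("code"),
                "subject_types_supported", List.of("public"),
                "id_token_signing_alg_values_supported", List.of("RS256"));

        requireMandatoryFields(metadata);
        // Unguarded, this would be a toASCIIString() call on a null URI.
        String userInfoUri = userInfoEndpoint(metadata).map(URI::toASCIIString).orElse(null);
        System.out.println("userinfo_endpoint: " + userInfoUri);
    }
}
```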