
Remove notEmpty check for authorities in DefaultOAuth2User #9366

@mayur9991


Describe the bug
Currently, the DefaultOAuth2User constructor has a check to make sure that the authorities parameter is not empty.

```java
public DefaultOAuth2User(Collection<? extends GrantedAuthority> authorities, Map<String, Object> attributes, String nameAttributeKey) {
	Assert.notEmpty(authorities, "authorities cannot be empty");
	Assert.notEmpty(attributes, "attributes cannot be empty");
	Assert.hasText(nameAttributeKey, "nameAttributeKey cannot be empty");
	if (!attributes.containsKey(nameAttributeKey)) {
		throw new IllegalArgumentException("Missing attribute '" + nameAttributeKey + "' in attributes");
	}
	this.authorities = Collections.unmodifiableSet(new LinkedHashSet<>(this.sortAuthorities(authorities)));
	this.attributes = Collections.unmodifiableMap(new LinkedHashMap<>(attributes));
	this.nameAttributeKey = nameAttributeKey;
}
```

This causes a problem when you have a custom authorities extractor and the authorities list is empty for a particular user.

```
java.lang.IllegalArgumentException: authorities cannot be empty
	at org.springframework.util.Assert.notEmpty(Assert.java:467)
	at org.springframework.security.oauth2.core.user.DefaultOAuth2User.<init>(DefaultOAuth2User.java:63)
	at org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser.<init>(DefaultOidcUser.java:89)
	at com.xebialabs.platform.sso.oidc.service.XLOidcUserService.loadUser(XLOidcUserService.java:33)
	at com.xebialabs.xlrelease.auth.oidc.service.XlrOidcUserService.loadUser(XlrOidcUserService.java:28)
	at com.xebialabs.xlrelease.auth.oidc.service.XlrOidcUserService.loadUser(XlrOidcUserService.java:16)
	at org.springframework.security.oauth2.client.oidc.authentication.OidcAuthorizationCodeAuthenticationProvider.authenticate(OidcAuthorizationCodeAuthenticationProvider.java:174)
	at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:199)
```

Expected behavior
The implementation should be more in line with other parts of spring-security, for example DefaultOAuth2AuthenticatedPrincipal or AbstractAuthenticationToken, which allow an empty list.

DefaultOAuth2AuthenticatedPrincipal

```java
public DefaultOAuth2AuthenticatedPrincipal(String name, Map<String, Object> attributes,
		Collection<GrantedAuthority> authorities) {

	Assert.notEmpty(attributes, "attributes cannot be empty");
	this.attributes = Collections.unmodifiableMap(attributes);
	this.authorities = authorities == null ?
			NO_AUTHORITIES : Collections.unmodifiableCollection(authorities);
	this.name = name == null ? (String) this.attributes.get("sub") : name;
}
```

AbstractAuthenticationToken

```java
public AbstractAuthenticationToken(Collection<? extends GrantedAuthority> authorities) {
	if (authorities == null) {
		this.authorities = AuthorityUtils.NO_AUTHORITIES;
		return;
	}

	for (GrantedAuthority a : authorities) {
		if (a == null) {
			throw new IllegalArgumentException(
					"Authorities collection cannot contain any null elements");
		}
	}
	ArrayList<GrantedAuthority> temp = new ArrayList<>(
			authorities.size());
	temp.addAll(authorities);
	this.authorities = Collections.unmodifiableList(temp);
}
```
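The failure path in the stack trace above is a custom user service building a DefaultOidcUser from an empty authorities collection. As an added example that is not part of the issue or of Spring Security, the hypothetical service below maps a "groups" claim (an assumed claim name) to authorities and handles the empty case explicitly, so the constructor's IllegalArgumentException never reaches OidcAuthorizationCodeAuthenticationProvider:

```java
import java.util.Collection;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;

// Hypothetical service (not the reporter's XLOidcUserService): maps a "groups"
// claim to authorities and decides the empty case itself, because DefaultOidcUser
// delegates to DefaultOAuth2User, which throws the IllegalArgumentException above.
public class GroupClaimOidcUserService extends OidcUserService {
    private static final String GROUPS_CLAIM = "groups"; // assumed claim name
    private static final String ROLE_PREFIX = "ROLE_";

    @Override
    public OidcUser loadUser(OidcUserRequest userRequest) throws OAuth2AuthenticationException {
        OidcUser oidcUser = super.loadUser(userRequest);
        Set<GrantedAuthority> authorities = extractAuthorities(oidcUser.getClaims());
        if (authorities.isEmpty()) {
            // Report the condition as an OAuth2 authentication failure, which the login
            // flow handles cleanly, instead of an unchecked exception from the constructor.
            OAuth2Error error = new OAuth2Error("no_authorities",
                    "No group claim mapped to an authority for this user", null);
            throw new OAuth2AuthenticationException(error, error.toString());
        }
        return new DefaultOidcUser(authorities, oidcUser.getIdToken(), oidcUser.getUserInfo());
    }

    // Accepts only non-empty string entries so a malformed claim cannot yield a blank authority.
    static Set<GrantedAuthority> extractAuthorities(Map<String, Object> claims) {
        Set<GrantedAuthority> authorities = new LinkedHashSet<>();
        Object groups = claims.get(GROUPS_CLAIM);
        if (groups instanceof Collection) {
            for (Object group : (Collection<?>) groups) {
                if (group instanceof String && !((String) group).isEmpty()) {
                    authorities.add(new SimpleGrantedAuthority(ROLE_PREFIX + group));
                }
            }
        }
        return authorities;
    }
}
```

Granting a least-privilege placeholder role instead of rejecting the login is the other reasonable choice when the application defines such a role.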

Labels: in: oauth2 (An issue in OAuth2 modules: oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose); status: backported (An issue that has been backported to maintenance branches); type: bug (A general bug)