I inherited an app that uses OAuth login via Spring Boot & Spring Security, and when I try to login with valid credentials, I get the following exception:
org.springframework.security.oauth2.core.OAuth2AuthenticationException: [invalid_user_info_response]
at org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService.loadUser(OidcUserService.java:127)
at org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService.loadUser(OidcUserService.java:66)
at org.springframework.security.oauth2.client.oidc.authentication.OidcAuthorizationCodeAuthenticationProvider.authenticate(OidcAuthorizationCodeAuthenticationProvider.java:156)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:182)
at org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter.attemptAuthentication(OAuth2LoginAuthenticationFilter.java:195)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:227)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:217)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:346)
...
The exception is thrown by this line, specifically when the following condition is met:
if (!userInfo.getSubject().equals(userRequest.getIdToken().getSubject()))
When debugging, I noticed that userInfo.getSubject() is returning "CORPO\MyUsername", where "MyUsername" is the user name I used to login, and userRequest.getIdToken().getSubject() is returning an 8 digit number, such as "12345678", which are not equal and hence the exception is thrown.
But I have also noticed that userInfo has a claim with name ssouid whose value is the exact same 8 digit number ("12345678" in our example).
Is this perhaps some configuration issue, or incompatibility of the OAuth server with my app?
My app uses Spring Boot 2.7.9 with spring-security-oauth2-client 5.7.7
EDIT: I've found out that the currently deployed version uses Spring Boot 2.4.4 and it works, so the error must've been caused by upgrading to 2.7.9
TL;DR: As a hotfix, downgrading spring-security-oauth2-client to version 5.7.5 helped, but that's not a definitive solution.
Explanation:
I was debugging to see difference between the old working version of spring-security-oauth2-client (5.4.4) and the new version(5.7.7).
The difference was, that method OidcUserService.shouldRetrieveUserInfo(...) in the old version returned false, which meant that the code which throws the exception didn't get executed.
The new version of the method returns true because of this line, which checks if the access token scopes are empty. The check was added in this commit, which is a part of version 5.7.6. That's why downgrading to version 5.7.5 solved my issue.
Also worth of noting is the fact that in the older version, the scopes were not empty like in the newer version. This is because of another commit, which changed the implementation of DefaultAuthorizationCodeTokenResponseClient. This commit was a part of version 5.7.4.
So my problem was caused by the combination of the two aforementioned commits. I'm still not sure whether this is a bug in Spring Security, or a configuration issue with the OAuth2 server which I'm connecting to.