Search code examples
javaspring-securityopenid-connect

Can't use Google Login in Spring Security

I'm trying to use Spring Security to enable Google Login to my application. I have the following configuration applied:


@Configuration
@EnableWebSecurity(debug=true)
public class SpringConfig {

    Logger logger = Logger.getLogger("MyLogger");

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http)  throws Exception {
        http
            .csrf(Customizer.withDefaults())
            .oauth2Login(Customizer.withDefaults())
            .authorizeHttpRequests(authorize -> authorize
                .anyRequest().authenticated()
            );

        SecurityFilterChain chain = http.build();
        return chain;
    }

    
    private ClientRegistration googleClientRegistration() {
        
        return ClientRegistration.withRegistrationId("google")
            .clientId("yyy")
            .clientSecret("xxx")
            .authorizationUri("https://accounts.google.com/o/oauth2/v2/auth")
            .issuerUri("https://accounts.google.com")
            .jwkSetUri("https://www.googleapis.com/oauth2/v3/certs")
            .redirectUri("http://localhost:8080/app/login/oauth2/code/google")
            .scope("openid", "email", "profile")
            .tokenUri("https://oauth2.googleapis.com/token")
            .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_POST)
            .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
            .build();
    }

    @Bean
    public ClientRegistrationRepository clientRegistrationRepository() {
        return new InMemoryClientRegistrationRepository(this.googleClientRegistration());
    }

I've double-checked all the values. For some reason that I couldn't find out, I'm keep getting this error after authenticating to google:

[invalid_token_response] An error occurred while attempting to retrieve the OAuth 2.0 Access Token Response: Error while extracting response for type [class org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse] and content type [application/json;charset=utf-8]

I've created a small python application that performs this OpenID Connect flow with simple requests, and it seems to be working just fine with these values exactly. What's wrong here?

Debugging

I've enabled javax.net.debug=all, I can see that the request to the access endpoint receives a valid reseponse, which include both the ID token and the Access token. The access token looks like this:

{
  "issued_to": "xxx.apps.googleusercontent.com",
  "audience": "xxx.apps.googleusercontent.com",
  "user_id": "xxx45",
  "scope": "https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile openid",
  "expires_in": 2864,
  "email": "[email protected]",
  "verified_email": true,
  "access_type": "online"
}

It seems that the error message implies that this access token cannot be translated to an object of OAuth2AccessTokenResponse or something similar.

Can someone help?

Solution

  • Posted an issue in Spring Security's GitHub, and apparently I had to add a dependency in jackson:

    implementation group: 'com.fasterxml.jackson.core', name: 'jackson-databind', version: '2.18.2'

    I couldn't see this documented anywhere..