sjohnr
diff --git a/‎oauth2-authorization-server/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OidcConfigurer.java
+17-1 b/‎oauth2-authorization-server/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OidcConfigurer.java
+17-1
diff --git a/‎oauth2-authorization-server/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OidcUserInfoEndpointConfigurer.java
+118 b/‎oauth2-authorization-server/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OidcUserInfoEndpointConfigurer.java
+118
diff --git a/‎oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/core/oidc/http/converter/OidcUserInfoHttpMessageConverter.java
+171 b/‎oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/core/oidc/http/converter/OidcUserInfoHttpMessageConverter.java
+171
diff --git a/‎oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/ConfigurationSettingNames.java
+5 b/‎oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/ConfigurationSettingNames.java
+5
@@ -40,13 +40,15 @@
  */
 public final class OidcConfigurer extends AbstractOAuth2Configurer {
 	private OidcClientRegistrationEndpointConfigurer clientRegistrationEndpointConfigurer;
+	private final OidcUserInfoEndpointConfigurer userInfoEndpointConfigurer;
 	private RequestMatcher requestMatcher;
 
 	/**
 	 * Restrict for internal use only.
 	 */
 	OidcConfigurer(ObjectPostProcessor<Object> objectPostProcessor) {
 		super(objectPostProcessor);
+		this.userInfoEndpointConfigurer = new OidcUserInfoEndpointConfigurer(objectPostProcessor);
 	}
 
 	/**
@@ -63,11 +65,23 @@ public OidcConfigurer clientRegistrationEndpoint(Customizer<OidcClientRegistrati
 		return this;
 	}
 
+	/**
+	 * Configures the OAuth 2.0 Protected Resource UserInfo Endpoint.
+	 *
+	 * @param userInfoEndpointCustomizer the {@link Customizer} providing access to the {@link OidcUserInfoEndpointConfigurer}
+	 * @return the {@link OidcConfigurer} for further configuration
+	 */
+	public OidcConfigurer userInfoEndpoint(Customizer<OidcUserInfoEndpointConfigurer> userInfoEndpointCustomizer) {
+		userInfoEndpointCustomizer.customize(this.userInfoEndpointConfigurer);
+		return this;
+	}
+
 	@Override
 	<B extends HttpSecurityBuilder<B>> void init(B builder) {
 		if (this.clientRegistrationEndpointConfigurer != null) {
 			this.clientRegistrationEndpointConfigurer.init(builder);
 		}
+		this.userInfoEndpointConfigurer.init(builder);
 
 		List<RequestMatcher> requestMatchers = new ArrayList<>();
 		ProviderSettings providerSettings = OAuth2ConfigurerUtils.getProviderSettings(builder);
@@ -78,14 +92,16 @@ <B extends HttpSecurityBuilder<B>> void init(B builder) {
 		if (this.clientRegistrationEndpointConfigurer != null) {
 			requestMatchers.add(this.clientRegistrationEndpointConfigurer.getRequestMatcher());
 		}
-		this.requestMatcher = !requestMatchers.isEmpty() ? new OrRequestMatcher(requestMatchers) : request -> false;
+		requestMatchers.add(this.userInfoEndpointConfigurer.getRequestMatcher());
+		this.requestMatcher = requestMatchers.size() > 1 ? new OrRequestMatcher(requestMatchers) : requestMatchers.get(0);
 	}
 
 	@Override
 	<B extends HttpSecurityBuilder<B>> void configure(B builder) {
 		if (this.clientRegistrationEndpointConfigurer != null) {
 			this.clientRegistrationEndpointConfigurer.configure(builder);
 		}
+		this.userInfoEndpointConfigurer.configure(builder);
 
 		ProviderSettings providerSettings = OAuth2ConfigurerUtils.getProviderSettings(builder);
 		if (providerSettings.getIssuer() != null) {
 
@@ -0,0 +1,118 @@
+/*
+ * Copyright 2021 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.config.annotation.web.configurers.oauth2.server.authorization;
+
+import java.util.function.Function;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.springframework.http.HttpMethod;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.config.annotation.ObjectPostProcessor;
+import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.oauth2.core.oidc.OidcUserInfo;
+import org.springframework.security.oauth2.server.authorization.config.ProviderSettings;
+import org.springframework.security.oauth2.server.authorization.oidc.authentication.OidcUserInfoAuthenticationProvider;
+import org.springframework.security.oauth2.server.authorization.oidc.authentication.OidcUserInfoAuthenticationToken;
+import org.springframework.security.oauth2.server.authorization.oidc.web.OidcUserInfoEndpointFilter;
+import org.springframework.security.web.authentication.AuthenticationConverter;
+import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.security.web.util.matcher.OrRequestMatcher;
+import org.springframework.security.web.util.matcher.RequestMatcher;
+
+/**
+ * Configurer for OAuth 2.0 Protected Resource UserInfo Endpoint.
+ *
+ * @author Steve Riesenberg
+ * @since 0.2.1
+ * @see OidcConfigurer#userInfoEndpoint
+ * @see OidcUserInfoEndpointFilter
+ */
+public final class OidcUserInfoEndpointConfigurer extends AbstractOAuth2Configurer {
+	private RequestMatcher requestMatcher;
+	private AuthenticationConverter authenticationConverter;
+	private Function<Authentication, OidcUserInfo> userInfoMapper;
+
+	/**
+	 * Restrict for internal use only.
+	 */
+	OidcUserInfoEndpointConfigurer(ObjectPostProcessor<Object> objectPostProcessor) {
+		super(objectPostProcessor);
+	}
+
+	/**
+	 * Sets the {@link AuthenticationConverter} used when attempting to extract a bearer token from {@link HttpServletRequest}
+	 * to an instance of {@link OidcUserInfoAuthenticationToken} used for authenticating the request.
+	 *
+	 * @param authenticationConverter the {@link AuthenticationConverter} used when attempting to extract a bearer token from {@link HttpServletRequest}
+	 * @return the {@link OidcUserInfoEndpointConfigurer} for further configuration
+	 */
+	public OidcUserInfoEndpointConfigurer authenticationConverter(AuthenticationConverter authenticationConverter) {
+		this.authenticationConverter = authenticationConverter;
+		return this;
+	}
+
+	/**
+	 * Sets the {@link Function} used to extract claims from an {@link Authentication}
+	 * to an instance of {@link OidcUserInfo}.
+	 *
+	 * @param userInfoMapper the {@link Function} used to extract claims from an {@link Authentication} to an instance of {@link OidcUserInfo}
+	 * @return the {@link OidcUserInfoEndpointConfigurer} for further configuration
+	 */
+	public OidcUserInfoEndpointConfigurer userInfoMapper(Function<Authentication, OidcUserInfo> userInfoMapper) {
+		this.userInfoMapper = userInfoMapper;
+		return this;
+	}
+
+	@Override
+	<B extends HttpSecurityBuilder<B>> void init(B builder) {
+		ProviderSettings providerSettings = OAuth2ConfigurerUtils.getProviderSettings(builder);
+		String userInfoEndpointUri = providerSettings.getOidcUserInfoEndpoint();
+		this.requestMatcher = new OrRequestMatcher(
+				new AntPathRequestMatcher(userInfoEndpointUri, HttpMethod.GET.name()),
+				new AntPathRequestMatcher(userInfoEndpointUri, HttpMethod.POST.name()));
+
+		OidcUserInfoAuthenticationProvider oidcUserInfoAuthenticationProvider =
+				new OidcUserInfoAuthenticationProvider(
+						OAuth2ConfigurerUtils.getAuthorizationService(builder));
+		builder.authenticationProvider(postProcess(oidcUserInfoAuthenticationProvider));
+	}
+
+	@Override
+	<B extends HttpSecurityBuilder<B>> void configure(B builder) {
+		AuthenticationManager authenticationManager = builder.getSharedObject(AuthenticationManager.class);
+		ProviderSettings providerSettings = OAuth2ConfigurerUtils.getProviderSettings(builder);
+
+		OidcUserInfoEndpointFilter oidcUserInfoEndpointFilter =
+				new OidcUserInfoEndpointFilter(
+						authenticationManager,
+						providerSettings.getOidcUserInfoEndpoint());
+		if (this.authenticationConverter != null) {
+			oidcUserInfoEndpointFilter.setAuthenticationConverter(this.authenticationConverter);
+		}
+		if (this.userInfoMapper != null) {
+			oidcUserInfoEndpointFilter.setUserInfoMapper(this.userInfoMapper);
+		}
+		builder.addFilterAfter(postProcess(oidcUserInfoEndpointFilter), AbstractPreAuthenticatedProcessingFilter.class);
+	}
+
+	@Override
+	RequestMatcher getRequestMatcher() {
+		return this.requestMatcher;
+	}
+}
@@ -0,0 +1,171 @@
+/*
+ * Copyright 2021 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.oauth2.core.oidc.http.converter;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import org.springframework.core.ParameterizedTypeReference;
+import org.springframework.core.convert.TypeDescriptor;
+import org.springframework.core.convert.converter.Converter;
+import org.springframework.http.HttpInputMessage;
+import org.springframework.http.HttpOutputMessage;
+import org.springframework.http.MediaType;
+import org.springframework.http.converter.AbstractHttpMessageConverter;
+import org.springframework.http.converter.GenericHttpMessageConverter;
+import org.springframework.http.converter.HttpMessageConverter;
+import org.springframework.http.converter.HttpMessageNotReadableException;
+import org.springframework.http.converter.HttpMessageNotWritableException;
+import org.springframework.security.oauth2.core.converter.ClaimConversionService;
+import org.springframework.security.oauth2.core.converter.ClaimTypeConverter;
+import org.springframework.security.oauth2.core.oidc.OidcUserInfo;
+import org.springframework.security.oauth2.core.oidc.StandardClaimNames;
+import org.springframework.util.Assert;
+
+/**
+ * A {@link HttpMessageConverter} for an {@link OidcUserInfo OAuth 2.0 Protected Resource UserInfo Response}.
+ *
+ * @author Steve Riesenberg
+ * @since 0.2.1
+ * @see AbstractHttpMessageConverter
+ * @see OidcUserInfo
+ */
+public class OidcUserInfoHttpMessageConverter extends AbstractHttpMessageConverter<OidcUserInfo> {
+
+	private static final ParameterizedTypeReference<Map<String, Object>> STRING_OBJECT_MAP =
+			new ParameterizedTypeReference<Map<String, Object>>() {};
+
+	private final GenericHttpMessageConverter<Object> jsonMessageConverter =
+			HttpMessageConverters.getJsonMessageConverter();
+
+	private Converter<Map<String, Object>, OidcUserInfo> userInfoConverter = new OidcUserInfoConverter();
+	private Converter<OidcUserInfo, Map<String, Object>> userInfoParametersConverter = OidcUserInfo::getClaims;
+
+	public OidcUserInfoHttpMessageConverter() {
+		super(MediaType.APPLICATION_JSON, new MediaType("application", "*+json"));
+	}
+
+	@Override
+	protected boolean supports(Class<?> clazz) {
+		return OidcUserInfo.class.isAssignableFrom(clazz);
+	}
+
+	@Override
+	@SuppressWarnings("unchecked")
+	protected OidcUserInfo readInternal(Class<? extends OidcUserInfo> clazz, HttpInputMessage inputMessage)
+			throws HttpMessageNotReadableException {
+		try {
+			Map<String, Object> userInfoParameters =
+					(Map<String, Object>) this.jsonMessageConverter.read(STRING_OBJECT_MAP.getType(), null, inputMessage);
+			return this.userInfoConverter.convert(userInfoParameters);
+		} catch (Exception ex) {
+			throw new HttpMessageNotReadableException(
+					"An error occurred reading the UserInfo: " + ex.getMessage(), ex, inputMessage);
+		}
+	}
+
+	@Override
+	protected void writeInternal(OidcUserInfo oidcUserInfo, HttpOutputMessage outputMessage)
+			throws HttpMessageNotWritableException {
+		try {
+			Map<String, Object> userInfoResponseParameters =
+					this.userInfoParametersConverter.convert(oidcUserInfo);
+			this.jsonMessageConverter.write(
+					userInfoResponseParameters,
+					STRING_OBJECT_MAP.getType(),
+					MediaType.APPLICATION_JSON,
+					outputMessage
+			);
+		} catch (Exception ex) {
+			throw new HttpMessageNotWritableException(
+					"An error occurred writing the OAuth 2.0 Protected Resource UserInfo response: " + ex.getMessage(), ex);
+		}
+	}
+
+	/**
+	 * Sets the {@link Converter} used for converting the UserInfo parameters
+	 * to an {@link OidcUserInfo}.
+	 *
+	 * @param userInfoConverter the {@link Converter} used for converting to an
+	 * {@link OidcUserInfo}
+	 */
+	public final void setUserInfoConverter(Converter<Map<String, Object>, OidcUserInfo> userInfoConverter) {
+		Assert.notNull(userInfoConverter, "userInfoConverter cannot be null");
+		this.userInfoConverter = userInfoConverter;
+	}
+
+	/**
+	 * Sets the {@link Converter} used for converting the {@link OidcUserInfo} to a
+	 * {@code Map} representation of the UserInfo.
+	 *
+	 * @param userInfoParametersConverter the {@link Converter} used for converting to a
+	 * {@code Map} representation of the UserInfo
+	 */
+	public final void setUserInfoParametersConverter(
+			Converter<OidcUserInfo, Map<String, Object>> userInfoParametersConverter) {
+		Assert.notNull(userInfoParametersConverter, "oidcUserInfoParametersConverter cannot be null");
+		this.userInfoParametersConverter = userInfoParametersConverter;
+	}
+
+	private static final class OidcUserInfoConverter implements Converter<Map<String, Object>, OidcUserInfo> {
+		private static final ClaimConversionService CLAIM_CONVERSION_SERVICE = ClaimConversionService.getSharedInstance();
+		private static final TypeDescriptor OBJECT_TYPE_DESCRIPTOR = TypeDescriptor.valueOf(Object.class);
+		private static final TypeDescriptor BOOLEAN_TYPE_DESCRIPTOR = TypeDescriptor.valueOf(Boolean.class);
+		private static final TypeDescriptor STRING_TYPE_DESCRIPTOR = TypeDescriptor.valueOf(String.class);
+		private static final TypeDescriptor STRING_OBJECT_MAP_DESCRIPTOR = TypeDescriptor.map(Map.class, STRING_TYPE_DESCRIPTOR, OBJECT_TYPE_DESCRIPTOR);
+		private final ClaimTypeConverter claimTypeConverter;
+
+		private OidcUserInfoConverter() {
+			Converter<Object, ?> stringConverter = getConverter(STRING_TYPE_DESCRIPTOR);
+			Converter<Object, ?> booleanConverter = getConverter(BOOLEAN_TYPE_DESCRIPTOR);
+			Converter<Object, ?> mapConverter = getConverter(STRING_OBJECT_MAP_DESCRIPTOR);
+
+			Map<String, Converter<Object, ?>> claimConverters = new HashMap<>();
+			claimConverters.put(StandardClaimNames.SUB, stringConverter);
+			claimConverters.put(StandardClaimNames.NAME, stringConverter);
+			claimConverters.put(StandardClaimNames.GIVEN_NAME, stringConverter);
+			claimConverters.put(StandardClaimNames.FAMILY_NAME, stringConverter);
+			claimConverters.put(StandardClaimNames.MIDDLE_NAME, stringConverter);
+			claimConverters.put(StandardClaimNames.NICKNAME, stringConverter);
+			claimConverters.put(StandardClaimNames.PREFERRED_USERNAME, stringConverter);
+			claimConverters.put(StandardClaimNames.PROFILE, stringConverter);
+			claimConverters.put(StandardClaimNames.PICTURE, stringConverter);
+			claimConverters.put(StandardClaimNames.WEBSITE, stringConverter);
+			claimConverters.put(StandardClaimNames.EMAIL, stringConverter);
+			claimConverters.put(StandardClaimNames.EMAIL_VERIFIED, booleanConverter);
+			claimConverters.put(StandardClaimNames.GENDER, stringConverter);
+			claimConverters.put(StandardClaimNames.BIRTHDATE, stringConverter);
+			claimConverters.put(StandardClaimNames.ZONEINFO, stringConverter);
+			claimConverters.put(StandardClaimNames.LOCALE, stringConverter);
+			claimConverters.put(StandardClaimNames.PHONE_NUMBER, stringConverter);
+			claimConverters.put(StandardClaimNames.PHONE_NUMBER_VERIFIED, booleanConverter);
+			claimConverters.put(StandardClaimNames.ADDRESS, mapConverter);
+			claimConverters.put(StandardClaimNames.UPDATED_AT, stringConverter);
+
+			this.claimTypeConverter = new ClaimTypeConverter(claimConverters);
+		}
+
+		@Override
+		public OidcUserInfo convert(Map<String, Object> source) {
+			Map<String, Object> parsedClaims = this.claimTypeConverter.convert(source);
+			return new OidcUserInfo(parsedClaims);
+		}
+
+		private static Converter<Object, ?> getConverter(TypeDescriptor targetDescriptor) {
+			return (source) -> CLAIM_CONVERSION_SERVICE.convert(source, OBJECT_TYPE_DESCRIPTOR, targetDescriptor);
+		}
+	}
+}
@@ -94,6 +94,11 @@ public static final class Provider {
 		 */
 		public static final String OIDC_CLIENT_REGISTRATION_ENDPOINT = PROVIDER_SETTINGS_NAMESPACE.concat("oidc-client-registration-endpoint");
 
+		/**
+		 * Set the Provider's OAuth 2.0 Protected Resource UserInfo endpoint.
+		 */
+		public static final String OIDC_USER_INFO_ENDPOINT = PROVIDER_SETTINGS_NAMESPACE.concat("oidc-user-info-endpoint");
+
 		private Provider() {
 		}