Some OAuth providers do not comply with specs #5657

Closed
gburboz opened this issue Aug 10, 2018 · 5 comments
Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)

gburboz commented Aug 10, 2018

Summary

Accommodate popular social platforms that do not comply with the OAuth 2.0 specs so that Spring Security OAuth is still usable with those providers. There should be a feature available for some of the checks to be explicitly relaxed in the provider configuration.

In the cases below, the ability to explicitly configure a default value when one is missing can help resolve the issue if the client development team chooses to do so.

Error with LinkedIn due to missing token_type field in token response

Caused by: com.nimbusds.oauth2.sdk.ParseException: Missing JSON object member with key "token_type"
	at com.nimbusds.oauth2.sdk.util.JSONObjectUtils.getGeneric(JSONObjectUtils.java:127)
	at com.nimbusds.oauth2.sdk.util.JSONObjectUtils.getString(JSONObjectUtils.java:263)
	at com.nimbusds.oauth2.sdk.token.BearerAccessToken.parse(BearerAccessToken.java:187)
	...
	at com.nimbusds.oauth2.sdk.TokenResponse.parse(TokenResponse.java:95)
	at org.springframework.security.oauth2.client.endpoint.NimbusAuthorizationCodeTokenResponseClient.getTokenResponse(NimbusAuthorizationCodeTokenResponseClient.java:101)
	...

Error with StackExchange/StackOverflow due to missing Content-Type header in token response

Caused by: com.nimbusds.oauth2.sdk.ParseException: The HTTP Content-Type header must be application/json; charset=UTF-8
	at com.nimbusds.oauth2.sdk.util.ContentTypeUtils.ensureContentType(ContentTypeUtils.java:52)
	...
	at com.nimbusds.oauth2.sdk.http.HTTPResponse.getContentAsJSONObject(HTTPResponse.java:369)
	at com.nimbusds.oauth2.sdk.AccessTokenResponse.parse(AccessTokenResponse.java:235)
	at com.nimbusds.oauth2.sdk.TokenResponse.parse(TokenResponse.java:95)
	at org.springframework.security.oauth2.client.endpoint.NimbusAuthorizationCodeTokenResponseClient.getTokenResponse(NimbusAuthorizationCodeTokenResponseClient.java:101)
	...

Actual Behavior

As per OAuth spec, current validations are being correctly performed, but that hinders our ability to connect with popular social platforms that do not comply.

Expected Behavior

There should be an explicit configuration option available to skip some of the validations to accommodate popular social platforms that do not comply. When the option to skip is not set, it should provide an error message explaining why there is non-compliance with the spec and how to manually override this compliance check using configuration.

Version

Spring Security 5

Sample

The following popular social platforms do not comply with OAuth 2.0 and should be accommodated:

  1. LinkedIn does not send REQUIRED token_type field in token response
  2. StackExchange/StackOverflow does not set content-type response header to "application/json" in token response
jgrandja (Contributor) commented:

@gburboz I just submitted PR #5656 that will provide users greater flexibility in controlling the processing of the Access Token Request and Access Token Response.

In the PR, take a look at DefaultAuthorizationCodeTokenResponseClient and AbstractOAuth2AccessTokenResponseClient, which you can extend from and override the necessary methods. You have the ability to customize headers and/or request parameters and even modify the request completely. You can also override response processing which is the use case you need - when token_type is not returned. Also, you don't need to extend/override and can instead provide a new instance of RestOperations via AbstractOAuth2AccessTokenResponseClient.setRestOperations() and modify the outgoing request or incoming response however you like using a ClientHttpRequestInterceptor.

I think this will give you the flexibility you need?

@jgrandja jgrandja added the in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) label Aug 10, 2018
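As an added illustration of the `setRestOperations()` plus `ClientHttpRequestInterceptor` route described in the comment above (this is example code, not from the original thread or from Spring Security itself), the interceptor below handles the StackExchange/StackOverflow case from the issue: a token response that arrives with no `Content-Type` header. The interceptor only acts when the header is absent, so compliant providers are processed exactly as before, and the `RestTemplate` it is wired into is the one the token response client uses for the token endpoint only. The class name `DefaultContentTypeInterceptor`, the helper `tokenResponseClient()` and the choice of `application/json` as the fallback media type are assumptions; the fallback must match the body format the provider actually sends.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.Arrays;
import java.util.Collections;

import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpRequest;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.client.ClientHttpRequestExecution;
import org.springframework.http.client.ClientHttpRequestInterceptor;
import org.springframework.http.client.ClientHttpResponse;
import org.springframework.http.converter.FormHttpMessageConverter;
import org.springframework.security.oauth2.client.endpoint.DefaultAuthorizationCodeTokenResponseClient;
import org.springframework.security.oauth2.client.http.OAuth2ErrorResponseErrorHandler;
import org.springframework.security.oauth2.core.http.converter.OAuth2AccessTokenResponseHttpMessageConverter;
import org.springframework.web.client.RestTemplate;

/**
 * Example (not part of Spring Security): supplies a Content-Type on a token
 * response that arrived without one, so the JSON message converter can read it.
 * A response that already carries Content-Type is returned untouched.
 */
public class DefaultContentTypeInterceptor implements ClientHttpRequestInterceptor {

    private final MediaType fallback;

    public DefaultContentTypeInterceptor(MediaType fallback) {
        this.fallback = fallback;
    }

    @Override
    public ClientHttpResponse intercept(HttpRequest request, byte[] body,
            ClientHttpRequestExecution execution) throws IOException {
        ClientHttpResponse response = execution.execute(request, body);
        if (response.getHeaders().getContentType() != null) {
            return response; // compliant provider: nothing to do
        }
        return new ContentTypeDefaultingResponse(response, fallback);
    }

    /** Delegating wrapper; only getHeaders() differs from the wrapped response. */
    private static final class ContentTypeDefaultingResponse implements ClientHttpResponse {
        private final ClientHttpResponse delegate;
        private final HttpHeaders headers;

        ContentTypeDefaultingResponse(ClientHttpResponse delegate, MediaType fallback) {
            this.delegate = delegate;
            this.headers = new HttpHeaders();
            this.headers.putAll(delegate.getHeaders());
            this.headers.setContentType(fallback); // the only change to the response
        }

        @Override public HttpHeaders getHeaders() { return headers; }
        @Override public InputStream getBody() throws IOException { return delegate.getBody(); }
        @Override public HttpStatus getStatusCode() throws IOException { return delegate.getStatusCode(); }
        @Override public int getRawStatusCode() throws IOException { return delegate.getRawStatusCode(); }
        @Override public String getStatusText() throws IOException { return delegate.getStatusText(); }
        @Override public void close() { delegate.close(); }
    }

    /**
     * Wires the interceptor into a token response client. Assumption: the provider's
     * token endpoint returns a JSON body, so application/json is the fallback.
     */
    public static DefaultAuthorizationCodeTokenResponseClient tokenResponseClient() {
        RestTemplate restTemplate = new RestTemplate(Arrays.asList(
                new FormHttpMessageConverter(),
                new OAuth2AccessTokenResponseHttpMessageConverter()));
        // Keep the standard OAuth2 error handling; the interceptor relaxes nothing else.
        restTemplate.setErrorHandler(new OAuth2ErrorResponseErrorHandler());
        restTemplate.setInterceptors(Collections.singletonList(
                new DefaultContentTypeInterceptor(MediaType.APPLICATION_JSON)));

        DefaultAuthorizationCodeTokenResponseClient client = new DefaultAuthorizationCodeTokenResponseClient();
        client.setRestOperations(restTemplate);
        return client;
    }
}
```

Register the client returned by `tokenResponseClient()` through `.oauth2Login().tokenEndpoint().accessTokenResponseClient(...)` for the registration that needs it. Keeping the relaxation inside the interceptor, rather than disabling validation in the message converter, means the fallback applies only to the one header the provider omits and only on the token endpoint the client registration points at.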
gburboz commented Aug 15, 2018

Apologies for the delay, but for me to be able to review your PR, I am trying to understand the implementation of the oauth2 modules for the first time in whatever spare time I am able to scavenge.

jgrandja (Contributor) commented:

@gburboz I'm going to close this issue in favour of #6020.

Also, with the release of Spring Security 5.1, you can now customize the Token Request and/or Response. See the reference on how to do this.

These new extension points will allow you to get LinkedIn and StackExchange/StackOverflow working.

gburboz commented Nov 26, 2018

To get this working for LinkedIn, functionality needs to be duplicated for the OAuth2AccessToken, OAuth2AccessTokenResponse and OAuth2AccessTokenResponseHttpMessageConverter classes, and to understand this it is required to step-debug this whole flow.

> Also, with the release of Spring Security 5.1, you can now customize the Token Request and/or Response. See the reference on how to do this.
>
> These new extension points will allow you to get LinkedIn and StackExchange/StackOverflow working.

jgrandja (Contributor) commented:

@gburboz In order to customize the Token Response, you only need to provide an implementation of Converter<Map<String, String>, OAuth2AccessTokenResponse> and configure DefaultAuthorizationCodeTokenResponseClient to use it. Check out this branch and specifically this custom config.
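
As an added example of the `Converter<Map<String, String>, OAuth2AccessTokenResponse>` approach described in the comment above (example code written for this page, not the branch or config the comment links to, and not Spring Security's own converter), the converter below addresses the LinkedIn case from the issue: a token response with no `token_type` member. It assumes the Spring Security 5.1 converter signature, where the parameter map values are `String`. The relaxation is deliberately narrow: a missing `token_type` is read as `Bearer`, but a `token_type` that is present and is anything other than `Bearer` is still rejected, and `access_token` remains mandatory. The class name `BearerDefaultingTokenResponseConverter` and the helper `tokenResponseClient()` are assumptions.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.springframework.core.convert.converter.Converter;
import org.springframework.http.converter.FormHttpMessageConverter;
import org.springframework.security.oauth2.client.endpoint.DefaultAuthorizationCodeTokenResponseClient;
import org.springframework.security.oauth2.client.http.OAuth2ErrorResponseErrorHandler;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.security.oauth2.core.http.converter.OAuth2AccessTokenResponseHttpMessageConverter;
import org.springframework.util.StringUtils;
import org.springframework.web.client.RestTemplate;

/**
 * Example (not part of Spring Security): token response converter that tolerates
 * an absent token_type by assuming Bearer, and otherwise stays strict.
 */
public class BearerDefaultingTokenResponseConverter
        implements Converter<Map<String, String>, OAuth2AccessTokenResponse> {

    private static final Set<String> STANDARD_PARAMETERS = new HashSet<>(Arrays.asList(
            OAuth2ParameterNames.ACCESS_TOKEN, OAuth2ParameterNames.TOKEN_TYPE,
            OAuth2ParameterNames.EXPIRES_IN, OAuth2ParameterNames.REFRESH_TOKEN,
            OAuth2ParameterNames.SCOPE));

    @Override
    public OAuth2AccessTokenResponse convert(Map<String, String> tokenResponseParameters) {
        String accessToken = tokenResponseParameters.get(OAuth2ParameterNames.ACCESS_TOKEN);
        if (!StringUtils.hasText(accessToken)) {
            throw new IllegalArgumentException("token response is missing access_token");
        }

        // The only relaxation: a missing token_type is read as Bearer.
        // A token_type that is present but not Bearer is still an error.
        String tokenType = tokenResponseParameters.get(OAuth2ParameterNames.TOKEN_TYPE);
        if (tokenType != null
                && !OAuth2AccessToken.TokenType.BEARER.getValue().equalsIgnoreCase(tokenType)) {
            throw new IllegalArgumentException("unsupported token_type: " + tokenType);
        }

        long expiresIn = 0;
        String expiresInValue = tokenResponseParameters.get(OAuth2ParameterNames.EXPIRES_IN);
        if (StringUtils.hasText(expiresInValue)) {
            try {
                expiresIn = Long.parseLong(expiresInValue);
            } catch (NumberFormatException ex) {
                throw new IllegalArgumentException("expires_in is not a number: " + expiresInValue, ex);
            }
        }

        Set<String> scopes = Collections.emptySet();
        String scopeValue = tokenResponseParameters.get(OAuth2ParameterNames.SCOPE);
        if (StringUtils.hasText(scopeValue)) {
            scopes = new HashSet<>(Arrays.asList(StringUtils.delimitedListToStringArray(scopeValue, " ")));
        }

        String refreshToken = tokenResponseParameters.get(OAuth2ParameterNames.REFRESH_TOKEN);

        // Non-standard members are kept as additional parameters rather than dropped.
        Map<String, Object> additionalParameters = new HashMap<>();
        for (Map.Entry<String, String> entry : tokenResponseParameters.entrySet()) {
            if (!STANDARD_PARAMETERS.contains(entry.getKey())) {
                additionalParameters.put(entry.getKey(), entry.getValue());
            }
        }

        return OAuth2AccessTokenResponse.withToken(accessToken)
                .tokenType(OAuth2AccessToken.TokenType.BEARER)
                .expiresIn(expiresIn)
                .scopes(scopes)
                .refreshToken(refreshToken)
                .additionalParameters(additionalParameters)
                .build();
    }

    /** Plugs the converter into the message converter and the token response client. */
    public static DefaultAuthorizationCodeTokenResponseClient tokenResponseClient() {
        OAuth2AccessTokenResponseHttpMessageConverter messageConverter =
                new OAuth2AccessTokenResponseHttpMessageConverter();
        messageConverter.setTokenResponseConverter(new BearerDefaultingTokenResponseConverter());

        RestTemplate restTemplate = new RestTemplate(Arrays.asList(
                new FormHttpMessageConverter(), messageConverter));
        restTemplate.setErrorHandler(new OAuth2ErrorResponseErrorHandler());

        DefaultAuthorizationCodeTokenResponseClient client = new DefaultAuthorizationCodeTokenResponseClient();
        client.setRestOperations(restTemplate);
        return client;
    }
}
```

Because the converter is attached to a `RestTemplate` that is set on one `DefaultAuthorizationCodeTokenResponseClient`, the Bearer default is confined to the client registrations that use that token response client; the default strict converter stays in place everywhere else.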
