Skip to content

Remove notEmpty check for authorities in DefaultOAuth2User #9366

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
mayur9991 opened this issue Jan 22, 2021 · 3 comments
Closed

Remove notEmpty check for authorities in DefaultOAuth2User #9366

mayur9991 opened this issue Jan 22, 2021 · 3 comments
Assignees
@mayur9991
Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) status: backported An issue that has been backported to maintenance branches type: bug A general bug
Milestone
5.5.0-M2

Comments

@mayur9991
Copy link
Contributor

Describe the bug
Currently, DefaultOAuth2User constructor has a check to make sure that authorities parameter is not empty.

public DefaultOAuth2User(Collection<? extends GrantedAuthority> authorities, Map<String, Object> attributes, String nameAttributeKey) {
		Assert.notEmpty(authorities, "authorities cannot be empty");
		Assert.notEmpty(attributes, "attributes cannot be empty");
		Assert.hasText(nameAttributeKey, "nameAttributeKey cannot be empty");
		if (!attributes.containsKey(nameAttributeKey)) {
			throw new IllegalArgumentException("Missing attribute '" + nameAttributeKey + "' in attributes");
		}
		this.authorities = Collections.unmodifiableSet(new LinkedHashSet<>(this.sortAuthorities(authorities)));
		this.attributes = Collections.unmodifiableMap(new LinkedHashMap<>(attributes));
		this.nameAttributeKey = nameAttributeKey;
	}

This causes a problem when you have a custom authorities extractor and authorities list is empty for particular user.

java.lang.IllegalArgumentException: authorities cannot be empty
	at org.springframework.util.Assert.notEmpty(Assert.java:467)
	at org.springframework.security.oauth2.core.user.DefaultOAuth2User.<init>(DefaultOAuth2User.java:63)
	at org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser.<init>(DefaultOidcUser.java:89)
	at com.xebialabs.platform.sso.oidc.service.XLOidcUserService.loadUser(XLOidcUserService.java:33)
	at com.xebialabs.xlrelease.auth.oidc.service.XlrOidcUserService.loadUser(XlrOidcUserService.java:28)
	at com.xebialabs.xlrelease.auth.oidc.service.XlrOidcUserService.loadUser(XlrOidcUserService.java:16)
	at org.springframework.security.oauth2.client.oidc.authentication.OidcAuthorizationCodeAuthenticationProvider.authenticate(OidcAuthorizationCodeAuthenticationProvider.java:174)
	at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:199)

Expected behavior
The implementation should be more inline with other part of spring-security. For example DefaultOAuth2AuthenticatedPrincipal or AbstractAuthenticationToken which allows to have empty list.

DefaultOAuth2AuthenticatedPrincipal

public DefaultOAuth2AuthenticatedPrincipal(String name, Map<String, Object> attributes,
			Collection<GrantedAuthority> authorities) {

		Assert.notEmpty(attributes, "attributes cannot be empty");
		this.attributes = Collections.unmodifiableMap(attributes);
		this.authorities = authorities == null ?
				NO_AUTHORITIES : Collections.unmodifiableCollection(authorities);
		this.name = name == null ? (String) this.attributes.get("sub") : name;
	}

AbstractAuthenticationToken

public AbstractAuthenticationToken(Collection<? extends GrantedAuthority> authorities) {
		if (authorities == null) {
			this.authorities = AuthorityUtils.NO_AUTHORITIES;
			return;
		}

		for (GrantedAuthority a : authorities) {
			if (a == null) {
				throw new IllegalArgumentException(
						"Authorities collection cannot contain any null elements");
			}
		}
		ArrayList<GrantedAuthority> temp = new ArrayList<>(
				authorities.size());
		temp.addAll(authorities);
		this.authorities = Collections.unmodifiableList(temp);
	}
@mayur9991 mayur9991 added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Jan 22, 2021
@jgrandja
Copy link
Contributor

@mayur9991 Would you be interested in submitting an update for this?

@jgrandja jgrandja added in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Jan 26, 2021
@jgrandja jgrandja added this to the 5.5.0-M2 milestone Jan 26, 2021
@mayur9991
Copy link
Contributor Author

@jgrandja Yes, I can do it! I will open a pull request.

mayur9991 added a commit to mayur9991/spring-security that referenced this issue Jan 27, 2021
@mayur9991
Allow null or empty authorities
71e8c3e 
Make DefaultOAuth2User more inline with other part of
spring-security.
For example,
- DefaultOAuth2AuthenticatedPrincipal
- AbstractAuthenticationToken

Closes spring-projectsgh-9366
@mayur9991 mayur9991 mentioned this issue Jan 27, 2021
Closed
@mayur9991
Copy link
Contributor Author

@jgrandja Pull request is now there for review. Can we also backport this to previous version?

@jgrandja jgrandja assigned mayur9991 and unassigned jgrandja Feb 2, 2021
@jgrandja jgrandja added type: bug A general bug for: backport-to-5.4.x and removed type: enhancement A general enhancement labels Feb 2, 2021
@spring-projects-issues spring-projects-issues added status: backported An issue that has been backported to maintenance branches and removed for: backport-to-5.4.x labels Feb 2, 2021
Closed
Closed
Closed
jgrandja pushed a commit that referenced this issue Feb 2, 2021
@mayur9991 @jgrandja
Allow null or empty authorities for DefaultOAuth2User
fc24c79 
Make DefaultOAuth2User more inline with other part of
spring-security.
For example,
- DefaultOAuth2AuthenticatedPrincipal
- AbstractAuthenticationToken

Closes gh-9366
jgrandja added a commit that referenced this issue Feb 2, 2021
@jgrandja
Allow null or empty authorities for DefaultOAuth2User
e7acd12 
Make DefaultOAuth2User more inline with other part of
spring-security.
For example,
- DefaultOAuth2AuthenticatedPrincipal
- AbstractAuthenticationToken

Closes gh-9366
jgrandja added a commit that referenced this issue Feb 2, 2021
@jgrandja
Allow null or empty authorities for DefaultOAuth2User
542c625 
Make DefaultOAuth2User more inline with other part of
spring-security.
For example,
- DefaultOAuth2AuthenticatedPrincipal
- AbstractAuthenticationToken

Closes gh-9366
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mayur9991 mayur9991

Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) status: backported An issue that has been backported to maintenance branches type: bug A general bug
Projects
None yet
Milestone
5.5.0-M2
Development

Successfully merging a pull request may close this issue.

Allow null or empty authorities for DefaultOAuth2User mayur9991/spring-security
3 participants
@mayur9991 @jgrandja @spring-projects-issues