Bug #16340: check username attribute when calling user.getName()

Author: jloisel

oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/user/DefaultOAuth2User.java

@@ -69,8 +69,6 @@ public DefaultOAuth2User(Collection<? extends GrantedAuthority> authorities, Map
 			String nameAttributeKey) {
 		Assert.notEmpty(attributes, "attributes cannot be empty");
 		Assert.hasText(nameAttributeKey, "nameAttributeKey cannot be empty");
-		Assert.notNull(attributes.get(nameAttributeKey),
-				"Attribute value for '" + nameAttributeKey + "' cannot be null");
 
 		this.authorities = (authorities != null)
 				? Collections.unmodifiableSet(new LinkedHashSet<>(this.sortAuthorities(authorities)))
@@ -81,7 +79,9 @@ public DefaultOAuth2User(Collection<? extends GrantedAuthority> authorities, Map
 
 	@Override
 	public String getName() {
-		return this.getAttribute(this.nameAttributeKey).toString();
+		final Object name = attributes.get(nameAttributeKey);
+		Assert.notNull(name, "Attribute value for '" + nameAttributeKey + "' cannot be null");
+		return name.toString();
 	}
 
 	@Override

oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/user/DefaultOAuth2UserTests.java

@@ -61,9 +61,10 @@ public void constructorWhenAttributesIsEmptyThenThrowIllegalArgumentException()
 	}
 
 	@Test
-	public void constructorWhenAttributeValueIsNullThenThrowIllegalArgumentException() {
-		assertThatIllegalArgumentException().isThrownBy(() -> new DefaultOAuth2User(AUTHORITIES,
-				Collections.singletonMap(ATTRIBUTE_NAME_KEY, null), ATTRIBUTE_NAME_KEY));
+	public void getNameWhenAttributeValueIsNullThenThrowIllegalArgumentException() {
+		final DefaultOAuth2User user = new DefaultOAuth2User(AUTHORITIES,
+				Collections.singletonMap(ATTRIBUTE_NAME_KEY, null), ATTRIBUTE_NAME_KEY);
+		assertThatIllegalArgumentException().isThrownBy(user::getName);
 	}
 
 	@Test
@@ -72,9 +73,10 @@ public void constructorWhenNameAttributeKeyIsNullThenThrowIllegalArgumentExcepti
 	}
 
 	@Test
-	public void constructorWhenNameAttributeKeyIsInvalidThenThrowIllegalArgumentException() {
+	public void getNameWhenNameAttributeKeyIsInvalidThenThrowIllegalArgumentException() {
+		final DefaultOAuth2User user = new DefaultOAuth2User(AUTHORITIES, ATTRIBUTES, "invalid");
 		assertThatIllegalArgumentException()
-			.isThrownBy(() -> new DefaultOAuth2User(AUTHORITIES, ATTRIBUTES, "invalid"));
+			.isThrownBy(user::getName);
 	}
 
 	@Test