Consider making UserInfo request opt-in instead of default in Spring Security 7 #16843
Labels
in: oauth2 - An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)
type: breaks-passivity - A change that breaks passivity with the previous release
type: enhancement - A general enhancement
Expected Behavior

A UserInfo request isn't performed by default in OpenID Connect login (`oauth2Login()` with `openid` and any of the `profile`, `email`, `address` and `phone` scopes). A user should still be able to opt in to calling the UserInfo endpoint to obtain additional claims for the `OAuth2AuthenticationToken`.

Current Behavior

A UserInfo request is performed whenever the `ClientRegistration.providerDetails.userInfoEndpoint.uri` property (`user-info-uri` in Spring Boot properties) is set, and any of the `profile`, `email`, `address` or `phone` scopes are requested with `openid`.

Context

It is currently possible to disable the UserInfo request by either setting the `user-info-uri` property to blank, or calling `OidcUserService#setShouldRetrieveUserInfo()` with a `Predicate<OidcUserRequest>`. However, requesting UserInfo may not be required in most cases. It would be nice to default to not calling the UserInfo endpoint in Spring Security 7, which would reduce the number of requests made during login.

Related gh-16340
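The opt-in configuration the issue asks for can already be expressed on the application side with the predicate hook it mentions. The following is an added example written for this page, not code from the issue author or from the Spring Security project. It assumes the setter is `setRetrieveUserInfo(Predicate<OidcUserRequest>)` as named in recent 6.x releases (the issue refers to it as `setShouldRetrieveUserInfo`; check the installed version's javadoc), and the rule "call UserInfo only when the ID token carries no `email` claim" is a hypothetical application requirement chosen to make the predicate non-trivial.

```java
import java.util.function.Predicate;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.web.SecurityFilterChain;

// Added example (not the project's code): make the UserInfo call opt-in for one
// application by deciding per login whether the endpoint is worth contacting.
@Configuration
public class OidcLoginConfig {

    // Hypothetical policy for this example: the ID token normally carries every
    // claim we need, so only fall back to UserInfo when "email" is missing from it.
    // Returning "false" unconditionally disables the UserInfo request entirely,
    // regardless of which scopes were requested or whether user-info-uri is set.
    static final Predicate<OidcUserRequest> NEEDS_USER_INFO =
            request -> request.getIdToken().getClaim("email") == null;

    @Bean
    public OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService() {
        OidcUserService service = new OidcUserService();
        // Assumed setter name (6.x); the issue text calls it setShouldRetrieveUserInfo.
        service.setRetrieveUserInfo(NEEDS_USER_INFO);
        return service;
    }

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .oauth2Login(oauth2 -> oauth2
                // Wire the customised service so the predicate governs every OIDC login.
                .userInfoEndpoint(userInfo -> userInfo.oidcUserService(oidcUserService())));
        return http.build();
    }
}
```

The predicate is evaluated after the ID token has been validated, so the decision can be based on the claims that were actually issued rather than on the requested scopes alone. Skipping the call also means the access token is not sent to a second endpoint during login, and the claims on the resulting `OidcUser` come from the signed ID token only, which is the cheaper and smaller surface the issue argues should be the default. The other opt-out the issue names, setting the Spring Boot `user-info-uri` property to blank, removes the endpoint from the `ClientRegistration` altogether and cannot be made conditional per request.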