
Getting error java.lang.IllegalArgumentException for Authorization Code flow with JDBCUserDetailService, JDBC Registered Client and JDBCAuthorization Service: The class with pk.training.basit.jpa.entity.UserPrincipal and name of pk.training.basit.jpa.entity.UserPrincipal is not in the allowlist. #397

Closed

Opened by @Basit-Mahmood

Describe the bug
With JDBCUserDetailService, JdbcRegisteredClientRepository with AuthorizationGrantType.AUTHORIZATION_CODE and JdbcOAuth2AuthorizationConsentService, fetching the token results in the following error:

```text
java.lang.IllegalArgumentException: The class with pk.training.basit.jpa.entity.UserPrincipal and name of pk.training.basit.jpa.entity.UserPrincipal is not in the allowlist. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. If the serialization is only done by a trusted source, you can also enable default typing. See spring-projects/spring-security#4370 for details

at org.springframework.security.oauth2.server.authorization.JdbcOAuth2AuthorizationService$OAuth2AuthorizationRowMapper.parseMap(JdbcOAuth2AuthorizationService.java:441) ~[spring-security-oauth2-authorization-server-0.1.2.jar:0.1.2]
at org.springframework.security.oauth2.server.authorization.JdbcOAuth2AuthorizationService$OAuth2AuthorizationRowMapper.mapRow(JdbcOAuth2AuthorizationService.java:337) ~[spring-security-oauth2-authorization-server-0.1.2.jar:0.1.2]
at org.springframework.security.oauth2.server.authorization.JdbcOAuth2AuthorizationService$OAuth2AuthorizationRowMapper.mapRow(JdbcOAuth2AuthorizationService.java:308) ~[spring-security-oauth2-authorization-server-0.1.2.jar:0.1.2]
at org.springframework.jdbc.core.RowMapperResultSetExtractor.extractData(RowMapperResultSetExtractor.java:94) ~[spring-jdbc-5.3.9.jar:5.3.9]
at org.springframework.jdbc.core.RowMapperResultSetExtractor.extractData(RowMapperResultSetExtractor.java:61) ~[spring-jdbc-5.3.9.jar:5.3.9]
at org.springframework.jdbc.core.JdbcTemplate$1.doInPreparedStatement(JdbcTemplate.java:723) ~[spring-jdbc-5.3.9.jar:5.3.9]
at org.springframework.jdbc.core.JdbcTemplate.execute(JdbcTemplate.java:651) ~[spring-jdbc-5.3.9.jar:5.3.9]
at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:713) ~[spring-jdbc-5.3.9.jar:5.3.9]
at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:744) ~[spring-jdbc-5.3.9.jar:5.3.9]
at org.springframework.jdbc.core.JdbcTemplate.query(JdbcTemplate.java:799) ~[spring-jdbc-5.3.9.jar:5.3.9]
at org.springframework.security.oauth2.server.authorization.JdbcOAuth2AuthorizationService.findBy(JdbcOAuth2AuthorizationService.java:257) ~[spring-security-oauth2-authorization-server-0.1.2.jar:0.1.2]
at org.springframework.security.oauth2.server.authorization.JdbcOAuth2AuthorizationService.findByToken(JdbcOAuth2AuthorizationService.java:244) ~[spring-security-oauth2-authorization-server-0.1.2.jar:0.1.2]
at org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeAuthenticationProvider.authenticate(OAuth2AuthorizationCodeAuthenticationProvider.java:114) ~[spring-security-oauth2-authorization-server-0.1.2.jar:0.1.2]
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:182) ~[spring-security-core-5.5.1.jar:5.5.1]
at org.springframework.security.oauth2.server.authorization.web.OAuth2TokenEndpointFilter.doFilterInternal(OAuth2TokenEndpointFilter.java:164) ~[spring-security-oauth2-authorization-server-0.1.2.jar:0.1.2]
```

To Reproduce

  1. Set up a JDBCUserDetailService.
  2. Set up JdbcRegisteredClientRepository with a RegisteredClient having AuthorizationGrantType.AUTHORIZATION_CODE.
  3. Set up JdbcOAuth2AuthorizationService.
  4. Try to get the token with the Authorization Code flow.
  5. The above-mentioned error will occur.

Expected behavior
The token response should be generated fine.

Sample

Ch1-09-SpringAuthorizationServer-0.1.2.zip

Ch1-08-SpringAuthorizationServer-0.1.1-ResourceServer.zip

Ch1-08-SpringAuthorizationServer-0.1.1-Client.zip

Attached are three projects. All are Gradle projects and should import fine in Eclipse.

Change the database settings in the Ch1-09-SpringAuthorizationServer-0.1.2/src/main/resources/application.properties file.

Run the database scripts present in Ch1-09-SpringAuthorizationServer-0.1.2/src/main/resources/database/scripts. This will create the tables and insert the user into the table.

All the URLs are present in the application.properties file of each of the three projects.

Run all three projects. When Ch1-09-SpringAuthorizationServer-0.1.2 runs, the registered client will be inserted into the database. All projects run on different ports. After running all the projects, do the following:

  1. Open the URL http://127.0.0.1:8080/springauthorizationserverclient-0.1.1 in a browser.
  2. Log in with username user1 and password password.
  3. Three types will be presented: Authorization Code, Client Credentials and Password.
  4. Click on Password. A proper response will come.
  5. Now click on Authorization Code.
  6. The Authorization Server login page will open in the browser. Type username user1 and password password. (Please run the database script for this user as told above.)
  7. The error will occur.

In class org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeAuthenticationProvider, at the line

```java
OAuth2Authorization authorization = this.authorizationService.findByToken(
        authorizationCodeAuthentication.getCode(), AUTHORIZATION_CODE_TOKEN_TYPE);
```

the error is generated, after the result has been fetched from the database.

Thanks
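The error message above names the safe remedy: an explicit Jackson mapping for the custom class rather than enabling default typing. The following is an added example, not code from the issue or from Spring Authorization Server, showing a mixin that allowlists only `UserPrincipal` and wires it into the JDBC authorization store. It assumes `UserPrincipal` has a `(username, password, authorities)` constructor and that the 0.1.2 setters `OAuth2AuthorizationRowMapper.setObjectMapper(...)` and `JdbcOAuth2AuthorizationService.setAuthorizationRowMapper(...)` exist as recalled here.

```java
// Added example, not project code. Assumes UserPrincipal(username, password, authorities)
// constructor and the 0.1.2 setters named below (setObjectMapper, setAuthorizationRowMapper).
import java.util.Collection;
import com.fasterxml.jackson.annotation.*;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.jdbc.core.JdbcOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.jackson2.SecurityJackson2Modules;
import org.springframework.security.oauth2.server.authorization.JdbcOAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.jackson2.OAuth2AuthorizationServerJackson2Module;
import pk.training.basit.jpa.entity.UserPrincipal;

@Configuration
public class AuthorizationServiceConfig {
    // Mixin: the explicit mapping the error message asks for. Registering it allowlists
    // UserPrincipal only; default typing stays off, so every other class is still blocked.
    @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
    @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY,
            getterVisibility = JsonAutoDetect.Visibility.NONE, isGetterVisibility = JsonAutoDetect.Visibility.NONE)
    @JsonIgnoreProperties(ignoreUnknown = true)
    abstract static class UserPrincipalMixin {
        @JsonCreator
        UserPrincipalMixin(@JsonProperty("username") String username,
                           @JsonProperty("password") String password,
                           @JsonProperty("authorities") Collection<? extends GrantedAuthority> authorities) {
        }
    }

    @Bean
    public OAuth2AuthorizationService authorizationService(JdbcOperations jdbcOperations,
            RegisteredClientRepository registeredClientRepository) {
        // Same modules the default row mapper registers, plus the mixin for the custom principal.
        ObjectMapper objectMapper = new ObjectMapper();
        objectMapper.registerModules(SecurityJackson2Modules.getModules(getClass().getClassLoader()));
        objectMapper.registerModule(new OAuth2AuthorizationServerJackson2Module());
        objectMapper.addMixIn(UserPrincipal.class, UserPrincipalMixin.class);
        JdbcOAuth2AuthorizationService.OAuth2AuthorizationRowMapper rowMapper =
                new JdbcOAuth2AuthorizationService.OAuth2AuthorizationRowMapper(registeredClientRepository);
        rowMapper.setObjectMapper(objectMapper);
        JdbcOAuth2AuthorizationService service =
                new JdbcOAuth2AuthorizationService(jdbcOperations, registeredClientRepository);
        service.setAuthorizationRowMapper(rowMapper);
        return service;
    }
}
```

The same ObjectMapper should also be set on the service's parameters mapper so that the save side writes the principal with matching type information; the allowlist check itself runs on the read side shown in the stack trace.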

Labels: status: invalid (An issue that we don't feel is valid)
