
Improve error message when invalid content-type for UserInfo response #8764


Closed
sachin21jan opened this issue Jun 26, 2020 · 6 comments
Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) type: enhancement A general enhancement

@sachin21jan

Summary

Adding scope: https://www.googleapis.com/auth/contacts.readonly to Google OAuth2 login generates the following exception:

org.springframework.security.oauth2.core.OAuth2AuthenticationException: [invalid_user_info_response] An error occurred while attempting to retrieve the UserInfo Resource: Could not extract response: no suitable HttpMessageConverter found for response type [java.util.Map<java.lang.String, java.lang.Object>] and content type [text/plain]

Actual Behavior

I am able to authenticate and authorize a user without giving any scope, but as soon as I add scope: https://www.googleapis.com/auth/contacts.readonly in application.yml, it's throwing a Could not extract response: no suitable HttpMessageConverter found for response type [java.util.Map<java.lang.String, java.lang.Object>] and content type [text/plain] exception.

Expected Behavior

It shouldn't have thrown the exception.

Configuration

application.yml (the properties live under the Spring Boot spring.security prefix):

spring:
  security:
    oauth2:
      client:
        registration:
          google:
            client-id: <>
            client-secret: <>
            scope: https://www.googleapis.com/auth/contacts.readonly
        provider:
          google:
            user-info-uri: https://www.googleapis.com/auth/contacts.readonly?alt=json

Version

I am using Spring Boot 2.3.0.RELEASE and Spring Security 5.3.2.RELEASE.

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Jun 26, 2020
@eleftherias
Contributor

It looks like you have posted this question on StackOverflow, so let's continue the discussion there.
As mentioned in the guidelines for contributing, we prefer to use GitHub issues only for bugs and enhancements.

@eleftherias eleftherias self-assigned this Jun 26, 2020
@eleftherias eleftherias added for: stackoverflow A question that's better suited to stackoverflow.com and removed status: waiting-for-triage An issue we've not yet triaged labels Jun 26, 2020
@sachin21jan
Author

@eleftherias I have opened this issue over here because it looks like a potential bug to me, as I haven't added much of my code. If you run the sample provided at https://github.com/spring-projects/spring-security/tree/master/samples/boot/oauth2login#google-login and add the scope, you will get this error. Anything you can do to fix this error, or a possible workaround, will be appreciated because I am kind of blocked on this.

@eleftherias
Contributor

@sachin21jan I have reopened this issue and we will take another look at it.

@eleftherias eleftherias reopened this Jul 1, 2020
@eleftherias eleftherias added status: waiting-for-triage An issue we've not yet triaged and removed for: stackoverflow A question that's better suited to stackoverflow.com labels Jul 1, 2020
@eleftherias eleftherias assigned jgrandja and unassigned eleftherias Jul 1, 2020
@jgrandja jgrandja added in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) and removed status: waiting-for-triage An issue we've not yet triaged labels Jul 2, 2020
@jgrandja
Contributor

jgrandja commented Jul 2, 2020

@sachin21jan The issue here is a misconfiguration in application.yml.

Given your application.yml the redirect-uri will default to {baseUrl}/{action}/oauth2/code/{registrationId} using CommonOAuth2Provider.GOOGLE. oauth2Login() matches on the path {baseUrl}/{action}/oauth2/code/{registrationId} so this flow is in effect and it will attempt to call the UserInfo Endpoint to obtain claims (attributes) about the currently authenticated user.

However, the user-info-uri is configured with https://www.googleapis.com/auth/contacts.readonly?alt=json, which is the Google Contacts API and does not conform to the UserInfo Endpoint as specified in the spec. The UserInfo Endpoint for Google should be configured with https://www.googleapis.com/oauth2/v3/userinfo.

I would encourage you to go through the reference doc to get more into the details on OAuth 2.0 Login or you might be looking for the OAuth 2.0 Authorization Code Grant, if you're simply looking to access the Contacts API (and not login).
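The comment above pins the failure on the user-info-uri pointing at the Contacts API, whose response is text/plain rather than the JSON object the UserInfo Endpoint must return, and the later comment in this thread shows the improved error message that names the URI, the content type and the client registration. The following added example (written for this issue, not Spring Security's own code) shows the kind of fail-closed content-type check that produces such a message before any attempt to parse the body. The class name, the helper names and the sample content types are constructed for illustration; accepting application/*+json alongside application/json is a design choice of this example, not a claim about the framework's behaviour.

```java
import java.util.Locale;
import java.util.Optional;

// Added illustration: validate the Content-Type of a UserInfo response before parsing it.
// This is NOT Spring Security's implementation; it only mirrors the message format quoted in the issue.
public final class UserInfoContentTypeCheck {

    private UserInfoContentTypeCheck() {
    }

    /**
     * Returns true when the Content-Type header denotes a JSON body.
     * Media type parameters (e.g. "; charset=UTF-8") are ignored and the
     * comparison is case-insensitive; "application/*+json" is accepted too
     * (a design choice of this example, not a claim about Spring's behaviour).
     */
    static boolean isJsonContentType(String contentType) {
        if (contentType == null || contentType.isBlank()) {
            return false;
        }
        String mediaType = contentType.split(";", 2)[0].trim().toLowerCase(Locale.ROOT);
        return mediaType.equals("application/json")
                || (mediaType.startsWith("application/") && mediaType.endsWith("+json"));
    }

    /**
     * Empty when the response may be parsed as UserInfo claims; otherwise an
     * error message in the shape of the updated [invalid_user_info_response]
     * text, naming the URI, the offending content type and the registration.
     * Failing here keeps a non-JSON body (HTML error page, plain text) from
     * ever reaching the claims parser.
     */
    static Optional<String> validate(String registrationId, String userInfoUri, String contentType) {
        if (isJsonContentType(contentType)) {
            return Optional.empty();
        }
        String shown = (contentType == null) ? "<missing>" : contentType;
        return Optional.of("[invalid_user_info_response] An error occurred while attempting to retrieve the UserInfo Resource from '"
                + userInfoUri + "': response contains invalid content type '" + shown + "'. "
                + "The UserInfo Response should return a JSON object (content type 'application/json') "
                + "that contains a collection of name and value pairs of the claims about the authenticated End-User. "
                + "Please ensure the UserInfo Uri in UserInfoEndpoint for Client Registration '" + registrationId
                + "' conforms to the UserInfo Endpoint, as defined in OpenID Connect 1.0: "
                + "'https://openid.net/specs/openid-connect-core-1_0.html#UserInfo'");
    }

    public static void main(String[] args) {
        // Constructed sample responses; no network calls are made.
        String contactsUri = "https://www.googleapis.com/auth/contacts.readonly?alt=json"; // misconfigured URI from the issue
        String userInfoUri = "https://www.googleapis.com/oauth2/v3/userinfo";             // Google UserInfo Endpoint

        // text/plain from the Contacts API: rejected with the descriptive message
        System.out.println(validate("google", contactsUri, "text/plain").orElse("ok"));
        // JSON with a charset parameter from the real UserInfo Endpoint: accepted
        System.out.println(validate("google", userInfoUri, "application/json; charset=UTF-8").orElse("ok"));
        // Missing Content-Type header: rejected rather than guessed
        System.out.println(validate("google", userInfoUri, null).orElse("ok"));
    }
}
```

Compile and run with `javac UserInfoContentTypeCheck.java && java UserInfoContentTypeCheck` (Java 11 or later, for `String.isBlank()`); the first and third calls print the full error message, the second prints `ok`. The fix for the configuration in this issue is the one stated in the comment: point user-info-uri at https://www.googleapis.com/oauth2/v3/userinfo, or drop the custom provider block entirely so CommonOAuth2Provider.GOOGLE supplies it.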

@jgrandja jgrandja closed this as completed Jul 2, 2020
@jgrandja jgrandja added the status: invalid An issue that we don't feel is valid label Jul 2, 2020
@rwinch
Member

rwinch commented Jul 7, 2020

@jgrandja I wonder if we could improve the error message? Perhaps including the response in the error message and explaining it doesn't conform to the user info endpoint?

@rwinch rwinch reopened this Jul 7, 2020
@jgrandja jgrandja changed the title Spring Security and Google Contacts API integration throwing exception Improve error message when invalid content-type for UserInfo response Jul 9, 2020
@jgrandja jgrandja added type: enhancement A general enhancement and removed status: invalid An issue that we don't feel is valid labels Jul 9, 2020
@jgrandja jgrandja added this to the 5.4.0-RC1 milestone Jul 9, 2020
@jgrandja
Contributor

jgrandja commented Jul 9, 2020

@rwinch Sure, it would be better to improve the error message.

The previous message was:

[invalid_user_info_response] An error occurred while attempting to retrieve the UserInfo Resource: Could not extract response: no suitable HttpMessageConverter found for response type [java.util.Map<java.lang.String, java.lang.Object>] and content type [text/plain]

The updated message is:

[invalid_user_info_response] An error occurred while attempting to retrieve the UserInfo Resource from 'https://www.googleapis.com/auth/contacts.readonly?alt=json': response contains invalid content type 'text/plain'. The UserInfo Response should return a JSON object (content type 'application/json') that contains a collection of name and value pairs of the claims about the authenticated End-User. Please ensure the UserInfo Uri in UserInfoEndpoint for Client Registration 'google' conforms to the UserInfo Endpoint, as defined in OpenID Connect 1.0: 'https://openid.net/specs/openid-connect-core-1_0.html#UserInfo'
