Describe the bug Normally, when oauth2-login is configured, it is possible to inject @AuthenticationPrincipal and @RegisteredOAuth2AuthorizedClient into controller methods. The former always works, the latter only with Java configuration. With an XML configuration like this:
<sec:http pattern="/my-api/**" use-expressions="true" auto-config="false">
<sec:csrf disabled="true"/>
<sec:intercept-url pattern="/my-api/**" access="authenticated"/>
<sec:oauth2-login access-token-response-client-ref="accessTokenResponseClient"/>
</sec:http>
...
<sec:client-registrations>
<sec:client-registration registration-id="myId" ... />
<sec:provider provider-id="myProvider" .../>
</sec:client-registrations>
And controller code like this:
public Map<String, Object> getStuff(
@AuthenticationPrincipal Principal principal,
@RegisteredOAuth2AuthorizedClient(registrationId = "myId") OAuth2AuthorizedClient client) {
...
}
I am getting the following stacktrace:
| Caused by: java.lang.IllegalStateException: No primary or default constructor found for class org.springframework.security.oauth2.client.OAuth2AuthorizedClient | at org.springframework.web.method.annotation.ModelAttributeMethodProcessor.createAttribute(ModelAttributeMethodProcessor.java:219) | at org.springframework.web.servlet.mvc.method.annotation.ServletModelAttributeMethodProcessor.createAttribute(ServletModelAttributeMethodProcessor.java:85) ... Caused by: java.lang.NoSuchMethodException: org.springframework.security.oauth2.client.OAuth2AuthorizedClient.
() | at java.lang.Class.getConstructor0(Class.java:3082)
With the equivalent configuration in Java it works. There might be a problem with the client registrations being an inner bean and somehow not getting managed properly in the OAuth2AuthorizedClientRepository.
Comment From: jgrandja
Thanks for the report @realulim.
The Java configuration registers OAuth2ClientConfiguration.OAuth2ClientWebMvcSecurityConfiguration and adds OAuth2AuthorizedClientArgumentResolver, which resolves OAuth2AuthorizedClient via @RegisteredOAuth2AuthorizedClient.
The issue is that OAuth2AuthorizedClientArgumentResolver is not automatically registered when using XML config.
I'll add this to our backlog as an enhancement.
Comment From: realulim
Thank you for confirming and taking it on. As a workaround, would it be somehow possible to manually configure the OAuth2AuthorizedClientArgumentResolver?
Comment From: jgrandja
@realulim I just pushed this enhancement to master. Let me know how it goes.
Comment From: realulim
I checked out master and did ./gradlew install and ./gradlew build, but the generated jar in build/libs has no classes. Is there a place where binaries could be downloaded, perhaps a nightly build?
Comment From: jgrandja
@realulim You'll need to test this against the snapshot repository https://repo.spring.io/snapshot. See the reference doc for maven configuration.
Comment From: realulim
I have tried this with the snapshot repo enabled and for the following gradle dependency:
implementation "org.springframework.security:spring-security-oauth2-client:5.4.0.BUILD-SNAPSHOT"
Perhaps this is the wrong version tag, because the behavior is unchanged to what I see with version 5.3.3.RELEASE.
Comment From: jgrandja
@realulim The Spring versioning scheme changed recently - see announcement.
Instead of 5.4.0.BUILD-SNAPSHOT use the new tag 5.4.0-SNAPSHOT.
Here is a working sample (xml-config branch) for your reference.
Comment From: realulim
I am still getting the same exception. My configuration is very similar to the example, only that I am using an external authorisation server and thus need a custom AccessTokenClient. I suppose at this point I need to create a minimal example to reproduce the error.
| Caused by: java.lang.NoSuchMethodException: org.springframework.security.oauth2.client.OAuth2AuthorizedClient.<init>()
| at java.lang.Class.getConstructor0(Class.java:3082)
| at java.lang.Class.getDeclaredConstructor(Class.java:2178)
| at org.springframework.web.method.annotation.ModelAttributeMethodProcessor.createAttribute(ModelAttributeMethodProcessor.java:216)
| ... 149 more
Comment From: jgrandja
Yes, please put together a minimal sample that reproduces the issue.