Summary
Adding scope: https://www.googleapis.com/auth/contacts.readonly to google oauth2 login generating following exception -
org.springframework.security.oauth2.core.OAuth2AuthenticationException: [invalid_user_info_response] An error occurred while attempting to retrieve the UserInfo Resource: Could not extract response: no suitable HttpMessageConverter found for response type [java.util.Map
Actual Behavior
I am able to authenticate and authorize the user without giving any scope, but as soon as I add scope: https://www.googleapis.com/auth/contacts.readonly in application.yml, it's throwing Could not extract response: no suitable HttpMessageConverter found for response type [java.util.Map
Expected Behavior
It shouldn't have thrown the exception
Configuration
application.yml
oauth2:
  client:
    registration:
      google:
        client-id: <
Version
I am using Spring boot 2.3.0.RELEASE and Spring security 5.3.2.RELEASE
Comment From: eleftherias
It looks like you have posted this question on StackOverflow, so let's continue the discussion there. As mentioned in the guidelines for contributing, we prefer to use GitHub issues only for bugs and enhancements.
Comment From: sachin21jan
@eleftherias I have opened this issue over here because it looks like a potential bug to me, as I haven't added much of my code. If you run the sample provided at https://github.com/spring-projects/spring-security/tree/master/samples/boot/oauth2login#google-login and add the scope, you will get this error. Anything you can do to fix this error or a possible workaround will be appreciated, because I am kind of blocked on this.
Comment From: eleftherias
@sachin21jan I have reopened this issue and we will take another look at it.
Comment From: jgrandja
@sachin21jan The issue here is a misconfiguration in application.yml.
Given your application.yml the redirect-uri will default to {baseUrl}/{action}/oauth2/code/{registrationId} using CommonOAuth2Provider.GOOGLE. oauth2Login() matches on the path {baseUrl}/{action}/oauth2/code/{registrationId} so this flow is in effect and it will attempt to call the UserInfo Endpoint to obtain claims (attributes) about the currently authenticated user.
However, the user-info-uri is configured with https://www.googleapis.com/auth/contacts.readonly?alt=json, which is the Google Contacts API and does not conform to the UserInfo Endpoint as specified in the spec. The UserInfo Endpoint for Google should be configured with https://www.googleapis.com/oauth2/v3/userinfo.
I would encourage you to go through the reference doc to get more into the details on OAuth 2.0 Login or you might be looking for the OAuth 2.0 Authorization Code Grant, if you're simply looking to access the Contacts API (and not login).
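The misconfiguration jgrandja describes, shown as an added application.yml example (not taken from the issue or from the Spring Security samples): the broken provider block points user-info-uri at the Contacts API, which answers with text/plain rather than the JSON claims object that oauth2Login() expects; the corrected block keeps the OpenID Connect UserInfo Endpoint from CommonOAuth2Provider.GOOGLE and only adds the extra scope. The client-id and client-secret values are placeholders.

```yaml
spring:
  security:
    oauth2:
      client:
        registration:
          google:
            client-id: REPLACE_WITH_YOUR_CLIENT_ID        # placeholder
            client-secret: REPLACE_WITH_YOUR_CLIENT_SECRET # placeholder
            # Listing 'scope' replaces the provider defaults, so openid,
            # profile and email must be repeated to keep the OIDC login flow.
            # The Contacts scope is added on top; it only widens what the
            # access token may be used for, it does not change the UserInfo URI.
            scope:
              - openid
              - profile
              - email
              - https://www.googleapis.com/auth/contacts.readonly
        provider:
          google:
            # BROKEN (what the reporter had): a resource API used as UserInfo Endpoint.
            # The Contacts API does not return the JSON claims object, so the
            # UserInfo request fails with invalid_user_info_response.
            # user-info-uri: https://www.googleapis.com/auth/contacts.readonly?alt=json
            #
            # CORRECT: the OpenID Connect UserInfo Endpoint for Google, which is
            # also the default from CommonOAuth2Provider.GOOGLE; the whole
            # 'provider.google' block can be omitted when only this value is used.
            user-info-uri: https://www.googleapis.com/oauth2/v3/userinfo
            user-name-attribute: sub
```

With this configuration the login flow still obtains the user's claims from the UserInfo Endpoint, and the access token issued for the session additionally carries the contacts.readonly scope; calling the Contacts API is then a separate request made with that token (the Authorization Code Grant use jgrandja points to), not something the UserInfo step performs.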
Comment From: rwinch
@jgrandja I wonder if we could improve the error message? Perhaps including the response in the error message and explaining it doesn't conform to the user info endpoint?
Comment From: jgrandja
@rwinch Sure, it would be better to improve the error message.
The previous message was:
[invalid_user_info_response] An error occurred while attempting to retrieve the UserInfo Resource: Could not extract response: no suitable HttpMessageConverter found for response type [java.util.Map] and content type [text/plain]
The updated message is:
[invalid_user_info_response] An error occurred while attempting to retrieve the UserInfo Resource from 'https://www.googleapis.com/auth/contacts.readonly?alt=json': response contains invalid content type 'text/plain'. The UserInfo Response should return a JSON object (content type 'application/json') that contains a collection of name and value pairs of the claims about the authenticated End-User. Please ensure the UserInfo Uri in UserInfoEndpoint for Client Registration 'google' conforms to the UserInfo Endpoint, as defined in OpenID Connect 1.0: 'https://openid.net/specs/openid-connect-core-1_0.html#UserInfo'