Describe the bug

Currently, the DefaultOAuth2User constructor has a check to make sure that the authorities parameter is not empty.

    public DefaultOAuth2User(Collection<? extends GrantedAuthority> authorities, Map<String, Object> attributes, String nameAttributeKey) {
        Assert.notEmpty(authorities, "authorities cannot be empty");
        Assert.notEmpty(attributes, "attributes cannot be empty");
        Assert.hasText(nameAttributeKey, "nameAttributeKey cannot be empty");
        if (!attributes.containsKey(nameAttributeKey)) {
            throw new IllegalArgumentException("Missing attribute '" + nameAttributeKey + "' in attributes");
        }
        this.authorities = Collections.unmodifiableSet(new LinkedHashSet<>(this.sortAuthorities(authorities)));
        this.attributes = Collections.unmodifiableMap(new LinkedHashMap<>(attributes));
        this.nameAttributeKey = nameAttributeKey;
    }

This causes a problem when you have a custom authorities extractor and the authorities list is empty for a particular user.

java.lang.IllegalArgumentException: authorities cannot be empty
    at org.springframework.util.Assert.notEmpty(Assert.java:467)
    at org.springframework.security.oauth2.core.user.DefaultOAuth2User.<init>(DefaultOAuth2User.java:63)
    at org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser.<init>(DefaultOidcUser.java:89)
    at com.xebialabs.platform.sso.oidc.service.XLOidcUserService.loadUser(XLOidcUserService.java:33)
    at com.xebialabs.xlrelease.auth.oidc.service.XlrOidcUserService.loadUser(XlrOidcUserService.java:28)
    at com.xebialabs.xlrelease.auth.oidc.service.XlrOidcUserService.loadUser(XlrOidcUserService.java:16)
    at org.springframework.security.oauth2.client.oidc.authentication.OidcAuthorizationCodeAuthenticationProvider.authenticate(OidcAuthorizationCodeAuthenticationProvider.java:174)
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:199)

Expected behavior

The implementation should be more in line with other parts of spring-security, for example DefaultOAuth2AuthenticatedPrincipal or AbstractAuthenticationToken, which allow an empty list.

DefaultOAuth2AuthenticatedPrincipal

    public DefaultOAuth2AuthenticatedPrincipal(String name, Map<String, Object> attributes,
            Collection<GrantedAuthority> authorities) {

        Assert.notEmpty(attributes, "attributes cannot be empty");
        this.attributes = Collections.unmodifiableMap(attributes);
        this.authorities = authorities == null ?
                NO_AUTHORITIES : Collections.unmodifiableCollection(authorities);
        this.name = name == null ? (String) this.attributes.get("sub") : name;
    }

AbstractAuthenticationToken

    public AbstractAuthenticationToken(Collection<? extends GrantedAuthority> authorities) {
        if (authorities == null) {
            this.authorities = AuthorityUtils.NO_AUTHORITIES;
            return;
        }

        for (GrantedAuthority a : authorities) {
            if (a == null) {
                throw new IllegalArgumentException(
                        "Authorities collection cannot contain any null elements");
            }
        }
        ArrayList<GrantedAuthority> temp = new ArrayList<>(
                authorities.size());
        temp.addAll(authorities);
        this.authorities = Collections.unmodifiableList(temp);
    }
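
To make the expected behavior concrete, the following is an added illustration (not the reporter's code and not the pull request) of a DefaultOAuth2User-style constructor that follows the AbstractAuthenticationToken pattern: a null collection becomes AuthorityUtils.NO_AUTHORITIES, an empty collection is accepted, and null elements are still rejected, while the attribute checks are unchanged. The class name and the sortAuthorities helper are assumed, and Spring Security is assumed to be on the classpath.

```java
import java.util.*;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.util.Assert;

// Assumed class name; an illustration of the expected behavior, not the library's code.
public class LenientOAuth2UserExample {

    private final Set<GrantedAuthority> authorities;
    private final Map<String, Object> attributes;
    private final String nameAttributeKey;

    public LenientOAuth2UserExample(Collection<? extends GrantedAuthority> authorities,
            Map<String, Object> attributes, String nameAttributeKey) {
        // The attribute checks from the current constructor are kept as they are.
        Assert.notEmpty(attributes, "attributes cannot be empty");
        Assert.hasText(nameAttributeKey, "nameAttributeKey cannot be empty");
        Assert.isTrue(attributes.containsKey(nameAttributeKey),
                "Missing attribute '" + nameAttributeKey + "' in attributes");
        // As in AbstractAuthenticationToken: null becomes NO_AUTHORITIES and empty is accepted...
        Collection<? extends GrantedAuthority> safe =
                (authorities == null) ? AuthorityUtils.NO_AUTHORITIES : authorities;
        // ...while a null element is still rejected.
        Assert.noNullElements(safe.toArray(), "authorities cannot contain null elements");
        this.authorities = Collections.unmodifiableSet(new LinkedHashSet<>(sortAuthorities(safe)));
        this.attributes = Collections.unmodifiableMap(new LinkedHashMap<>(attributes));
        this.nameAttributeKey = nameAttributeKey;
    }

    public Collection<GrantedAuthority> getAuthorities() { return this.authorities; }

    public String getName() { return String.valueOf(this.attributes.get(this.nameAttributeKey)); }

    // Assumed helper standing in for the library's private sortAuthorities: order by authority string.
    private static Set<GrantedAuthority> sortAuthorities(Collection<? extends GrantedAuthority> in) {
        Set<GrantedAuthority> sorted = new TreeSet<>(Comparator.comparing(GrantedAuthority::getAuthority));
        sorted.addAll(in);
        return sorted;
    }

    public static void main(String[] args) {
        // Constructed sample attributes for a user whose custom extractor mapped no authorities.
        Map<String, Object> attrs = new LinkedHashMap<>();
        attrs.put("sub", "user-123");
        LenientOAuth2UserExample noRoles = new LenientOAuth2UserExample(Collections.emptySet(), attrs, "sub");
        System.out.println(noRoles.getName() + " authorities=" + noRoles.getAuthorities());
    }
}
```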

Comment From: jgrandja

@mayur9991 Would you be interested in submitting an update for this?

Comment From: mayur9991

@jgrandja Yes, I can do it! I will open a pull request.

Comment From: mayur9991

@jgrandja The pull request is now there for review. Can we also backport this to a previous version?