Describe the bug
The same as #6463
I have the same issue #6463 in version 5.4.5 and Keycloak 16.1.0:
Caused by: java.lang.RuntimeException: com.nimbusds.oauth2.sdk.ParseException: Unexpected type of JSON object member with key mtls_endpoint_aliases
    at org.springframework.security.oauth2.client.registration.ClientRegistrations.parse(ClientRegistrations.java:232)
    at org.springframework.security.oauth2.client.registration.ClientRegistrations.lambda$oidc$0(ClientRegistrations.java:157)
    at org.springframework.security.oauth2.client.registration.ClientRegistrations.getBuilder(ClientRegistrations.java:209)
    ... 113 common frames omitted
Caused by: com.nimbusds.oauth2.sdk.ParseException: Unexpected type of JSON object member with key mtls_endpoint_aliases
    at com.nimbusds.oauth2.sdk.util.JSONObjectUtils.getGeneric(JSONObjectUtils.java:161)
    at com.nimbusds.oauth2.sdk.util.JSONObjectUtils.getJSONObject(JSONObjectUtils.java:827)
    at com.nimbusds.oauth2.sdk.as.AuthorizationServerMetadata.parse(AuthorizationServerMetadata.java:2042)
    at com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata.parse(OIDCProviderMetadata.java:1362)
    at org.springframework.security.oauth2.client.registration.ClientRegistrations.parse(ClientRegistrations.java:229)
    ... 115 common frames omitted
Caused by: com.nimbusds.oauth2.sdk.ParseException: Unexpected type: class java.util.LinkedHashMap
    at com.nimbusds.oauth2.sdk.util.JSONUtils.to(JSONUtils.java:100)
    at com.nimbusds.oauth2.sdk.util.JSONObjectUtils.getGeneric(JSONObjectUtils.java:159)
    ... 119 common frames omitted
Comment From: jgrandja
@laurocesar This exception is thrown in the Nimbus class OIDCProviderMetadata. See this comment for further info.
Note, you would get the same error if you used OIDCProviderMetadata.parse() directly.
Please report this issue with Nimbus.
Comment From: dascheib
Hi,
I'm also facing this issue (when Spring Security tries to read the config of a Keycloak version 17 server via the issuer URL) and, after the issue was tested here: https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/issues/373/exception-thrown-when-calling, I tested it myself manually in a quick local Java app.
    [...]
    import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
    [...]
    CloseableHttpResponse result = httpClient.execute(request);
    if (result.getStatusLine().getStatusCode() == 200) {
        try {
            OIDCProviderMetadata metadata = OIDCProviderMetadata.parse(EntityUtils.toString(result.getEntity()));
            log.info(metadata.getEndSessionEndpointURI().toString());
        } catch (ParseException pex) {
            log.error("Parsing OIDC Config failed: " + pex);
        }
    }
    [...]
The code above works fine. The parsing succeeds. But using Spring Security in the latest version (5.6.2) still causes the described trouble:
    [...]
    import org.springframework.security.oauth2.client.registration.ClientRegistrations;
    import org.springframework.security.oauth2.client.registration.ClientRegistration;
    [...]
    try {
        ClientRegistration.Builder builder = ClientRegistrations.fromIssuerLocation(SETTINGS_ENDPOINT);
        ClientRegistration clientRegistration = builder.build();
        log.info(clientRegistration.getProviderDetails().getAuthorizationUri());
    } catch (Exception ex) {
        [...]
    }
    [...]
The code above throws an exception. Can you confirm that? Will there be a fix?
Regards, Daniel
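
One way to compare the two code paths from the comment above against the Nimbus SDK version on your own classpath (an added example, not code from this thread, Spring Security or Nimbus). It assumes, based on the `LinkedHashMap` named in the innermost cause of the stack trace, that the failing path hands Nimbus a `JSONObject` that merely wraps an already-deserialized generic `Map`; the class name `MtlsAliasesTypeCheck` and the discovery fragment are constructed.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.util.JSONObjectUtils;
import net.minidev.json.JSONObject;

public class MtlsAliasesTypeCheck {

    // Constructed sample values; the host is a placeholder, not a real IdP.
    static final String ISSUER = "https://idp.example.test/realms/demo";
    static final String TOKEN_ALIAS = ISSUER + "/protocol/openid-connect/token";
    static final String KEY = "mtls_endpoint_aliases";

    // Reports the runtime type of the nested member and whether Nimbus accepts it.
    static String describe(JSONObject doc) {
        String type = doc.get(KEY).getClass().getName();
        try {
            JSONObject aliases = JSONObjectUtils.getJSONObject(doc, KEY);
            return type + " -> accepted, keys " + aliases.keySet();
        } catch (ParseException e) {
            return type + " -> rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws ParseException {
        // Path 1: Nimbus parses the raw text, as in the stand-alone test above.
        String json = "{\"issuer\":\"" + ISSUER + "\",\"" + KEY
                + "\":{\"token_endpoint\":\"" + TOKEN_ALIAS + "\"}}";
        JSONObject fromString = JSONObjectUtils.parse(json);

        // Path 2 (assumption): the body was already deserialized into generic
        // Maps by an HTTP client and is only wrapped in a JSONObject afterwards.
        Map<String, Object> aliases = new LinkedHashMap<>();
        aliases.put("token_endpoint", TOKEN_ALIAS);
        Map<String, Object> body = new LinkedHashMap<>();
        body.put("issuer", ISSUER);
        body.put(KEY, aliases);
        JSONObject fromMap = new JSONObject(body);

        System.out.println("parsed from string : " + describe(fromString));
        System.out.println("wrapped generic map: " + describe(fromMap));
    }
}
```

A "rejected" result on the second line corresponds to the innermost `Unexpected type: class java.util.LinkedHashMap` cause in the trace; whether it appears depends on the Nimbus SDK version that dependency management resolves for the application.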