Summary

I have set up the Spring Security authorization server, which has a client registered in its registry. I have configured the authorization server with formLogin so that when a user tries to log in to the client app, it is shown a login page by the auth server. On the other side I have a client app that uses the spring-boot-starter-oauth2-client module to integrate with the auth server. My integration is OpenID based, for scopes (openid, email, profile).

Everything is fine when I am accessing a controller endpoint in my client app if the scope is configured with only openid. I know that in the case of only the openid scope the /userinfo endpoint is not called by the client on the auth server. If I configure multiple scopes like openid, email, profile then the /userinfo endpoint is called, but the auth server is returning a 401 error.

I tried to debug the filter chain on the auth server side and I found there is no filter to serve the /userinfo endpoint. Am I missing something in the configuration?

Actual Behavior

The auth server is throwing a 401 error when the /userinfo endpoint is called by the client app. Here is the code I am using in the client app.

@Bean
SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    http
        .csrf().disable()
        .authorizeRequests(authorizeRequests -> authorizeRequests.anyRequest().authenticated())
        .oauth2Login(oauth2Login -> oauth2Login
            .loginPage("/oauth2/authorization/articles-client-oidc")
            .userInfoEndpoint()
                // .userAuthoritiesMapper(this.userAuthoritiesMapper())
                .oidcUserService(this.oidcUserService()))
        .oauth2Client(withDefaults());
    return http.build();
}

// Typed as OAuth2UserService<OidcUserRequest, OidcUser>; the raw type would not compile
// against delegate.loadUser(OidcUserRequest) below.
private OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService() {
    final OidcUserService delegate = new OidcUserService();

    return (userRequest) -> {
        String userInfoUri = userRequest.getClientRegistration().getProviderDetails().getUserInfoEndpoint().getUri();

        // Delegate to the default implementation for loading a user
        // (this is the call that hits /userinfo when scopes beyond openid are requested)
        OidcUser oidcUser = delegate.loadUser(userRequest);

        OAuth2AccessToken accessToken = userRequest.getAccessToken();
        // Left empty here, so the resulting user carries no granted authorities
        Set<GrantedAuthority> mappedAuthorities = new HashSet<>();

        // 3) Create a copy of oidcUser but use the mappedAuthorities instead
        oidcUser = new DefaultOidcUser(mappedAuthorities, oidcUser.getIdToken(), oidcUser.getUserInfo());

        return oidcUser;
    };
}

Expected Behavior

Configuration

@Bean
@Order(Ordered.HIGHEST_PRECEDENCE)
public SecurityFilterChain authServerSecurityFilterChain(HttpSecurity http) throws Exception {
    OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
    return 
        http
        .csrf().disable()
        .cors().disable()
        .formLogin((formLogin) -> 
            formLogin.loginPage(formLoginUrl)
                .loginProcessingUrl(contextPath+"/openid/authenticate")
        )
        .addFilterAfter(legacyTokenCheckFilter(), LogoutFilter.class)
        .build();
}

Version

implementation group: 'org.springframework.security', name: 'spring-security-oauth2-authorization-server', version: '0.3.1'

Sample

Comment From: jgrandja

@mak0128 We'll enhance the samples to show how to configure. Please track spring-authorization-server#847
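The authorization server filter chain from the issue with a JWT resource-server configuration added, as an added example that is not code from either participant or from the project's samples. It assumes the 401 is caused by nothing in that chain authenticating the Bearer access token the client sends to /userinfo, that a JWKSource bean already exists (as every authorization server needs one), and 0.3.x package names; formLoginUrl and contextPath are placeholders for the reporter's own values, and the reporter's legacyTokenCheckFilter is left out because it is not on the page.

```java
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.SecurityContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class AuthServerSecurityConfig {

    // Placeholders standing in for the reporter's formLoginUrl / contextPath values (assumed).
    private final String formLoginUrl = "/login";
    private final String contextPath = "";

    @Bean
    @Order(Ordered.HIGHEST_PRECEDENCE)
    public SecurityFilterChain authServerSecurityFilterChain(HttpSecurity http) throws Exception {
        // Registers the protocol endpoints (/oauth2/authorize, /oauth2/token, /userinfo, ...)
        // and restricts this chain to them.
        OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
        // The reporter's legacyTokenCheckFilter is intentionally left out (not on the page).
        return http
            .csrf().disable()
            .cors().disable()
            .formLogin(formLogin -> formLogin
                .loginPage(formLoginUrl)
                .loginProcessingUrl(contextPath + "/openid/authenticate"))
            // /userinfo is not protected by the login session: the client calls it with the
            // access token as a Bearer JWT. Without a resource-server configuration nothing in
            // this chain authenticates that token, so the request ends in a 401.
            .oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt)
            .build();
    }

    // oauth2ResourceServer().jwt() needs a JwtDecoder; building it from the server's own
    // JWKSource means /userinfo accepts only tokens this authorization server signed.
    @Bean
    public JwtDecoder jwtDecoder(JWKSource<SecurityContext> jwkSource) {
        return OAuth2AuthorizationServerConfiguration.jwtDecoder(jwkSource);
    }
}
```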