Hi, I have a similar issue to https://github.com/spring-projects/spring-security/issues/5983#issuecomment-430620308.
I am following https://github.com/jgrandja/spring-security-oauth-5-2-migrate/blob/master/client-app/src/main/java/org/springframework/security/oauth/samples/config/WebClientConfig.java to create a WebClient with OAuth2 config, and use this WebClient to request a resource (client_credentials). It returns the message below:
```
[invalid_token_response] An error occurred while attempting to retrieve the OAuth 2.0 Access Token Response: Error while extracting response for type [class org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse] and content type [application/json]; nested exception is org.springframework.http.converter.HttpMessageNotReadableException: An error occurred reading the OAuth 2.0 Access Token Response: tokenType cannot be null; nested exception is java.lang.IllegalArgumentException: tokenType cannot be null
```
I have tried the code in https://github.com/jgrandja/oauth2login-demo/tree/linkedin to configure the OAuth2AccessTokenResponse, but it does not work for me.
I checked what the resource's token API returns:
```json
{ "token_type": "BearerToken", "issued_at": "1590548387462", "client_id": "DxxfvXDoCW72O2gWBIalGeHPY1234", "access_token": "qHiWVPxAtGNTTumL2zW4Kix1234", }
```
The token type returned is "BearerToken", not "Bearer". Is this the root cause? How should I resolve it?
Thank you in advance.
Comment From: yugiking
I checked the code and it should be the reason: it requires the response token_type to be "Bearer", or else it will return a null token type. Why is it so strict here? Is there any way I can bypass this? I just tried https://github.com/jgrandja/oauth2login-demo/tree/linkedin, but it does not work for me.
Comment From: jgrandja
@yugiking
Thanks for getting in touch, but it feels like this is a question that would be better suited to Stack Overflow. We prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that other people can find it).
> it requires the response token_type to be "Bearer", or else it will return a null token type. Why is it so strict here?

FYI, the token_type is required as per spec.
For non-compliant providers, you can customize the processing of the response (similar to the LinkedIn sample) by adding an ExchangeFilterFunction to the WebClient and setting it via WebClientReactiveClientCredentialsTokenResponseClient.setWebClient(). You will want to look at ExchangeFilterFunction.ofResponseProcessor() for post-processing the ClientResponse.
I'm going to close this issue as the solution provided is the approach to take.
Comment From: yugiking
Thanks @jgrandja for your answer. But I don't have an idea how I can write the code: the sample link defines an OAuth2AccessTokenResponseClient, but how should I add it to the WebClient via WebClientReactiveClientCredentialsTokenResponseClient.setWebClient()? It would be very helpful if you could show me some more detailed code.
I also posted a question on Stack Overflow: https://stackoverflow.com/questions/62135200/how-to-customize-the-accesstoken-response-when-using-spring-security-webclient
Could you kindly help to check? Thank you.
Comment From: yugiking
@jgrandja I just resolved it following https://docs.spring.io/spring-security/site/docs/current/reference/html5/#oauth2Client-client-creds-grant. With this I can customize my token response by:
```java
OAuth2AuthorizedClientProvider authorizedClientProvider =
    OAuth2AuthorizedClientProviderBuilder.builder()
        .clientCredentials(configurer ->
            configurer.accessTokenResponseClient(clientCredentialsTokenResponseClient))
        .build();
```
But not in the way you mentioned, "WebClientReactiveClientCredentialsTokenResponseClient.setWebClient".
Comment From: jgrandja
@yugiking See ReactiveOAuth2AuthorizedClientProviderBuilder for configuring the reactive components.
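The following is an added example, not code from the thread participants or from the Spring Security project, that puts together the two suggestions above: the ExchangeFilterFunction.ofResponseProcessor() / setWebClient() approach for non-compliant providers, and the ReactiveOAuth2AuthorizedClientProviderBuilder wiring for the reactive stack. The filter rewrites a non-standard token_type such as "BearerToken" to "Bearer" before OAuth2AccessTokenResponseBodyExtractor parses the body. It assumes Spring Security 5.2+ with Jackson on the classpath, that the provider really does issue bearer tokens, and the class name TokenTypeNormalizingConfig is invented here.

```java
import java.util.Map;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import reactor.core.publisher.Mono;

import org.springframework.http.HttpHeaders;
import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientProviderBuilder;
import org.springframework.security.oauth2.client.endpoint.WebClientReactiveClientCredentialsTokenResponseClient;
import org.springframework.web.reactive.function.client.ClientResponse;
import org.springframework.web.reactive.function.client.ExchangeFilterFunction;
import org.springframework.web.reactive.function.client.WebClient;

/**
 * Example (not project code): normalizes a non-standard token_type in the
 * token endpoint response so that Spring Security's extractor accepts it.
 * Assumes the provider actually issues bearer tokens.
 */
public class TokenTypeNormalizingConfig {

    private static final ObjectMapper MAPPER = new ObjectMapper();
    private static final TypeReference<Map<String, Object>> JSON_OBJECT =
            new TypeReference<Map<String, Object>>() {};

    /** Response processor that only touches successful (2xx) token responses. */
    static ExchangeFilterFunction normalizeTokenType() {
        return ExchangeFilterFunction.ofResponseProcessor(response -> {
            // Error responses are left untouched so the extractor still reports them as OAuth2Error.
            if (!response.statusCode().is2xxSuccessful()) {
                return Mono.just(response);
            }
            return response.bodyToMono(String.class)
                    .defaultIfEmpty("{}")
                    .map(TokenTypeNormalizingConfig::rewriteTokenType)
                    // Rebuild the response around the fixed body. The original Content-Length
                    // no longer matches, so drop it. On Spring Framework 5.3+ response.mutate()
                    // replaces the deprecated ClientResponse.from().
                    .map(fixed -> ClientResponse.from(response)
                            .headers(headers -> headers.remove(HttpHeaders.CONTENT_LENGTH))
                            .body(fixed)
                            .build());
        });
    }

    /** Sets token_type to "Bearer" when it is missing or not spelled as RFC 6749 requires. */
    static String rewriteTokenType(String body) {
        try {
            Map<String, Object> json = MAPPER.readValue(body, JSON_OBJECT);
            Object tokenType = json.get("token_type");
            if (tokenType == null || !"bearer".equalsIgnoreCase(tokenType.toString())) {
                json.put("token_type", "Bearer");
            }
            return MAPPER.writeValueAsString(json);
        } catch (JsonProcessingException ex) {
            // Not a JSON object: pass the body through unchanged and let the extractor fail on it.
            return body;
        }
    }

    /** Token response client whose own WebClient applies the filter above. */
    static WebClientReactiveClientCredentialsTokenResponseClient tokenResponseClient() {
        WebClientReactiveClientCredentialsTokenResponseClient client =
                new WebClientReactiveClientCredentialsTokenResponseClient();
        // A dedicated WebClient for the token endpoint: do not reuse the resource-request
        // WebClient, which carries the OAuth2 authorized-client filter and would recurse.
        client.setWebClient(WebClient.builder().filter(normalizeTokenType()).build());
        return client;
    }

    /** Reactive counterpart of the servlet-stack builder snippet earlier in the thread. */
    static ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider() {
        return ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
                .clientCredentials(configurer ->
                        configurer.accessTokenResponseClient(tokenResponseClient()))
                .build();
    }
}
```

The provider returned by authorizedClientProvider() is what you hand to the ReactiveOAuth2AuthorizedClientManager (for example DefaultReactiveOAuth2AuthorizedClientManager.setAuthorizedClientProvider) that backs the ServerOAuth2AuthorizedClientExchangeFilterFunction on the resource-request WebClient. Restricting the rewrite to 2xx responses and to the token_type field keeps the filter from masking real token endpoint errors, which is the main risk of post-processing a security-relevant response.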
Comment From: vvondra
@jgrandja it would be great if ReactiveOAuth2AccessTokenResponseClient had the same option to modify the response before the token gets parsed out, to make it easier to implement the workaround for non-spec-compliant OAuth2 servers that do not send the token_type attribute,
as seen here: https://github.com/spring-projects/spring-security/issues/5983#issuecomment-430620308 https://docs.spring.io/spring-security/site/docs/5.1.1.RELEASE/reference/htmlsingle/#oauth2Client-access-token-client
Currently the workaround requires re-implementing large parts of OAuth2AccessTokenResponseBodyExtractor to be more tolerant.