Describe the bug

I believe that the fix for CVE-2022-31690 has broken OidcUserInfo fetching in some cases.

org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService#shouldRetrieveUserInfo uses the scopes in the OAuth2AccessToken fetched by the DefaultAuthorizationCodeTokenResponseClient to determine whether it should fetch user info or not. With the above-mentioned change, a server that doesn't reply with scopes (and implies all requested scopes are granted) won't have any scopes in the OAuth2AccessToken and will thus no longer fetch any user info.

To Reproduce

  • Do an OIDC login with requested scopes that would trigger fetching of user info (profile, email, phone, address)
  • Have the server reply with an empty set of scopes on successful login.
  • DefaultOidcUser won't have any userInfo set.

Expected behavior

OidcUserInfo should be fetched if the triggering scopes have been requested even if not returned by the server.
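As an added example (not code from this report or from Spring Security itself, and unnecessary on a release that contains the fix for #12144): a delegating user service that, only when the token response carried no scopes at all, falls back to the scopes requested on the ClientRegistration to decide whether the UserInfo Endpoint should be called. The class and method names are hypothetical. Note that it leaves the OAuth2AccessToken's scope set untouched rather than copying requested scopes into it, since assuming unreturned scopes were granted is the behaviour the CVE-2022-31690 fix removed; it also keeps the OIDC Core 5.3.2 check that the UserInfo `sub` matches the ID Token `sub`.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.Set;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.userinfo.DefaultOAuth2UserService;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.oidc.OidcUserInfo;
import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;
import org.springframework.security.oauth2.core.user.OAuth2User;
import org.springframework.util.CollectionUtils;
import org.springframework.util.StringUtils;

/**
 * Hypothetical workaround (not part of Spring Security): wraps the stock
 * OidcUserService and, when the provider omitted "scope" from the token
 * response, uses the scopes requested on the ClientRegistration to decide
 * whether to call the UserInfo Endpoint. The access token is not modified.
 */
public class RequestedScopesOidcUserService implements OAuth2UserService<OidcUserRequest, OidcUser> {

    // Scopes whose claims OIDC Core 5.4 delivers via the UserInfo Endpoint
    private static final Set<String> USER_INFO_SCOPES = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList("profile", "email", "address", "phone")));

    private final OidcUserService delegate = new OidcUserService();
    private final DefaultOAuth2UserService userInfoClient = new DefaultOAuth2UserService();

    @Override
    public OidcUser loadUser(OidcUserRequest userRequest) throws OAuth2AuthenticationException {
        OidcUser user = this.delegate.loadUser(userRequest);
        // Delegate already fetched UserInfo, or the fallback does not apply: keep its result
        if (user.getUserInfo() != null || !shouldFetchByRequestedScopes(userRequest)) {
            return user;
        }
        // DefaultOAuth2UserService performs the actual UserInfo request with the access token
        OAuth2User userInfoResponse = this.userInfoClient.loadUser(userRequest);
        OidcUserInfo userInfo = new OidcUserInfo(userInfoResponse.getAttributes());

        // OIDC Core 5.3.2: the UserInfo "sub" MUST match the ID Token "sub"
        if (!userRequest.getIdToken().getSubject().equals(userInfo.getSubject())) {
            OAuth2Error error = new OAuth2Error("invalid_user_info_response",
                    "The UserInfo 'sub' claim does not match the ID Token 'sub' claim", null);
            throw new OAuth2AuthenticationException(error, error.toString());
        }

        // Mirror the authorities OidcUserService would have produced
        Set<GrantedAuthority> authorities = new LinkedHashSet<>();
        authorities.add(new OidcUserAuthority(userRequest.getIdToken(), userInfo));
        for (String scope : userRequest.getAccessToken().getScopes()) {
            authorities.add(new SimpleGrantedAuthority("SCOPE_" + scope));
        }
        String nameAttribute = userRequest.getClientRegistration().getProviderDetails()
                .getUserInfoEndpoint().getUserNameAttributeName();
        return StringUtils.hasText(nameAttribute)
                ? new DefaultOidcUser(authorities, userRequest.getIdToken(), userInfo, nameAttribute)
                : new DefaultOidcUser(authorities, userRequest.getIdToken(), userInfo);
    }

    private boolean shouldFetchByRequestedScopes(OidcUserRequest userRequest) {
        ClientRegistration registration = userRequest.getClientRegistration();
        // Only act on the exact gap reported above: the token response carried no scopes
        if (!CollectionUtils.isEmpty(userRequest.getAccessToken().getScopes())) {
            return false;
        }
        // Same preconditions OidcUserService applies before calling the endpoint
        if (!StringUtils.hasLength(registration.getProviderDetails().getUserInfoEndpoint().getUri())) {
            return false;
        }
        if (!AuthorizationGrantType.AUTHORIZATION_CODE.equals(registration.getAuthorizationGrantType())) {
            return false;
        }
        return !Collections.disjoint(registration.getScopes(), USER_INFO_SCOPES);
    }
}
```

Wire it in with `http.oauth2Login(o -> o.userInfoEndpoint(u -> u.oidcUserService(new RequestedScopesOidcUserService())))`. The fallback fires only when the token response has no scopes; when the provider does return scopes, the stock OidcUserService decision stands, and because the access token keeps whatever scopes the server actually returned, nothing downstream sees scopes the client merely asked for.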

Comment From: jzheaux

Thanks for the report, @pgrosslicht. I believe this is a duplicate of https://github.com/spring-projects/spring-security/issues/12144. Have you already tried taking the related upgrade?

Comment From: pgrosslicht

Ah yes, this looks like a duplicate then, my bad. I did try searching but didn't seem to find it. If I understand correctly, the fix is available in 5.8.0? We'll try updating then, thanks!

Comment From: jzheaux

Awesome, please feel free to reach out if the update doesn't solve it.

It's also available in 5.6.10 and 5.7.6.