Describe the bug

If an IdP sends an ID token with the claim may_act, the Jackson ObjectMapper with SecurityJackson2Modules cannot serialize the ID token to JSON (related: https://github.com/spring-projects/spring-security/issues/9210). The may_act claim in the ID token has the type com.nimbusds.jose.shaded.json.JSONObject, for which there is no default mixin.

Tested with Spring-Security 5.7.5.

To Reproduce

These steps resemble a normal oauth2Login configuration where additionally the ID token is serialized to JSON.

1. Include a may_act claim in the ID token.
2. Decode the string token value to a Jwt using a JwtDecoder created by OidcIdTokenDecoderFactory.
3. Create an OidcIdToken from the Jwt.
4. Serialize the OidcIdToken to a JSON string using an ObjectMapper with the SecurityJackson2Modules.

Expected behavior

It is unclear what the expected behavior should be. I'm not sure what effect, if any, the may_act claim should have in Spring. However, the current behavior is to silently fail with a 500 Internal Server Error.

Note

This issue is very close to being identical to #9210; however, unlike the claims mentioned in that issue, there is no handling for the may_act claim in the OidcIdTokenDecoderFactory.

Comment From: fstorz

Hi @habelson,

Maybe the solution for you might be to switch to spring-security 5.8 or higher. A dependent library (com.nimbusds:nimbus-jose-jwt), which is responsible for parsing the token content, was updated. Internally they updated the JSON parser, which might lead to changed results.

Comment From: jgrandja

@habelson Thanks for getting in touch, but it feels like this is a question that would be better suited to Stack Overflow. We prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that other people can find it) or add a minimal sample that reproduces this issue if you feel this is a genuine bug.

The may_act claim in the ID token has the type com.nimbusds.jose.shaded.json.JSONObject for which there is no default mixin.

The may_act claim is a custom claim, so you will need to provide a custom Converter. You can supply OidcIdTokenDecoderFactory.setClaimTypeConverterFactory() with a custom factory that includes the custom Converter for the may_act claim in addition to the default Converters obtained via OidcIdTokenDecoderFactory.createDefaultClaimTypeConverters().
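The wiring described in the comment above, as an added example that is not part of the issue or of Spring Security itself: the class name MayActClaimConfig and the helper toPlainJava are this example's own, and it assumes that copying the parser's shaded JSONObject (a Map) into plain JDK collections is enough for the SecurityJackson2Modules ObjectMapper to serialize the claim.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.oauth2.client.oidc.authentication.OidcIdTokenDecoderFactory;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.core.converter.ClaimTypeConverter;
import org.springframework.security.oauth2.jwt.JwtDecoderFactory;

@Configuration
public class MayActClaimConfig {

    // Claim name from the issue; the decoder factory bean is picked up by oauth2Login.
    private static final String MAY_ACT = "may_act";

    @Bean
    public JwtDecoderFactory<ClientRegistration> idTokenDecoderFactory() {
        OidcIdTokenDecoderFactory factory = new OidcIdTokenDecoderFactory();
        factory.setClaimTypeConverterFactory(clientRegistration -> {
            // Start from the defaults so iss, aud, exp, iat, ... keep their standard converters.
            Map<String, Converter<Object, ?>> converters =
                    OidcIdTokenDecoderFactory.createDefaultClaimTypeConverters();
            // Add a converter for may_act that replaces the shaded JSONObject with JDK collections
            // (assumption: those types are serializable by the SecurityJackson2Modules mapper).
            converters.put(MAY_ACT, MayActClaimConfig::toPlainJava);
            return new ClaimTypeConverter(converters);
        });
        return factory;
    }

    // Recursively copy a parsed JSON structure into LinkedHashMap/ArrayList; scalars pass through.
    @SuppressWarnings("unchecked")
    static Object toPlainJava(Object value) {
        if (value instanceof Map) {
            Map<String, Object> copy = new LinkedHashMap<>();
            ((Map<String, Object>) value).forEach((k, v) -> copy.put(k, toPlainJava(v)));
            return copy;
        }
        if (value instanceof List) {
            List<Object> copy = new ArrayList<>();
            ((List<Object>) value).forEach(v -> copy.add(toPlainJava(v)));
            return copy;
        }
        return value;
    }
}
```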