Summary

While using spring-boot-starter-oauth2-client, I came across an error where, even though the openid scope has been specified, the application throws the following error.

[missing_user_info_uri] Missing required UserInfo Uri in UserInfoEndpoint for Client Registration: xxxx

Actual Behavior

The authorization request is failing.

Expected Behavior

It should not throw any error.

Configuration

I created this programmatically. Please check the following sample.

ClientRegistration notWorking = ClientRegistration
                .withRegistrationId("#######")
                .clientId("#########")
                .clientSecret("##############")
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                .scope(OidcScopes.OPENID)   // sets the scope set to {openid}
                .scope("Order")             // replaces the set above, leaving only {Order}
                .build();

It seems the second scope call is overriding the first one, i.e., openid with Order.

The reason for that thought was that the following 2 code snippets work fine.

1

ClientRegistration works = ClientRegistration
                .withRegistrationId("#######")
                .clientId("#########")
                .clientSecret("##############")
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                .scope(OidcScopes.OPENID, "Order")   // sets the scope set to {openid, Order}
                .scope("Order")                      // second call replaces the scope set again
                .build();

2

ClientRegistration works = ClientRegistration
                .withRegistrationId("#######")
                .clientId("#########")
                .clientSecret("##############")
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                .scope("Order")             // sets the scope set to {Order}
                .scope(OidcScopes.OPENID)   // replaces it with {openid}, so the OIDC flow is used
                .build();

Version

  • org.springframework.boot:spring-boot:3.1.0
  • org.springframework.security:spring-security-core:6.1.0
  • org.springframework.security:spring-security-oauth2-client:6.1.0
  • org.springframework.security:spring-security-oauth2-core:6.1.0

Comment From: jzheaux

Hi, @kcsurapaneni, thanks for reaching out. The scope method is not additive. Instead, it takes a list of scopes. You should do the following instead:

ClientRegistration working = ClientRegistration
                .withRegistrationId("#######")
                .clientId("#########")
                .clientSecret("##############")
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                .scope(OidcScopes.OPENID, "Order")   // one call carrying every requested scope
                .build();

It appears in your report that you already discovered this yourself, so nice job. The reason the method is designed that way is so that builder values can be overridden.
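As an added illustration (not code from this issue or from Spring Security itself), the class below builds a registration both ways discussed above and prints the resulting scope sets, so the replace-not-append behaviour of scope(...) can be seen directly. The registration id, client credentials and endpoint URIs are placeholders that exist only so that build() passes its authorization_code validation. It also includes a startup check that reports a registration that has lost the openid scope and has no userInfoUri: without openid the login is handled as a plain OAuth2 login, whose user service needs the user-info endpoint, which is the combination that surfaces as the missing_user_info_uri error reported at the top of this issue.

```java
import java.util.Set;

import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.core.oidc.OidcScopes;

// Added example: shows that ClientRegistration.Builder.scope(...) replaces the
// scope set on every call, and checks that "openid" survives before the
// registration is handed to the login flow.
public class ScopeBuilderCheck {

    // Placeholder values (constructed for this example, not real endpoints) so
    // that build() passes its validation: the authorization_code grant requires
    // redirectUri, authorizationUri and tokenUri.
    private static ClientRegistration.Builder base() {
        return ClientRegistration.withRegistrationId("example")
                .clientId("example-client-id")
                .clientSecret("example-client-secret")
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                .redirectUri("{baseUrl}/login/oauth2/code/{registrationId}")
                .authorizationUri("https://issuer.example/oauth2/authorize")
                .tokenUri("https://issuer.example/oauth2/token");
    }

    // True when the registration will be processed as an OpenID Connect login,
    // i.e. "openid" is present in the final scope set.
    static boolean isOidc(ClientRegistration registration) {
        return registration.getScopes().contains(OidcScopes.OPENID);
    }

    // True when a registration would fail at login with missing_user_info_uri:
    // it is not OIDC (no openid scope) and no user-info endpoint is configured.
    static boolean willFailUserInfoLookup(ClientRegistration registration) {
        String userInfoUri = registration.getProviderDetails().getUserInfoEndpoint().getUri();
        return !isOidc(registration) && (userInfoUri == null || userInfoUri.isBlank());
    }

    public static void main(String[] args) {
        // Two chained calls: the second call replaces the first set entirely.
        ClientRegistration chained = base()
                .scope(OidcScopes.OPENID)
                .scope("Order")
                .build();
        Set<String> chainedScopes = chained.getScopes();
        System.out.println("chained calls -> " + chainedScopes
                + ", treated as OIDC: " + isOidc(chained));

        // One call carrying both values: the set is exactly what was passed.
        ClientRegistration combined = base()
                .scope(OidcScopes.OPENID, "Order")
                .build();
        System.out.println("single call   -> " + combined.getScopes()
                + ", treated as OIDC: " + isOidc(combined));

        // Startup guard: flag any registration that has neither the openid
        // scope nor a userInfoUri, because the login flow cannot complete for it.
        for (ClientRegistration registration : new ClientRegistration[] {chained, combined}) {
            if (willFailUserInfoLookup(registration)) {
                System.out.println("WARNING: registration '" + registration.getRegistrationId()
                        + "' has no openid scope and no userInfoUri; login will fail");
            }
        }
    }
}
```

Running this prints a single-element set for the chained version and the two-element set for the single call, and the warning fires only for the chained registration. The willFailUserInfoLookup check is the kind of assertion worth placing in a startup test or a health check, since the failure otherwise only appears when a user attempts to log in.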

Comment From: kcsurapaneni

Hi, @jzheaux, thanks for clarifying. In that case, the snippet (1) scope should be overridden with only Order, but it seems that it is working in that case.