
Auth fail with external userInfos returned as JWT type #168

Open
Gaetanbrl opened this issue Jan 16, 2025 · 4 comments
@Gaetanbrl

Gaetanbrl commented Jan 16, 2025

According to #160,

I'm trying to understand and adapt the gateway to work properly with ProConnect users.

However, I get errors when the gateway tries to read the user information provided by ProConnect.

Here are some explicit logs:

2025-01-16 11:08:45.688 DEBUG 1 --- [or-http-epoll-3] o.s.s.w.s.a.AuthenticationWebFilter      : Authentication failed: [invalid_user_info_response] An error occurred reading the UserInfo response: [invalid_user_info_response] An error occurred while attempting to retrieve the UserInfo Resource from 'https://fca.integ01.dev-agentconnect.fr/api/v2/userinfo': response contains invalid content type 'application/jwt;charset=utf-8'. The UserInfo Response should return a JSON object (content type 'application/json') that contains a collection of name and value pairs of the claims about the authenticated End-User. Please ensure the UserInfo Uri in UserInfoEndpoint for Client Registration 'proconnect' conforms to the UserInfo Endpoint, as defined in OpenID Connect 1.0: 'https://openid.net/specs/openid-connect-core-1_0.html#UserInfo'
2025-01-16 11:08:45.688 DEBUG 1 --- [or-http-epoll-3] o.s.s.w.s.DefaultServerRedirectStrategy  : Redirecting to '/login?error'
2025-01-16 11:08:45.688 DEBUG 1 --- [or-http-epoll-3] o.s.w.s.adapter.HttpWebHandlerAdapter    : [8fc3052f-46] Completed 302 FOUND

Also, we can understand that:

  • ProConnect V2 returns the userinfo response with the application/jwt type
  • the OpenID specs accept the application/jwt response type (see specs)
  • the gateway expects application/json
  • the gateway does not seem to be compliant with the application/jwt type
  • the gateway just redirects to /login?error without any ERROR logs or explicit information at the INFO log level

I'm not sure if this issue is about a potential transition from FranceConnect V1 to V2 (@fvanderbiest @f-necas).

Here is a Spring issue about it:

Here's a potential solution:

@fvanderbiest
Member

We'll have a look with @f-necas when he comes back.
In the meantime, we welcome PRs :-)

@Gaetanbrl
Author

In the meantime, we welcome PRs :-)

That's the point. I need to understand the gateway before... not really easy :)

@f-necas f-necas self-assigned this Jan 20, 2025
@Gaetanbrl
Author

About my last comment,

I've found the error in the Spring code.

  • gateway code:

import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.security.oauth2.client.userinfo.DefaultReactiveOAuth2UserService;
import org.springframework.web.reactive.function.client.WebClient;

// Stock Spring Security user service wired with the gateway's own WebClient; it only accepts application/json userinfo responses
@Bean
public DefaultReactiveOAuth2UserService reactiveOAuth2UserService(
        @Qualifier("oauth2WebClient") WebClient oauth2WebClient) {
    DefaultReactiveOAuth2UserService service = new DefaultReactiveOAuth2UserService();
    service.setWebClient(oauth2WebClient);
    return service;
}

  • spring-security code:

https://github.com/spring-projects/spring-security/blob/3edb01c6dff16b2d3e03434976b0b0fa3baf4d86/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/userinfo/DefaultReactiveOAuth2UserService.java#L151-L154
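One way to handle the application/jwt userinfo response described in the opening post, and to replace the DefaultReactiveOAuth2UserService bean quoted in the comment above, as an added example that is not part of this issue nor of the gateway project's code. It assumes Spring Security 6 on Java 17+, that the 'proconnect' registration has jwk-set-uri and issuer-uri configured, that the oauth2WebClient qualifier is the one from the bean above, and that the userinfo JWT is RS256-signed (the decoder default; set .jwsAlgorithm(...) otherwise). The class and method names (JwtAwareUserInfoService, Wiring, oidcUserService) are hypothetical.

```java
import java.util.List;
import java.util.Map;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.ParameterizedTypeReference;
import org.springframework.http.MediaType;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcReactiveOAuth2UserService;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserRequest;
import org.springframework.security.oauth2.client.userinfo.ReactiveOAuth2UserService;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.oauth2.core.user.DefaultOAuth2User;
import org.springframework.security.oauth2.core.user.OAuth2User;
import org.springframework.security.oauth2.core.user.OAuth2UserAuthority;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder;
import org.springframework.web.reactive.function.client.WebClient;
import reactor.core.publisher.Mono;

/** Hypothetical replacement for the gateway's DefaultReactiveOAuth2UserService: accepts JSON or signed-JWT userinfo. */
public class JwtAwareUserInfoService implements ReactiveOAuth2UserService<OAuth2UserRequest, OAuth2User> {
    private static final MediaType APPLICATION_JWT = MediaType.valueOf("application/jwt");
    private static final ParameterizedTypeReference<Map<String, Object>> CLAIMS = new ParameterizedTypeReference<>() {};
    private final WebClient webClient;

    public JwtAwareUserInfoService(WebClient webClient) {
        this.webClient = webClient;
    }

    @Override
    public Mono<OAuth2User> loadUser(OAuth2UserRequest request) {
        ClientRegistration reg = request.getClientRegistration();
        String userInfoUri = reg.getProviderDetails().getUserInfoEndpoint().getUri();
        String nameAttribute = reg.getProviderDetails().getUserInfoEndpoint().getUserNameAttributeName();
        return webClient.get().uri(userInfoUri)
                .accept(MediaType.APPLICATION_JSON, APPLICATION_JWT)
                .headers(h -> h.setBearerAuth(request.getAccessToken().getTokenValue()))
                .exchangeToMono(response -> {
                    if (!response.statusCode().is2xxSuccessful()) {
                        return Mono.error(userInfoError("UserInfo endpoint answered " + response.statusCode()));
                    }
                    MediaType type = response.headers().contentType().orElse(MediaType.APPLICATION_OCTET_STREAM);
                    if (APPLICATION_JWT.isCompatibleWith(type)) {            // ProConnect V2: signed JWT body
                        return response.bodyToMono(String.class).flatMap(jwt -> verifyUserInfoJwt(jwt, reg, request));
                    }
                    if (MediaType.APPLICATION_JSON.isCompatibleWith(type)) { // plain OIDC: JSON object body
                        return response.bodyToMono(CLAIMS);
                    }
                    return Mono.error(userInfoError("unsupported UserInfo content type '" + type + "'"));
                })
                // Any other failure (transport, malformed body) also carries a reason instead of a bare /login?error
                .onErrorMap(e -> !(e instanceof OAuth2AuthenticationException), e -> userInfoError(e.getMessage()))
                .map(claims -> toUser(claims, nameAttribute));
    }

    /** Verify the signature against the provider JWKS, then issuer and sub, before trusting any claim in the JWT. */
    private Mono<Map<String, Object>> verifyUserInfoJwt(String token, ClientRegistration reg, OAuth2UserRequest request) {
        // Assumption: RS256 (decoder default); add .jwsAlgorithm(...) if ProConnect signs otherwise. A missing jwk-set-uri fails here.
        NimbusReactiveJwtDecoder decoder = NimbusReactiveJwtDecoder.withJwkSetUri(reg.getProviderDetails().getJwkSetUri()).build();
        String issuer = reg.getProviderDetails().getIssuerUri();
        decoder.setJwtValidator(issuer != null ? JwtValidators.createDefaultWithIssuer(issuer) : JwtValidators.createDefault());
        return decoder.decode(token)
                .onErrorMap(e -> userInfoError("UserInfo JWT rejected: " + e.getMessage()))
                .flatMap(jwt -> {
                    // OIDC Core 5.3.2: the UserInfo sub MUST equal the ID Token sub (token substitution defence)
                    if (request instanceof OidcUserRequest oidc && !oidc.getIdToken().getSubject().equals(jwt.getSubject())) {
                        return Mono.error(userInfoError("UserInfo sub does not match the ID Token sub"));
                    }
                    return Mono.just(jwt.getClaims());
                });
    }

    private static OAuth2User toUser(Map<String, Object> claims, String nameAttribute) {
        if (!claims.containsKey(nameAttribute)) {
            throw userInfoError("UserInfo response has no '" + nameAttribute + "' claim");
        }
        return new DefaultOAuth2User(List.of(new OAuth2UserAuthority(claims)), claims, nameAttribute);
    }

    /** Carries the real reason in the OAuth2Error so the failure can be logged instead of a bare redirect. */
    private static OAuth2AuthenticationException userInfoError(String description) {
        return new OAuth2AuthenticationException(new OAuth2Error("invalid_user_info_response", description, null));
    }

    @Configuration
    public static class Wiring {
        @Bean
        public ReactiveOAuth2UserService<OidcUserRequest, OidcUser> oidcUserService(
                @Qualifier("oauth2WebClient") WebClient oauth2WebClient) {
            OidcReactiveOAuth2UserService oidc = new OidcReactiveOAuth2UserService();
            oidc.setOauth2UserService(new JwtAwareUserInfoService(oauth2WebClient));
            return oidc;
        }
    }
}
```

The Wiring bean takes the place of the reactiveOAuth2UserService bean quoted above: oauth2Login() looks up a bean of type ReactiveOAuth2UserService<OidcUserRequest, OidcUser>, and OidcReactiveOAuth2UserService delegates the userinfo call to the JWT-aware service. The JWT branch never trusts a claim before the signature has been checked against the provider's JWKS and the sub compared with the ID token, which is what the OpenID spec requires of a signed userinfo response; the JSON branch is unchanged behaviour. Every rejection carries its reason in the OAuth2Error description, so the gateway's authentication failure handler has something to log at ERROR level instead of only redirecting to /login?error. For production use, build the NimbusReactiveJwtDecoder once per registration rather than per request, since each instance caches the fetched JWKS.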
