Description
Describe the bug
StdConverters do not support all available OAuth2 ClientAuthenticationMethods
https://github.com/spring-projects/spring-security/blob/main/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/StdConverters.java#L48-L65
For example, the ClientAuthenticationMethod.PRIVATE_KEY_JWT authentication method is missing from the mapping.
If private_key_jwt is used for client authentication and authorized clients are stored in Redis, then when the ClientRegistration is loaded and deserialized from JSON the clientAuthenticationMethod is not converted correctly and is later defaulted to an incorrect value.
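As an added example (not the project's own StdConverters code), a Jackson StdConverter that resolves the JSON "value" field against every ClientAuthenticationMethod constant, including PRIVATE_KEY_JWT, together with a round-trip check that would flag any constant the converter drops. The class and method names are hypothetical; it assumes Jackson 2 and the Spring Security OAuth2 core module on the classpath.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.node.ObjectNode;
import com.fasterxml.jackson.databind.util.StdConverter;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import java.util.List;

// Hypothetical illustration: value-based lookup over all known constants instead of a
// hand-maintained switch over a subset, so a method such as private_key_jwt survives
// deserialization rather than silently collapsing to a default.
public class ClientAuthenticationMethodRoundTrip {

    static final List<ClientAuthenticationMethod> KNOWN = List.of(
            ClientAuthenticationMethod.CLIENT_SECRET_BASIC,
            ClientAuthenticationMethod.CLIENT_SECRET_POST,
            ClientAuthenticationMethod.CLIENT_SECRET_JWT,
            ClientAuthenticationMethod.PRIVATE_KEY_JWT,
            ClientAuthenticationMethod.NONE);

    static final class AllMethodsConverter extends StdConverter<JsonNode, ClientAuthenticationMethod> {
        @Override
        public ClientAuthenticationMethod convert(JsonNode node) {
            JsonNode valueNode = node.get("value");
            if (valueNode == null || !valueNode.isTextual()) {
                throw new IllegalArgumentException("clientAuthenticationMethod JSON lacks a textual 'value'");
            }
            String value = valueNode.asText();
            for (ClientAuthenticationMethod method : KNOWN) {
                if (method.getValue().equals(value)) {
                    return method;
                }
            }
            // Preserve a value this build does not know about instead of dropping it.
            return new ClientAuthenticationMethod(value);
        }
    }

    // Regression check: every constant must come back unchanged from its JSON form.
    static boolean allMethodsRoundTrip() {
        ObjectMapper mapper = new ObjectMapper();
        AllMethodsConverter converter = new AllMethodsConverter();
        for (ClientAuthenticationMethod expected : KNOWN) {
            ObjectNode json = mapper.createObjectNode().put("value", expected.getValue());
            if (!expected.equals(converter.convert(json))) {
                return false;
            }
        }
        return true;
    }
}
```

Running the same loop against the module's existing converter is a quick way to confirm which constants are lost before and after a fix.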
Precondition
- Project using Spring Security configured to store session data in Redis
- Use the org.springframework.session:spring-session-data-redis library to achieve this
- Store OAuth2 authorized clients in the HTTP session instead of in memory
- Configure the OAuth2AuthorizedClientRepository to HttpSessionOAuth2AuthorizedClientRepository
To Reproduce
- Authenticate with a user
- The authorized client is stored in Redis together with the client registration details
- When the access token expires and the OAuth2AuthorizedClientManager tries to refresh the token, an incorrect authentication method is used
Expected behavior
During token refresh, the correct authentication method is used.
Sample
I decided not to include a sample this time because it would require setting up Redis, e.g. in Docker Compose, and also an authorization server for OAuth2 login.
The bug is quite obvious to me because there are ClientAuthenticationMethods missing from the converter.
I can create a sample if you deem it necessary.