Merge branch '5.8.x' into 6.0.x

jzheaux · jzheaux · commit 69b17f3d3f8c · 2023-05-24T15:29:39.000-06:00
Closes gh-13222
diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/DefaultAuthorizationCodeTokenResponseClient.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/DefaultAuthorizationCodeTokenResponseClient.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2023 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -80,7 +80,10 @@ public OAuth2AccessTokenResponse getTokenResponse(
 		// If AccessTokenResponse.scope is empty, then we assume all requested scopes were
 		// granted.
 		// However, we use the explicit scopes returned in the response (if any).
-		return response.getBody();
+		OAuth2AccessTokenResponse tokenResponse = response.getBody();
+		Assert.notNull(tokenResponse,
+				"The authorization server responded to this Authorization Code grant request with an empty body; as such, it cannot be materialized into an OAuth2AccessTokenResponse instance. Please check the HTTP response code in your server logs for more details.");
+		return tokenResponse;
 	}
 
 	private ResponseEntity<OAuth2AccessTokenResponse> getResponse(RequestEntity<?> request) {
diff --git a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/endpoint/DefaultAuthorizationCodeTokenResponseClientTests.java b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/endpoint/DefaultAuthorizationCodeTokenResponseClientTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2023 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -235,6 +235,15 @@ public void getTokenResponseWhenAuthenticationPrivateKeyJwtThenFormParametersAre
 		assertThat(formParameters).contains("client_assertion=");
 	}
 
+	// gh-13143
+	@Test
+	public void getTokenResponseWhenTokenEndpointReturnsEmptyBodyThenIllegalArgument() {
+		this.server.enqueue(new MockResponse().setResponseCode(302));
+		ClientRegistration clientRegistration = this.clientRegistration.build();
+		assertThatExceptionOfType(IllegalArgumentException.class).isThrownBy(
+				() -> this.tokenResponseClient.getTokenResponse(authorizationCodeGrantRequest(clientRegistration)));
+	}
+
 	private void configureJwtClientAuthenticationConverter(Function<ClientRegistration, JWK> jwkResolver) {
 		NimbusJwtClientAuthenticationParametersConverter<OAuth2AuthorizationCodeGrantRequest> jwtClientAuthenticationConverter = new NimbusJwtClientAuthenticationParametersConverter<>(
 				jwkResolver);
