Add support for nested property names in oauth2.providers.userNameAttribute

[leeavital]

Expected Behavior

I was trying to configure my app to use the pagerduty oauth2 provider, I was using the following configuration:

spring:
  security:
    oauth2:
      client:
        registration:
          pagerduty:
            provider: pagerduty
            clientId: <redacted>
            clientSecret: <redacted>
            authorizationGrantType: authorization_code
            redirectUri: "{baseUrl}/login/oauth2/code/{registrationId}"
            clientAuthenticationMethod: client_secret_post

        provider:
          pagerduty:
            authorizationUri: "https://identity.pagerduty.com/oauth/authorize"
            tokenUri: "https://identity.pagerduty.com/oauth/token"
            userInfoUri: "https://api.pagerduty.com/users/me"
            userNameAttribute:  user.email

The pagerduty /me api returns users with all the interesting properties nested under the user field, like so:

{
  "user": {
    "id": ...,
    "email": "fancy@pants.com",

I tried setting userNameAttribute: user.email expecting the name field to be extracted as the name property on the user object. But I get an error from DefaultOAuth2User: "Missing attribute 'user.email' in attributes.

Current Behavior

Ideally a user would successfully be extracted, and login would be successful.

Context

I wound up exposing a custom OAuth2UserService class, but it's 90% of a copy paste of DefaultOAuth2UserService, and this seems like something that another user info API might reasonably do.

[jzheaux]

Hi, @leeavital, thanks for the suggestion. I think this sounds reasonable.

I believe three steps are needed to make this work.

First, DefaultOAuth2User should have a new constructor and deprecate the existing one. The new one should look like this:

public DefaultOAuth2User(Map<String, Object> attributes, Collection<? extends GrantedAuthority> authorities, String name)

Second, Spring Security should update existing production code (not tests) to use the new constructor.

Third, DefaultOAuth2UserService should change to process the userNameAttribute as a simple SpEL expression like so:

SimpleEvaluationContext context = SimpleEvaluationContext
		.forPropertyAccessors(new MapAccessor())
		.withRootObject(userAttributes).build();
SpelExpressionParser parser = new SpelExpressionParser();
Expression expression = parser.parseExpression(userNameAttributeName);
String name = (String) expression.getValue(context);
return new DefaultOAuth2User(userAttributes, authorities, name);

Would you be interested in submitting a PR to make these changes? If not, I can make the changes instead and invite you to review the PR.

[spring-projects-issues]

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

[ahmd-nabil]

@jzheaux I think I can do that. is it ok if I work on it ?

[jzheaux]

Sounds good, @ahmd-nabil