
After successfully exchanging the token using token exchange, calling the userinfo endpoint reports invalid_token #1866


Closed
chenzhenjia opened this issue Dec 20, 2024 · 6 comments
Assignees
Labels
status: invalid An issue that we don't feel is valid

Comments

@chenzhenjia

Expected Behavior
The userinfo endpoint should return user information successfully after a token exchange, using the valid access token.

Current Behavior
When calling the userinfo endpoint after a successful token exchange, an invalid_token error is returned.

Context
This issue affects the ability to retrieve user information after a token exchange.

// Check in the userinfo endpoint that fails: the OAuth2Authorization resolved
// from the exchanged access token carries no OidcIdToken, so invalid_token is raised.
OAuth2Authorization.Token<OidcIdToken> idToken = authorization.getToken(OidcIdToken.class);
if (idToken == null) {
    throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_TOKEN);
}
@chenzhenjia chenzhenjia added the type: enhancement A general enhancement label Dec 20, 2024
@malvinpatrick

What token type are you using? Is it a REFERENCE token or a SELF_CONTAINED token? Because I have an issue with REFERENCE tokens when I need to call /userinfo: the AuthenticationProvider always uses JWTAuthenticationProvider to validate my access token, as #1865 mentioned.

@chenzhenjia
Author

What token type are you using? Is it a REFERENCE token or a SELF_CONTAINED token? Because I have an issue with REFERENCE tokens when I need to call /userinfo: the AuthenticationProvider always uses JWTAuthenticationProvider to validate my access token, as #1865 mentioned.

It has nothing to do with the REFERENCE token or the SELF_CONTAINED token. The token exchange does not save the idToken, which causes the userinfo to be unable to obtain the idToken and report an error.

@malvinpatrick

I think you have missed some configuration. Or you are mistaken about the user being logged in, or the client doesn't have the 'openid' scope, because an ID token is only generated when the user and the client have the openid scope.

@jgrandja
Collaborator

jgrandja commented Jan 6, 2025

@chenzhenjia Can you please provide more details on your use case? Why are you performing a token exchange using the access token provided by the OpenID authentication flow? Why can't you use the original access token to call the /userinfo endpoint?

@jgrandja jgrandja self-assigned this Jan 6, 2025
@jgrandja jgrandja added status: waiting-for-feedback We need additional information before we can continue and removed type: enhancement A general enhancement labels Jan 6, 2025
@chenzhenjia
Author

@jgrandja Because the scope is inconsistent, token exchange is required, but userinfo still needs to be called after exchanging the token.

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Jan 7, 2025
@jgrandja
Collaborator

jgrandja commented Jan 7, 2025

@chenzhenjia

Because the scope is inconsistent, token exchange is required, but userinfo still needs to be called after exchanging the token.

I don't quite understand your reason why you need to call the /userinfo endpoint with the new "exchanged" access token.

Either way, the original access token MUST be used when calling the /userinfo endpoint, since it's associated with the OAuth2Authorization that contains the OidcIdToken, and that is used when determining which claims to return in the UserInfo response.

The OAuth2Authorization associated with the new "exchanged" access token should not be used to call the /userinfo endpoint since it's not the original access token granted in the OIDC Authentication flow and therefore it will not contain the OidcIdToken.
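The following is an added example, not code from the issue or from Spring Authorization Server itself, that reproduces the situation the maintainer describes against the project's public API: one OAuth2Authorization created by the OIDC authorization_code flow holds both an access token and an OidcIdToken, while the OAuth2Authorization created for the exchanged access token holds only the new access token. The helper canServeUserInfo is hypothetical and mirrors the check quoted at the top of the issue; client ids, token values, claims and URLs are constructed sample values, and the code assumes a Spring Authorization Server version that defines AuthorizationGrantType.TOKEN_EXCHANGE (1.3 or later).

```java
import java.time.Instant;
import java.util.Map;
import java.util.Set;

import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.oidc.OidcIdToken;
import org.springframework.security.oauth2.core.oidc.OidcScopes;
import org.springframework.security.oauth2.server.authorization.InMemoryOAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;

public class UserInfoTokenCheck {

    // Constructed sample client: allowed to use both grants, with openid and an API scope.
    static RegisteredClient sampleClient() {
        return RegisteredClient.withId("client-1")
                .clientId("demo-client")
                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .authorizationGrantType(AuthorizationGrantType.TOKEN_EXCHANGE)
                .redirectUri("https://client.example/callback")
                .scope(OidcScopes.OPENID)
                .scope("api.read")
                .build();
    }

    // Hypothetical helper mirroring the userinfo check quoted in the issue:
    // resolve the authorization by access token and require an OidcIdToken on it.
    static boolean canServeUserInfo(OAuth2AuthorizationService service, String accessTokenValue) {
        OAuth2Authorization authorization =
                service.findByToken(accessTokenValue, OAuth2TokenType.ACCESS_TOKEN);
        if (authorization == null) {
            return false; // unknown token
        }
        OAuth2Authorization.Token<OidcIdToken> idToken = authorization.getToken(OidcIdToken.class);
        return idToken != null; // null here is what produces invalid_token on the page
    }

    public static void main(String[] args) {
        Instant now = Instant.now();
        Instant later = now.plusSeconds(300);
        RegisteredClient client = sampleClient();
        OAuth2AuthorizationService service = new InMemoryOAuth2AuthorizationService();

        // 1. Authorization produced by the OIDC authorization_code flow: access token + ID token.
        OAuth2AccessToken originalAccess = new OAuth2AccessToken(
                OAuth2AccessToken.TokenType.BEARER, "orig-access-token", now, later,
                Set.of(OidcScopes.OPENID));
        OidcIdToken idToken = new OidcIdToken("id-token", now, later,
                Map.of("sub", "alice", "iss", "https://issuer.example", "aud", "demo-client"));
        OAuth2Authorization original = OAuth2Authorization.withRegisteredClient(client)
                .principalName("alice")
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .authorizedScopes(Set.of(OidcScopes.OPENID))
                .token(originalAccess)
                .token(idToken)
                .build();
        service.save(original);

        // 2. Authorization produced by token exchange: a new access token with different scope, no ID token.
        OAuth2AccessToken exchangedAccess = new OAuth2AccessToken(
                OAuth2AccessToken.TokenType.BEARER, "exchanged-access-token", now, later,
                Set.of("api.read"));
        OAuth2Authorization exchanged = OAuth2Authorization.withRegisteredClient(client)
                .principalName("alice")
                .authorizationGrantType(AuthorizationGrantType.TOKEN_EXCHANGE)
                .authorizedScopes(Set.of("api.read"))
                .token(exchangedAccess)
                .build();
        service.save(exchanged);

        // Only the token issued by the OIDC flow resolves to an authorization that can serve userinfo.
        System.out.println("original token  -> userinfo allowed: "
                + canServeUserInfo(service, "orig-access-token"));      // true
        System.out.println("exchanged token -> userinfo allowed: "
                + canServeUserInfo(service, "exchanged-access-token")); // false
    }
}
```

Running this with the server's libraries on the classpath prints true for the original token and false for the exchanged one, which is exactly the split behind the invalid_token response in the issue. From an operational point of view, a burst of invalid_token responses from /userinfo is therefore a sign that clients are presenting exchanged or otherwise non-OIDC access tokens to that endpoint, not that the tokens themselves are forged or expired; the fix is on the client side, keeping the original OIDC access token for /userinfo and using the exchanged token only for the resource it was exchanged for.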

@jgrandja jgrandja closed this as completed Jan 7, 2025
@jgrandja jgrandja added status: invalid An issue that we don't feel is valid and removed status: feedback-provided Feedback has been provided labels Jan 7, 2025