From ddae9d2c9a7d4dd54d401c25082fe2bd75c8abc0 Mon Sep 17 00:00:00 2001
From: jloisel
Date: Thu, 6 Feb 2025 13:41:43 +0100
Subject: [PATCH] Bug #16340: check username attribute when calling user.getName()
---
 .../security/oauth2/core/user/DefaultOAuth2User.java | 6 +++---
 .../oauth2/core/user/DefaultOAuth2UserTests.java | 12 +++++++-----
 2 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/user/DefaultOAuth2User.java b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/user/DefaultOAuth2User.java
index 6c80d7b64a2..9277251cd86 100644
--- a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/user/DefaultOAuth2User.java
+++ b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/user/DefaultOAuth2User.java
@@ -69,8 +69,6 @@ public DefaultOAuth2User(Collection authorities, Map
 String nameAttributeKey) {
 Assert.notEmpty(attributes, "attributes cannot be empty");
 Assert.hasText(nameAttributeKey, "nameAttributeKey cannot be empty");
- Assert.notNull(attributes.get(nameAttributeKey),
- "Attribute value for '" + nameAttributeKey + "' cannot be null");
 this.authorities = (authorities != null) ? Collections.unmodifiableSet(new LinkedHashSet<>(this.sortAuthorities(authorities)))
@@ -81,7 +79,9 @@ public DefaultOAuth2User(Collection authorities, Map
 @Override
 public String getName() {
- return this.getAttribute(this.nameAttributeKey).toString();
+ final Object name = attributes.get(nameAttributeKey);
+ Assert.notNull(name, "Attribute value for '" + nameAttributeKey + "' cannot be null");
+ return name.toString();
 }
 @Override
diff --git a/oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/user/DefaultOAuth2UserTests.java b/oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/user/DefaultOAuth2UserTests.java
index a56c5bcf6a2..46b6b2e7b17 100644
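Review bot: With the null check moved out of the constructor, a `DefaultOAuth2User` whose `nameAttributeKey` is absent from `attributes` is now constructed successfully, and the failure surfaces only when something first calls `getName()`. For an authenticated principal that can be well after login, for example in audit logging or any other code that reads the principal name, so the new contract should be stated on the method with a Javadoc line such as `@throws IllegalArgumentException if the attribute named by nameAttributeKey is missing or null`. Any other member of this class that goes through `getName()` (not visible in these hunks) would presumably start throwing for such a user and is worth checking. The added lines also drop the `this.` qualifier that the removed line and `this.authorities` use; `Object name = this.attributes.get(this.nameAttributeKey);` would match the surrounding code. The constructor body continues outside the first hunk.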
--- a/oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/user/DefaultOAuth2UserTests.java
+++ b/oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/user/DefaultOAuth2UserTests.java
@@ -61,9 +61,10 @@ public void constructorWhenAttributesIsEmptyThenThrowIllegalArgumentException()
 }
 @Test
- public void constructorWhenAttributeValueIsNullThenThrowIllegalArgumentException() {
- assertThatIllegalArgumentException().isThrownBy(() -> new DefaultOAuth2User(AUTHORITIES,
- Collections.singletonMap(ATTRIBUTE_NAME_KEY, null), ATTRIBUTE_NAME_KEY));
+ public void getNameWhenAttributeValueIsNullThenThrowIllegalArgumentException() {
+ final DefaultOAuth2User user = new DefaultOAuth2User(AUTHORITIES,
+ Collections.singletonMap(ATTRIBUTE_NAME_KEY, null), ATTRIBUTE_NAME_KEY);
+ assertThatIllegalArgumentException().isThrownBy(user::getName);
 }
 @Test
@@ -72,9 +73,10 @@ public void constructorWhenNameAttributeKeyIsNullThenThrowIllegalArgumentExcepti
 }
 @Test
- public void constructorWhenNameAttributeKeyIsInvalidThenThrowIllegalArgumentException() {
+ public void getNameWhenNameAttributeKeyIsInvalidThenThrowIllegalArgumentException() {
+ final DefaultOAuth2User user = new DefaultOAuth2User(AUTHORITIES, ATTRIBUTES, "invalid");
 assertThatIllegalArgumentException()
- .isThrownBy(() -> new DefaultOAuth2User(AUTHORITIES, ATTRIBUTES, "invalid"));
+ .isThrownBy(user::getName);
 }
 @Test
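Review bot: Both rewritten tests assert only that `getName()` throws; nothing pins down what else the now-constructible user without a name attribute does. Since the constructor accepts a missing or null name attribute after this change, an extra assertion in the first test such as `assertThat(user.getAttributes()).containsKey(ATTRIBUTE_NAME_KEY);` (assuming AssertJ's `assertThat` is imported in this file) would document that the object is otherwise usable. The same gap applies to the second hunk's test with the `"invalid"` key.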