Expected Behavior
As mentioned in the OpenID documentation, the OpenID Provider Configuration should only provide application/json.
As a result, ClientRegistrations shouldn't call these endpoints with anything other than application/json in the Accept header.
Current Behavior
org.springframework.security.oauth2.client.registration.ClientRegistrations uses the default RestTemplate.
The default behaviour is to add any supported media type as a request header... then it adds application/json... as well as application/xml with XML prior to JSON.
It works perfectly with most OpenID implementations and deserializers.
But if the OpenID Provider can also answer with XML, deserialization can be tricky, and doesn't work out of the box.
Context
Talking with a third-party OpenID Provider, whose configuration may be wrong on the matter: the .well-known/openid-configuration path can answer in XML as well as JSON, depending on the Accept header.
Deserializing some XML lists is tricky, with different converter implementations.
Typical lists are "scopes_supported" :
which result in XML :
... converters tend to fail deserializing this list out of the box.
But it should be useless considering the specification doesn't allow XML.
I'm currently using spring-security-oauth2-client version 5.7.5.
Seems to work like a charm adding .accept(MediaType.APPLICATION_JSON) on requests, in org.springframework.security.oauth2.client.registration.ClientRegistrations.
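The change described in the issue, sketched as an added example (not code from the issue or from Spring Security): a hypothetical fetch helper pins the Accept header to JSON and rejects a reply whose Content-Type is not JSON, run against a constructed local stub provider that prints the Accept header it receives. It assumes spring-web and Jackson are on the classpath.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.InetSocketAddress;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import org.springframework.core.ParameterizedTypeReference;
import org.springframework.http.MediaType;
import org.springframework.http.RequestEntity;
import org.springframework.http.ResponseEntity;
import org.springframework.web.client.RestTemplate;

public class JsonOnlyDiscovery {
    static final ParameterizedTypeReference<Map<String, Object>> MAP =
            new ParameterizedTypeReference<Map<String, Object>>() {};

    // Hypothetical helper: advertise JSON only, and refuse a non-JSON reply.
    static Map<String, Object> fetch(RestTemplate rest, URI uri) {
        RequestEntity<Void> request = RequestEntity.get(uri)
                .accept(MediaType.APPLICATION_JSON)   // sends "Accept: application/json" only
                .build();
        ResponseEntity<Map<String, Object>> response = rest.exchange(request, MAP);
        MediaType type = response.getHeaders().getContentType();
        if (type == null || !MediaType.APPLICATION_JSON.isCompatibleWith(type)) {
            throw new IllegalStateException("Discovery document is not JSON: " + type);
        }
        return response.getBody();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stub provider: prints the Accept header it receives, always replies in JSON.
        HttpServer server = HttpServer.create(new InetSocketAddress("localhost", 0), 0);
        server.createContext("/.well-known/openid-configuration", exchange -> {
            System.out.println("Accept: " + exchange.getRequestHeaders().getFirst("Accept"));
            byte[] body = "{\"scopes_supported\":[\"openid\",\"profile\"]}".getBytes(StandardCharsets.UTF_8);
            exchange.getResponseHeaders().add("Content-Type", "application/json");
            exchange.sendResponseHeaders(200, body.length);
            exchange.getResponseBody().write(body);
            exchange.close();
        });
        server.start();
        URI uri = URI.create("http://localhost:" + server.getAddress().getPort()
                + "/.well-known/openid-configuration");
        RestTemplate rest = new RestTemplate();
        try {
            rest.exchange(RequestEntity.get(uri).build(), MAP);            // Accept derived from converters
            System.out.println(fetch(rest, uri).get("scopes_supported")); // Accept pinned to JSON
        } finally {
            server.stop(0);
        }
    }
}
```

The first printed Accept line lists every media type the registered message converters can read, so its contents depend on which converter libraries are on the classpath; the second is always application/json.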
The OIDC specification clearly documents the response as containing Content-Type: application/json. However, I don't see the specification document the Accept header of the request. To clarify, are you suggesting that the use of a Content-Type header in the response implies an Accept header in the request even though it isn't documented? Or are you seeing it documented elsewhere?