Support space-delimited oauth2 scope

[jgrandja]

There have been a few reported issues in Spring Security over the last couple of months related to scope being configured using space-delimited instead of comma-delimited.

For example, given this configuration:

spring:
  security:
    oauth2:
      client:
        registration:
          google:
            client-id: your-app-client-id
            client-secret: your-app-client-secret
            scope: openid, profile, email            

This would result in ClientRegistration.scopes.size() == 3.

However, given this configuration:

spring:
  security:
    oauth2:
      client:
        registration:
          google:
            client-id: your-app-client-id
            client-secret: your-app-client-secret
            scope: openid profile email            

This would result in ClientRegistration.scopes.size() == 1, where ClientRegistration.scopes.contains("openid profile email") == true.

For this case, oauth2Login() would not trigger the OpenID Connect flow and instead the standard OAuth 2.0 Authorization Code flow, which is the issue and has been reported as such.

Are we able to enhance the reading/parsing of scope to support space-delimited as well?

[wilkinsona]

As noted in table 24.2 in the reference documentation, we support comma-separated strings or, in YAML, a list for configuring a collection property. If we were to also support space-separate strings there would be no way to differentiate between a single string with spaces or multiple strings delimited by the spaces. If we know that the scope will never contain spaces we could apply special rules to that property but it would then no longer be consistent with the requirements for every other collection property. For these reasons I am not in favour of supporting space-delimited values.

Perhaps there's a usability improvement that can be made, either in Boot or in Spring Security, to identify that the scope is likely to be wrong and log a warning or throw an exception? Spring Security would seem to be the most logical place as then everyone would benefit, not just those using Boot.

[jgrandja]

If we were to also support space-separate strings there would be no way to differentiate between a single string with spaces or multiple strings delimited by the spaces

Agreed. This obviously is not an option

If we know that the scope will never contain spaces we could apply special rules

As per spec, Access Token Scope - space is not allowed so we can make this assumption when sanitizing. What I was thinking we can sanitize scope in OAuth2ClientPropertiesRegistrationAdapter

Perhaps there's a usability improvement that can be made, either in Boot or in Spring Security

As you suggested and I agree, it makes the most sense to validate scope in Spring Security. I can easily apply this check in ClientRegistration.Builder.scope(String... scope).

Closing in favour of spring-security#6256