diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/AuthorizedClient.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/AuthorizedClient.java
index 2c793584a9..c14723577b 100644
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/AuthorizedClient.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/AuthorizedClient.java
@@ -18,9 +18,6 @@ package org.springframework.security.oauth2.client.authentication;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.core.AccessToken;
import org.springframework.util.Assert;
-import org.springframework.util.CollectionUtils;
-
-import java.util.Set;
/**
* A representation of an OAuth 2.0 "Authorized Client".
@@ -63,14 +60,4 @@ public class AuthorizedClient {
public AccessToken getAccessToken() {
return this.accessToken;
}
-
- public final Set getAuthorizedScopes() {
- // As per spec, in section 5.1 Successful Access Token Response
- // https://tools.ietf.org/html/rfc6749#section-5.1
- // If AccessToken.scopes is empty, then default to the scopes
- // originally requested by the client in the Authorization Request
- return (CollectionUtils.isEmpty(this.getAccessToken().getScopes()) ?
- this.getClientRegistration().getScopes() :
- this.getAccessToken().getScopes());
- }
}
diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/NimbusAuthorizationCodeTokenExchanger.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/NimbusAuthorizationCodeTokenExchanger.java
index 480c00424e..8b90d2cc5f 100644
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/NimbusAuthorizationCodeTokenExchanger.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/NimbusAuthorizationCodeTokenExchanger.java
@@ -41,7 +41,6 @@ import org.springframework.util.CollectionUtils;
import java.io.IOException;
import java.net.URI;
-import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.Map;
@@ -122,10 +121,20 @@ public class NimbusAuthorizationCodeTokenExchanger implements AuthorizationGrant
accessTokenType = AccessToken.TokenType.BEARER;
}
long expiresIn = accessTokenResponse.getTokens().getAccessToken().getLifetime();
- Set scopes = Collections.emptySet();
- if (!CollectionUtils.isEmpty(accessTokenResponse.getTokens().getAccessToken().getScope())) {
- scopes = new LinkedHashSet<>(accessTokenResponse.getTokens().getAccessToken().getScope().toStringList());
+
+ // As per spec, in section 5.1 Successful Access Token Response
+ // https://tools.ietf.org/html/rfc6749#section-5.1
+ // If AccessTokenResponse.scope is empty, then default to the scope
+ // originally requested by the client in the Authorization Request
+ Set scopes;
+ if (CollectionUtils.isEmpty(accessTokenResponse.getTokens().getAccessToken().getScope())) {
+ scopes = new LinkedHashSet<>(
+ authorizationCodeAuthentication.getAuthorizationExchange().getAuthorizationRequest().getScopes());
+ } else {
+ scopes = new LinkedHashSet<>(
+ accessTokenResponse.getTokens().getAccessToken().getScope().toStringList());
}
+
Map additionalParameters = new LinkedHashMap<>(accessTokenResponse.getCustomParameters());
return TokenResponse.withToken(accessToken)
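Review bot: `Set scopes;` on the added line is a raw type, although both branches fill it with `String` values (`getScopes()` and `toStringList()`); declare it as `Set<String> scopes;` so the unchecked warning and the loss of element type at `TokenResponse` do not propagate to callers. The three-deep chain `accessTokenResponse.getTokens().getAccessToken()` is now evaluated three times in this block; hoisting it once, e.g. `com.nimbusds.oauth2.sdk.token.AccessToken responseToken = accessTokenResponse.getTokens().getAccessToken();` (or a `var`-free local of whatever type the Nimbus getter returns), would shorten the `if`/`else` and make the spec reference apply to one value. The fallback itself relies on RFC 6749 §5.1, where an omitted `scope` means "identical to what was requested"; it would help to extend the comment with `// A compliant server that granted a narrower scope MUST return it, so this fallback only over-estimates if the server is non-compliant`, since downstream code (the UserInfo scope check in OidcUserService) now treats these scopes as granted. The enclosing method starts and ends outside the hunk.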
diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/oidc/client/authentication/userinfo/OidcUserService.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/oidc/client/authentication/userinfo/OidcUserService.java
index 1a5a45d278..cf414771fb 100644
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/oidc/client/authentication/userinfo/OidcUserService.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/oidc/client/authentication/userinfo/OidcUserService.java
@@ -110,7 +110,7 @@ public class OidcUserService implements OAuth2UserService {
oidcAuthorizedClient.getClientRegistration().getAuthorizationGrantType())) {
// Return true if there is at least one match between the authorized scope(s) and UserInfo scope(s)
- return oidcAuthorizedClient.getAuthorizedScopes().stream().anyMatch(userInfoScopes::contains);
+ return oidcAuthorizedClient.getAccessToken().getScopes().stream().anyMatch(userInfoScopes::contains);
}
return false;
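Review bot: The changed line makes the UserInfo decision depend on `getAccessToken().getScopes()` having been populated with the requested scopes when the token response omitted them, a contract that now lives only in NimbusAuthorizationCodeTokenExchanger; an `AccessToken` built by any other `AuthorizationGrantTokenExchanger` with an empty scope set will make `anyMatch` return `false` and silently skip the UserInfo request. Consider stating that in the comment above the line, e.g. `// Relies on the token exchanger defaulting AccessToken.scopes to the requested scopes when the server omits them (RFC 6749 section 5.1)`, or guarding the empty-scope case explicitly so the omission is visible rather than a quiet `false`. The enclosing method begins before the hunk.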