Merge pull request #13865 from mhyeon-lee

* gh-13865:
  Add user-info-authentication-method

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/client/OAuth2ClientProperties.java

@@ -31,6 +31,7 @@ import org.springframework.util.StringUtils;
  * @author Madhura Bhave
  * @author Phillip Webb
  * @author Artsiom Yudovin
+ * @author MyeongHyeon Lee
  */
 @ConfigurationProperties(prefix = "spring.security.oauth2.client")
 public class OAuth2ClientProperties {
@@ -195,6 +196,11 @@ public class OAuth2ClientProperties {
 		 */
 		private String userInfoUri;
 
+		/**
+		 * User info authentication method for the provider.
+		 */
+		private String userInfoAuthenticationMethod;
+
 		/**
 		 * Name of the attribute that will be used to extract the username from the call
 		 * to 'userInfoUri'.
@@ -235,6 +241,14 @@ public class OAuth2ClientProperties {
 			this.userInfoUri = userInfoUri;
 		}
 
+		public String getUserInfoAuthenticationMethod() {
+			return this.userInfoAuthenticationMethod;
+		}
+
+		public void setUserInfoAuthenticationMethod(String userInfoAuthenticationMethod) {
+			this.userInfoAuthenticationMethod = userInfoAuthenticationMethod;
+		}
+
 		public String getUserNameAttribute() {
 			return this.userNameAttribute;
 		}

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/client/OAuth2ClientPropertiesRegistrationAdapter.java

@@ -28,6 +28,7 @@ import org.springframework.security.config.oauth2.client.CommonOAuth2Provider;
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
 import org.springframework.security.oauth2.client.registration.ClientRegistration.Builder;
 import org.springframework.security.oauth2.client.registration.ClientRegistrations;
+import org.springframework.security.oauth2.core.AuthenticationMethod;
 import org.springframework.security.oauth2.core.AuthorizationGrantType;
 import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
 import org.springframework.util.StringUtils;
@@ -39,6 +40,7 @@ import org.springframework.util.StringUtils;
  * @author Phillip Webb
  * @author Thiago Hirata
  * @author Madhura Bhave
+ * @author MyeongHyeon Lee
  * @since 2.1.0
  */
 public final class OAuth2ClientPropertiesRegistrationAdapter {
@@ -131,6 +133,8 @@ public final class OAuth2ClientPropertiesRegistrationAdapter {
 		map.from(provider::getAuthorizationUri).to(builder::authorizationUri);
 		map.from(provider::getTokenUri).to(builder::tokenUri);
 		map.from(provider::getUserInfoUri).to(builder::userInfoUri);
+		map.from(provider::getUserInfoAuthenticationMethod).as(AuthenticationMethod::new)
+				.to(builder::userInfoAuthenticationMethod);
 		map.from(provider::getJwkSetUri).to(builder::jwkSetUri);
 		map.from(provider::getUserNameAttribute).to(builder::userNameAttributeName);
 		return builder;

spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/client/OAuth2ClientPropertiesRegistrationAdapterTests.java

@@ -69,6 +69,7 @@ public class OAuth2ClientPropertiesRegistrationAdapterTests {
 		provider.setAuthorizationUri("http://example.com/auth");
 		provider.setTokenUri("http://example.com/token");
 		provider.setUserInfoUri("http://example.com/info");
+		provider.setUserInfoAuthenticationMethod("form");
 		provider.setUserNameAttribute("sub");
 		provider.setJwkSetUri("http://example.com/jwk");
 		Registration registration = new Registration();
@@ -91,6 +92,9 @@ public class OAuth2ClientPropertiesRegistrationAdapterTests {
 		assertThat(adaptedProvider.getTokenUri()).isEqualTo("http://example.com/token");
 		assertThat(adaptedProvider.getUserInfoEndpoint().getUri())
 				.isEqualTo("http://example.com/info");
+		assertThat(adaptedProvider.getUserInfoEndpoint().getAuthenticationMethod())
+				.isEqualTo(
+						org.springframework.security.oauth2.core.AuthenticationMethod.FORM);
 		assertThat(adaptedProvider.getUserInfoEndpoint().getUserNameAttributeName())
 				.isEqualTo("sub");
 		assertThat(adaptedProvider.getJwkSetUri()).isEqualTo("http://example.com/jwk");
@@ -167,6 +171,9 @@ public class OAuth2ClientPropertiesRegistrationAdapterTests {
 				.isEqualTo("https://www.googleapis.com/oauth2/v3/userinfo");
 		assertThat(adaptedProvider.getUserInfoEndpoint().getUserNameAttributeName())
 				.isEqualTo(IdTokenClaimNames.SUB);
+		assertThat(adaptedProvider.getUserInfoEndpoint().getAuthenticationMethod())
+				.isEqualTo(
+						org.springframework.security.oauth2.core.AuthenticationMethod.HEADER);
 		assertThat(adaptedProvider.getJwkSetUri())
 				.isEqualTo("https://www.googleapis.com/oauth2/v3/certs");
 		assertThat(adapted.getRegistrationId()).isEqualTo("registration");
@@ -210,6 +217,9 @@ public class OAuth2ClientPropertiesRegistrationAdapterTests {
 				.isEqualTo("https://www.googleapis.com/oauth2/v4/token");
 		assertThat(adaptedProvider.getUserInfoEndpoint().getUri())
 				.isEqualTo("https://www.googleapis.com/oauth2/v3/userinfo");
+		assertThat(adaptedProvider.getUserInfoEndpoint().getAuthenticationMethod())
+				.isEqualTo(
+						org.springframework.security.oauth2.core.AuthenticationMethod.HEADER);
 		assertThat(adaptedProvider.getJwkSetUri())
 				.isEqualTo("https://www.googleapis.com/oauth2/v3/certs");
 		assertThat(adapted.getRegistrationId()).isEqualTo("google");
@@ -334,6 +344,9 @@ public class OAuth2ClientPropertiesRegistrationAdapterTests {
 				.isEqualTo("https://example.com/oauth2/v3/certs");
 		assertThat(providerDetails.getUserInfoEndpoint().getUri())
 				.isEqualTo("https://example.com/oauth2/v3/userinfo");
+		assertThat(providerDetails.getUserInfoEndpoint().getAuthenticationMethod())
+				.isEqualTo(
+						org.springframework.security.oauth2.core.AuthenticationMethod.HEADER);
 	}
 
 	private String cleanIssuerPath(String issuer) {

spring-boot-project/spring-boot-docs/src/main/asciidoc/spring-boot-features.adoc

@@ -3252,6 +3252,7 @@ You can register multiple OAuth2 clients and providers under the
 	spring.security.oauth2.client.provider.my-oauth-provider.authorization-uri=http://my-auth-server/oauth/authorize
 	spring.security.oauth2.client.provider.my-oauth-provider.token-uri=http://my-auth-server/oauth/token
 	spring.security.oauth2.client.provider.my-oauth-provider.user-info-uri=http://my-auth-server/userinfo
+	spring.security.oauth2.client.provider.my-oauth-provider.user-info-authentication-method=header
 	spring.security.oauth2.client.provider.my-oauth-provider.jwk-set-uri=http://my-auth-server/token_keys
 	spring.security.oauth2.client.provider.my-oauth-provider.user-name-attribute=name
 ----