Allow injecting the principal name into DefaultOAuth2User

- Add username field to DefaultOAuth2User for direct name injection
- Add Builder pattern with DefaultOAuth2User.withUsername(String) static factory method
- Deprecate constructor that uses nameAttributeKey lookup in favor of Builder pattern
- Update Jackson mixins to support username field serialization/deserialization

This change prepares for SpEL support in the next commit.

Signed-off-by: yybmion <[email protected]>

Author: yybmion

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/DefaultOAuth2UserMixin.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2020 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -32,6 +32,7 @@
  * This mixin class is used to serialize/deserialize {@link DefaultOAuth2User}.
  *
  * @author Joe Grandja
+ * @author YooBin Yoon
  * @since 5.3
  * @see DefaultOAuth2User
  * @see OAuth2ClientJackson2Module
@@ -45,7 +46,7 @@ abstract class DefaultOAuth2UserMixin {
 	@JsonCreator
 	DefaultOAuth2UserMixin(@JsonProperty("authorities") Collection<? extends GrantedAuthority> authorities,
 			@JsonProperty("attributes") Map<String, Object> attributes,
-			@JsonProperty("nameAttributeKey") String nameAttributeKey) {
+			@JsonProperty("nameAttributeKey") String nameAttributeKey, @JsonProperty("username") String username) {
 	}
 
 }

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/DefaultOidcUserMixin.java

@@ -40,7 +40,7 @@
 @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
 @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE,
 		isGetterVisibility = JsonAutoDetect.Visibility.NONE)
-@JsonIgnoreProperties(value = { "attributes" }, ignoreUnknown = true)
+@JsonIgnoreProperties(value = { "attributes", "username" }, ignoreUnknown = true)
 abstract class DefaultOidcUserMixin {
 
 	@JsonCreator

oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/jackson2/OAuth2AuthenticationTokenMixinTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -194,7 +194,8 @@ private static String asJson(DefaultOAuth2User oauth2User) {
 				"      \"@class\": \"java.util.Collections$UnmodifiableMap\",\n" +
 				"      \"username\": \"user\"\n" +
 				"    },\n" +
-				"    \"nameAttributeKey\": \"username\"\n" +
+				"    \"nameAttributeKey\": \"username\",\n" +
+				"    \"username\": \"" + oauth2User.getName() + "\"\n" +
 				"  }";
 		// @formatter:on
 	}

oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/user/DefaultOAuth2User.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -45,6 +45,7 @@
  * @author Joe Grandja
  * @author Eddú Meléndez
  * @author Park Hyojong
+ * @author YooBin Yoon
  * @since 5.0
  * @see OAuth2User
  */
@@ -58,13 +59,17 @@ public class DefaultOAuth2User implements OAuth2User, Serializable {
 
 	private final String nameAttributeKey;
 
+	private final String username;
+
 	/**
 	 * Constructs a {@code DefaultOAuth2User} using the provided parameters.
 	 * @param authorities the authorities granted to the user
 	 * @param attributes the attributes about the user
 	 * @param nameAttributeKey the key used to access the user's "name" from
 	 * {@link #getAttributes()}
+	 * @deprecated Use {@link #withUsername(String)} builder pattern instead
 	 */
+	@Deprecated
 	public DefaultOAuth2User(Collection<? extends GrantedAuthority> authorities, Map<String, Object> attributes,
 			String nameAttributeKey) {
 		Assert.notEmpty(attributes, "attributes cannot be empty");
@@ -77,11 +82,80 @@ public DefaultOAuth2User(Collection<? extends GrantedAuthority> authorities, Map
 				: Collections.unmodifiableSet(new LinkedHashSet<>(AuthorityUtils.NO_AUTHORITIES));
 		this.attributes = Collections.unmodifiableMap(new LinkedHashMap<>(attributes));
 		this.nameAttributeKey = nameAttributeKey;
+		this.username = attributes.get(nameAttributeKey).toString();
+	}
+
+	/**
+	 * Constructs a {@code DefaultOAuth2User} using the provided parameters. This
+	 * constructor is used by Jackson for deserialization.
+	 * @param authorities the authorities granted to the user
+	 * @param attributes the attributes about the user
+	 * @param nameAttributeKey the key used to access the user's &quot;name&quot; from
+	 * {@link #getAttributes()} - preserved for backwards compatibility
+	 * @param username the user's name
+	 */
+	private DefaultOAuth2User(Collection<? extends GrantedAuthority> authorities, Map<String, Object> attributes,
+			String nameAttributeKey, String username) {
+		Assert.notEmpty(attributes, "attributes cannot be empty");
+
+		this.authorities = (authorities != null)
+				? Collections.unmodifiableSet(new LinkedHashSet<>(this.sortAuthorities(authorities)))
+				: Collections.unmodifiableSet(new LinkedHashSet<>(AuthorityUtils.NO_AUTHORITIES));
+		this.attributes = Collections.unmodifiableMap(new LinkedHashMap<>(attributes));
+		this.nameAttributeKey = nameAttributeKey;
+		this.username = (username != null) ? username : attributes.get(nameAttributeKey).toString();
+
+		Assert.hasText(this.username, "username cannot be empty");
+	}
+
+	/**
+	 * Creates a new {@code DefaultOAuth2User} builder with the username.
+	 * @param username the user's name
+	 * @return a new {@code Builder}
+	 * @since 6.5
+	 */
+	public static Builder withUsername(String username) {
+		return new Builder(username);
+	}
+
+	/**
+	 * A builder for {@link DefaultOAuth2User}.
+	 *
+	 * @since 6.5
+	 */
+	public static final class Builder {
+
+		private final String username;
+
+		private Collection<? extends GrantedAuthority> authorities;
+
+		private Map<String, Object> attributes;
+
+		private Builder(String username) {
+			Assert.hasText(username, "username cannot be empty");
+			this.username = username;
+		}
+
+		public Builder authorities(Collection<? extends GrantedAuthority> authorities) {
+			this.authorities = authorities;
+			return this;
+		}
+
+		public Builder attributes(Map<String, Object> attributes) {
+			this.attributes = attributes;
+			return this;
+		}
+
+		public DefaultOAuth2User build() {
+			Assert.notEmpty(this.attributes, "attributes cannot be empty");
+			return new DefaultOAuth2User(this.authorities, this.attributes, null, this.username);
+		}
+
 	}
 
 	@Override
 	public String getName() {
-		return this.getAttribute(this.nameAttributeKey).toString();
+		return this.username;
 	}
 
 	@Override

oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/user/DefaultOAuth2UserTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -17,6 +17,7 @@
 package org.springframework.security.oauth2.core.user;
 
 import java.util.Collections;
+import java.util.HashMap;
 import java.util.Map;
 import java.util.Set;
 
@@ -35,6 +36,7 @@
  * @author Vedran Pavic
  * @author Joe Grandja
  * @author Park Hyojong
+ * @author Yoobin Yoon
  */
 public class DefaultOAuth2UserTests {
 
@@ -109,4 +111,108 @@ public void constructorWhenCreatedThenIsSerializable() {
 		SerializationUtils.serialize(user);
 	}
 
+	@Test
+	public void withUsernameWhenValidParametersThenCreated() {
+		String directUsername = "directUser";
+		DefaultOAuth2User user = DefaultOAuth2User.withUsername(directUsername)
+			.authorities(AUTHORITIES)
+			.attributes(ATTRIBUTES)
+			.build();
+
+		assertThat(user.getName()).isEqualTo(directUsername);
+		assertThat(user.getAuthorities()).hasSize(1);
+		assertThat(user.getAuthorities().iterator().next()).isEqualTo(AUTHORITY);
+		assertThat(user.getAttributes()).containsOnlyKeys(ATTRIBUTE_NAME_KEY);
+		assertThat(user.getAttributes().get(ATTRIBUTE_NAME_KEY)).isEqualTo(USERNAME);
+	}
+
+	@Test
+	public void withUsernameWhenUsernameIsEmptyThenThrowIllegalArgumentException() {
+		assertThatIllegalArgumentException().isThrownBy(() -> DefaultOAuth2User.withUsername(""));
+	}
+
+	@Test
+	public void withUsernameWhenAttributesIsNullThenThrowIllegalArgumentException() {
+		assertThatIllegalArgumentException().isThrownBy(
+				() -> DefaultOAuth2User.withUsername("username").authorities(AUTHORITIES).attributes(null).build());
+	}
+
+	@Test
+	public void withUsernameWhenAttributesIsEmptyThenThrowIllegalArgumentException() {
+		assertThatIllegalArgumentException().isThrownBy(() -> DefaultOAuth2User.withUsername("username")
+			.authorities(AUTHORITIES)
+			.attributes(Collections.emptyMap())
+			.build());
+	}
+
+	@Test
+	public void withUsernameWhenCreatedThenIsSerializable() {
+		DefaultOAuth2User user = DefaultOAuth2User.withUsername("directUser")
+			.authorities(AUTHORITIES)
+			.attributes(ATTRIBUTES)
+			.build();
+		SerializationUtils.serialize(user);
+	}
+
+	@Test
+	public void withUsernameWhenUsernameProvidedThenTakesPrecedenceOverAttributes() {
+		Map<String, Object> attributes = new HashMap<>();
+		attributes.put("username", "fromAttributes");
+		attributes.put("id", "123");
+
+		DefaultOAuth2User user = DefaultOAuth2User.withUsername("directUsername")
+			.authorities(AUTHORITIES)
+			.attributes(attributes)
+			.build();
+
+		assertThat(user.getName()).isEqualTo("directUsername");
+		assertThat((String) user.getAttribute("username")).isEqualTo("fromAttributes");
+	}
+
+	@Test
+	public void constructorWhenSimpleAttributeKeyThenWorksAsUsual() {
+		DefaultOAuth2User user = new DefaultOAuth2User(AUTHORITIES, ATTRIBUTES, ATTRIBUTE_NAME_KEY);
+
+		assertThat(user.getName()).isEqualTo(USERNAME);
+		assertThat(user.getAttributes()).containsOnlyKeys(ATTRIBUTE_NAME_KEY);
+	}
+
+	@Test
+	public void withUsernameAndDeprecatedConstructorWhenSameDataThenEqual() {
+		DefaultOAuth2User user1 = new DefaultOAuth2User(AUTHORITIES, ATTRIBUTES, ATTRIBUTE_NAME_KEY);
+		DefaultOAuth2User user2 = DefaultOAuth2User.withUsername(USERNAME)
+			.authorities(AUTHORITIES)
+			.attributes(ATTRIBUTES)
+			.build();
+
+		assertThat(user1.getName()).isEqualTo(user2.getName());
+		assertThat(user1.getAuthorities()).isEqualTo(user2.getAuthorities());
+		assertThat(user1.getAttributes()).isEqualTo(user2.getAttributes());
+		assertThat(user1).isEqualTo(user2);
+	}
+
+	@Test
+	public void withUsernameWhenAuthoritiesIsNullThenCreatedWithEmptyAuthorities() {
+		DefaultOAuth2User user = DefaultOAuth2User.withUsername("testUser")
+			.authorities(null)
+			.attributes(ATTRIBUTES)
+			.build();
+
+		assertThat(user.getName()).isEqualTo("testUser");
+		assertThat(user.getAuthorities()).isEmpty();
+		assertThat(user.getAttributes()).isEqualTo(ATTRIBUTES);
+	}
+
+	@Test
+	public void withUsernameWhenAuthoritiesIsEmptyThenCreated() {
+		DefaultOAuth2User user = DefaultOAuth2User.withUsername("testUser")
+			.authorities(Collections.emptySet())
+			.attributes(ATTRIBUTES)
+			.build();
+
+		assertThat(user.getName()).isEqualTo("testUser");
+		assertThat(user.getAuthorities()).isEmpty();
+		assertThat(user.getAttributes()).isEqualTo(ATTRIBUTES);
+	}
+
 }