Remove deprecated constructor/method usage in OAuth2 user services

Replace deprecated constructor and method calls with new builder pattern
and updated APIs to eliminate deprecated code usage

- Update OidcUserRequestUtils to use non-deprecated APIs
- Extract OAuth2UsernameExpressionUtils for SpEL evaluation logic
- minor fixes for clarity

closes gh-16390

Signed-off-by: yybmion <[email protected]>

Author: yybmion

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/userinfo/OidcReactiveOAuth2UserService.java

@@ -191,23 +191,22 @@ public final void setRetrieveUserInfo(Predicate<OidcUserRequest> retrieveUserInf
 	 * 			var accessToken = userRequest.getAccessToken();
 	 * 			var grantedAuthorities = new HashSet&lt;GrantedAuthority&gt;();
 	 * 			// TODO: Map authorities from the access token
-	 * 			var userNameAttributeName = "preferred_username";
-	 * 			return Mono.just(new DefaultOidcUser(
-	 * 				grantedAuthorities,
-	 * 				userRequest.getIdToken(),
-	 * 				userInfo,
-	 * 				userNameAttributeName
-	 * 			));
+	 * 			var username = "preferred_username";
+	 *     		return Mono.just(DefaultOidcUser.withUsername(username)
+	 *         		.authorities(grantedAuthorities)
+	 *         		.idToken(userRequest.getIdToken())
+	 *         		.userInfo(userInfo)
+	 *         		.build());
 	 * 		};
 	 * 	}
 	 * </pre>
 	 * <p>
-	 * Note that you can access the {@code userNameAttributeName} via the
-	 * {@link ClientRegistration} as follows: <pre>
-	 * 	var userNameAttributeName = userRequest.getClientRegistration()
-	 * 		.getProviderDetails()
-	 * 		.getUserInfoEndpoint()
-	 * 		.getUserNameAttributeName();
+	 * Note that you can access the username expression via the {@link ClientRegistration}
+	 * as follows: <pre>
+	 *  var usernameExpression = userRequest.getClientRegistration()
+	 *  	.getProviderDetails()
+	 *   	.getUserInfoEndpoint()
+	 *   	.getUsernameExpression();
 	 * </pre>
 	 * <p>
 	 * By default, a {@link DefaultOidcUser} is created with authorities mapped as

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/userinfo/OidcUserRequestUtils.java

@@ -16,25 +16,31 @@
 
 package org.springframework.security.oauth2.client.oidc.userinfo;
 
+import java.util.HashMap;
 import java.util.LinkedHashSet;
+import java.util.Map;
 import java.util.Set;
 
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
+import org.springframework.security.oauth2.client.userinfo.OAuth2UsernameExpressionUtils;
 import org.springframework.security.oauth2.core.AuthorizationGrantType;
 import org.springframework.security.oauth2.core.OAuth2AccessToken;
+import org.springframework.security.oauth2.core.oidc.OidcIdToken;
 import org.springframework.security.oauth2.core.oidc.OidcUserInfo;
 import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser;
 import org.springframework.security.oauth2.core.oidc.user.OidcUser;
 import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;
+import org.springframework.util.Assert;
 import org.springframework.util.CollectionUtils;
 import org.springframework.util.StringUtils;
 
 /**
  * Utilities for working with the {@link OidcUserRequest}
  *
  * @author Rob Winch
+ * @author Yoobin Yoon
  * @since 5.1
  */
 final class OidcUserRequestUtils {
@@ -81,21 +87,40 @@ static OidcUser getUser(OidcUserSource userMetadata) {
 		OidcUserInfo userInfo = userMetadata.getUserInfo();
 		Set<GrantedAuthority> authorities = new LinkedHashSet<>();
 		ClientRegistration.ProviderDetails providerDetails = userRequest.getClientRegistration().getProviderDetails();
-		String userNameAttributeName = providerDetails.getUserInfoEndpoint().getUserNameAttributeName();
-		if (StringUtils.hasText(userNameAttributeName)) {
-			authorities.add(new OidcUserAuthority(userRequest.getIdToken(), userInfo, userNameAttributeName));
+		String usernameExpression = providerDetails.getUserInfoEndpoint().getUsernameExpression();
+
+		String username;
+		if (StringUtils.hasText(usernameExpression)) {
+			Map<String, Object> claims = collectClaims(userRequest.getIdToken(), userInfo);
+			username = OAuth2UsernameExpressionUtils.evaluateUsername(claims, usernameExpression);
 		}
 		else {
-			authorities.add(new OidcUserAuthority(userRequest.getIdToken(), userInfo));
+			username = userRequest.getIdToken().getSubject();
 		}
+
+		authorities
+			.add(OidcUserAuthority.withUsername(username).idToken(userRequest.getIdToken()).userInfo(userInfo).build());
+
 		OAuth2AccessToken token = userRequest.getAccessToken();
 		for (String scope : token.getScopes()) {
 			authorities.add(new SimpleGrantedAuthority("SCOPE_" + scope));
 		}
-		if (StringUtils.hasText(userNameAttributeName)) {
-			return new DefaultOidcUser(authorities, userRequest.getIdToken(), userInfo, userNameAttributeName);
+
+		return DefaultOidcUser.withUsername(username)
+			.authorities(authorities)
+			.idToken(userRequest.getIdToken())
+			.userInfo(userInfo)
+			.build();
+	}
+
+	private static Map<String, Object> collectClaims(OidcIdToken idToken, OidcUserInfo userInfo) {
+		Assert.notNull(idToken, "idToken cannot be null");
+		Map<String, Object> claims = new HashMap<>();
+		if (userInfo != null) {
+			claims.putAll(userInfo.getClaims());
 		}
-		return new DefaultOidcUser(authorities, userRequest.getIdToken(), userInfo);
+		claims.putAll(idToken.getClaims());
+		return claims;
 	}
 
 	private OidcUserRequestUtils() {

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/userinfo/OidcUserService.java

@@ -264,23 +264,22 @@ public final void setRetrieveUserInfo(Predicate<OidcUserRequest> retrieveUserInf
 	 * 			var accessToken = userRequest.getAccessToken();
 	 * 			var grantedAuthorities = new HashSet&lt;GrantedAuthority&gt;();
 	 * 			// TODO: Map authorities from the access token
-	 * 			var userNameAttributeName = "preferred_username";
-	 * 			return new DefaultOidcUser(
-	 * 				grantedAuthorities,
-	 * 				userRequest.getIdToken(),
-	 * 				userInfo,
-	 * 				userNameAttributeName
-	 * 			);
+	 * 			var username = "preferred_username";
+	 * 			return DefaultOidcUser.withUsername(username)
+	 *             .authorities(grantedAuthorities)
+	 *             .idToken(userRequest.getIdToken())
+	 *             .userInfo(userInfo)
+	 *             .build();
 	 * 		};
 	 * 	}
 	 * </pre>
 	 * <p>
-	 * Note that you can access the {@code userNameAttributeName} via the
-	 * {@link ClientRegistration} as follows: <pre>
-	 * 	var userNameAttributeName = userRequest.getClientRegistration()
-	 * 		.getProviderDetails()
-	 * 		.getUserInfoEndpoint()
-	 * 		.getUserNameAttributeName();
+	 * Note that you can access the username expression via the {@link ClientRegistration}
+	 * as follows: <pre>
+	 *  var usernameExpression = userRequest.getClientRegistration()
+	 *  	.getProviderDetails()
+	 *   	.getUserInfoEndpoint()
+	 *   	.getUsernameExpression();
 	 * </pre>
 	 * <p>
 	 * By default, a {@link DefaultOidcUser} is created with authorities mapped as

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/userinfo/DefaultOAuth2UserService.java

@@ -20,12 +20,8 @@
 import java.util.LinkedHashSet;
 import java.util.Map;
 
-import org.springframework.context.expression.MapAccessor;
 import org.springframework.core.ParameterizedTypeReference;
 import org.springframework.core.convert.converter.Converter;
-import org.springframework.expression.ExpressionParser;
-import org.springframework.expression.spel.standard.SpelExpressionParser;
-import org.springframework.expression.spel.support.SimpleEvaluationContext;
 import org.springframework.http.RequestEntity;
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.core.GrantedAuthority;
@@ -76,10 +72,6 @@ public class DefaultOAuth2UserService implements OAuth2UserService<OAuth2UserReq
 
 	private static final String INVALID_USER_INFO_RESPONSE_ERROR_CODE = "invalid_user_info_response";
 
-	private static final String INVALID_USERNAME_EXPRESSION_ERROR_CODE = "invalid_username_expression";
-
-	private static final ExpressionParser expressionParser = new SpelExpressionParser();
-
 	private static final ParameterizedTypeReference<Map<String, Object>> PARAMETERIZED_RESPONSE_TYPE = new ParameterizedTypeReference<>() {
 	};
 
@@ -104,15 +96,9 @@ public OAuth2User loadUser(OAuth2UserRequest userRequest) throws OAuth2Authentic
 		ResponseEntity<Map<String, Object>> response = getResponse(userRequest, request);
 		OAuth2AccessToken token = userRequest.getAccessToken();
 		Map<String, Object> attributes = this.attributesConverter.convert(userRequest).convert(response.getBody());
-
-		String evaluatedUsername = evaluateUsername(attributes, usernameExpression);
-
-		Collection<GrantedAuthority> authorities = getAuthorities(token, attributes, evaluatedUsername);
-
-		return DefaultOAuth2User.withUsername(evaluatedUsername)
-			.authorities(authorities)
-			.attributes(attributes)
-			.build();
+		String username = OAuth2UsernameExpressionUtils.evaluateUsername(attributes, usernameExpression);
+		Collection<GrantedAuthority> authorities = getAuthorities(token, attributes, username);
+		return DefaultOAuth2User.withUsername(username).authorities(authorities).attributes(attributes).build();
 	}
 
 	private String getUsernameExpression(OAuth2UserRequest userRequest) {
@@ -138,30 +124,6 @@ private String getUsernameExpression(OAuth2UserRequest userRequest) {
 		return usernameExpression;
 	}
 
-	private String evaluateUsername(Map<String, Object> attributes, String usernameExpression) {
-		Object value = null;
-
-		try {
-			SimpleEvaluationContext context = SimpleEvaluationContext.forPropertyAccessors(new MapAccessor())
-				.withRootObject(attributes)
-				.build();
-			value = expressionParser.parseExpression(usernameExpression).getValue(context);
-		}
-		catch (Exception ex) {
-			OAuth2Error oauth2Error = new OAuth2Error(INVALID_USERNAME_EXPRESSION_ERROR_CODE,
-					"Invalid username expression or SPEL expression: " + usernameExpression, null);
-			throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString(), ex);
-		}
-
-		if (value == null) {
-			OAuth2Error oauth2Error = new OAuth2Error(INVALID_USER_INFO_RESPONSE_ERROR_CODE,
-					"An error occurred while attempting to retrieve the UserInfo Resource: username cannot be null",
-					null);
-			throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
-		}
-		return value.toString();
-	}
-
 	/**
 	 * Use this strategy to adapt user attributes into a format understood by Spring
 	 * Security; by default, the original attributes are preserved.

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/userinfo/DefaultReactiveOAuth2UserService.java

@@ -130,13 +130,15 @@ public Mono<OAuth2User> loadUser(OAuth2UserRequest userRequest) throws OAuth2Aut
 					.bodyToMono(DefaultReactiveOAuth2UserService.STRING_OBJECT_MAP)
 					.mapNotNull((attributes) -> this.attributesConverter.convert(userRequest).convert(attributes));
 			return userAttributes.map((attrs) -> {
-				GrantedAuthority authority = new OAuth2UserAuthority(attrs, userNameAttributeName);
-				Set<GrantedAuthority> authorities = new HashSet<>();
-				authorities.add(authority);
-				OAuth2AccessToken token = userRequest.getAccessToken();
-				for (String scope : token.getScopes()) {
-					authorities.add(new SimpleGrantedAuthority("SCOPE_" + scope));
-				}
+					String username = OAuth2UsernameExpressionUtils.evaluateUsername(attrs, usernameExpression);
+					Set<GrantedAuthority> authorities = new HashSet<>();
+					authorities.add(OAuth2UserAuthority.withUsername(username)
+						.attributes(attrs)
+						.build());
+					OAuth2AccessToken token = userRequest.getAccessToken();
+					for (String scope : token.getScopes()) {
+						authorities.add(new SimpleGrantedAuthority("SCOPE_" + scope));
+					}
 
 				return new DefaultOAuth2User(authorities, attrs, userNameAttributeName);
 			})
@@ -168,6 +170,21 @@ public Mono<OAuth2User> loadUser(OAuth2UserRequest userRequest) throws OAuth2Aut
 		// @formatter:on
 	}
 
+	private String getUsernameExpression(OAuth2UserRequest userRequest) {
+		String usernameExpression = userRequest.getClientRegistration()
+			.getProviderDetails()
+			.getUserInfoEndpoint()
+			.getUsernameExpression();
+		if (!StringUtils.hasText(usernameExpression)) {
+			OAuth2Error oauth2Error = new OAuth2Error(MISSING_USER_NAME_ATTRIBUTE_ERROR_CODE,
+					"Missing required \"user name\" attribute name in UserInfoEndpoint for Client Registration: "
+							+ userRequest.getClientRegistration().getRegistrationId(),
+					null);
+			throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
+		}
+		return usernameExpression;
+	}
+
 	private WebClient.RequestHeadersSpec<?> getRequestHeaderSpec(OAuth2UserRequest userRequest, String userInfoUri,
 			AuthenticationMethod authenticationMethod) {
 		if (AuthenticationMethod.FORM.equals(authenticationMethod)) {

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/userinfo/OAuth2UsernameExpressionUtils.java

@@ -0,0 +1,84 @@
+/*
+ * Copyright 2002-2025 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.oauth2.client.userinfo;
+
+import java.util.Map;
+
+import org.springframework.context.expression.MapAccessor;
+import org.springframework.expression.ExpressionParser;
+import org.springframework.expression.spel.standard.SpelExpressionParser;
+import org.springframework.expression.spel.support.SimpleEvaluationContext;
+import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
+import org.springframework.security.oauth2.core.OAuth2Error;
+
+/**
+ * Utility class for evaluating username expressions in OAuth2 user information.
+ *
+ * @author Yoobin Yoon
+ * @since 7.0
+ */
+public final class OAuth2UsernameExpressionUtils {
+
+	private static final String INVALID_USERNAME_EXPRESSION_ERROR_CODE = "invalid_username_expression";
+
+	private static final String INVALID_USER_INFO_RESPONSE_ERROR_CODE = "invalid_user_info_response";
+
+	private static final ExpressionParser expressionParser = new SpelExpressionParser();
+
+	/**
+	 * Evaluates a SpEL expression to extract the username from user attributes.
+	 *
+	 * <p>
+	 * Examples:
+	 * <ul>
+	 * <li>Simple attribute: {@code "username"} or {@code "['username']"}</li>
+	 * <li>Nested attribute: {@code "data.username"}</li>
+	 * <li>Complex expression: {@code "user_info?.name ?: 'anonymous'"}</li>
+	 * </ul>
+	 * @param attributes the user attributes (used as SpEL root object)
+	 * @param usernameExpression the SpEL expression to evaluate
+	 * @return the evaluated username (never null)
+	 * @throws OAuth2AuthenticationException if expression is invalid or evaluates to null
+	 */
+	public static String evaluateUsername(Map<String, Object> attributes, String usernameExpression) {
+		Object value = null;
+
+		try {
+			SimpleEvaluationContext context = SimpleEvaluationContext.forPropertyAccessors(new MapAccessor())
+				.withRootObject(attributes)
+				.build();
+			value = expressionParser.parseExpression(usernameExpression).getValue(context);
+		}
+		catch (Exception ex) {
+			OAuth2Error oauth2Error = new OAuth2Error(INVALID_USERNAME_EXPRESSION_ERROR_CODE,
+					"Invalid username expression or SPEL expression: " + usernameExpression, null);
+			throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString(), ex);
+		}
+
+		if (value == null) {
+			OAuth2Error oauth2Error = new OAuth2Error(INVALID_USER_INFO_RESPONSE_ERROR_CODE,
+					"An error occurred while attempting to retrieve the UserInfo Resource: username cannot be null",
+					null);
+			throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
+		}
+		return value.toString();
+	}
+
+	private OAuth2UsernameExpressionUtils() {
+	}
+
+}

oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/oidc/userinfo/OidcReactiveOAuth2UserServiceTests.java

@@ -316,36 +316,6 @@ public void loadUserWhenTokenDoesNotContainScopesThenNoScopeAuthorities() {
 		assertThat(userAuthority.getUserNameAttributeName()).isEqualTo("id");
 	}
 
-	@Test
-	public void loadUserWhenCustomOidcUserConverterSetThenUsed() {
-		ClientRegistration clientRegistration = TestClientRegistrations.clientRegistration()
-			.userInfoUri("https://example.com/user")
-			.userInfoAuthenticationMethod(AuthenticationMethod.HEADER)
-			.userNameAttributeName(StandardClaimNames.SUB)
-			.build();
-		this.accessToken = TestOAuth2AccessTokens.scopes(clientRegistration.getScopes().toArray(new String[0]));
-		Converter<OidcUserSource, Mono<OidcUser>> oidcUserConverter = mock(Converter.class);
-		String nameAttributeKey = IdTokenClaimNames.SUB;
-		OidcUser actualUser = new DefaultOidcUser(AuthorityUtils.createAuthorityList("a", "b"), this.idToken,
-				nameAttributeKey);
-		OAuth2User oauth2User = new DefaultOAuth2User(actualUser.getAuthorities(), actualUser.getClaims(),
-				nameAttributeKey);
-		ReactiveOAuth2UserService<OAuth2UserRequest, OAuth2User> oauth2 = mock(ReactiveOAuth2UserService.class);
-		given(oauth2.loadUser(any())).willReturn(Mono.just(oauth2User));
-		given(oidcUserConverter.convert(any())).willReturn(Mono.just(actualUser));
-		this.userService.setOauth2UserService(oauth2);
-		this.userService.setOidcUserConverter(oidcUserConverter);
-		OidcUserRequest userRequest = new OidcUserRequest(clientRegistration, this.accessToken, this.idToken);
-		OidcUser user = this.userService.loadUser(userRequest).block();
-		assertThat(user).isEqualTo(actualUser);
-		ArgumentCaptor<OidcUserSource> metadataCptr = ArgumentCaptor.forClass(OidcUserSource.class);
-		verify(oidcUserConverter).convert(metadataCptr.capture());
-		OidcUserSource metadata = metadataCptr.getValue();
-		assertThat(metadata.getUserRequest()).isEqualTo(userRequest);
-		assertThat(metadata.getOauth2User()).isEqualTo(oauth2User);
-		assertThat(metadata.getUserInfo()).isNotNull();
-	}
-
 	@Test
 	public void loadUserWhenNestedUserInfoSuccessThenReturnUser() throws IOException {
 		// @formatter:off