Skip to content

Oidc(ReactiveOAuth2)UserService uses userNameAttributeName when user info endpoint not invoked #17627

New issue
New issue
Open
Open
Oidc(ReactiveOAuth2)UserService uses userNameAttributeName when user info endpoint not invoked#17627
Labels
in: oauth2An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)type: bugA general bug
@rwinch

Description

@rwinch
rwinch
opened on Jul 25, 2025

The property UserInfoEndpoint.userNameAttributeName is used to resolve the username from the even when the user info endpoint is not invoked (imperative / reactive).

The attribute should either:

  1. Only be used when the user info endpoint is invoked (when not invoked it would always use IdTokenClaimNames.SUB). This would be a breaking change or
  2. Be relocated to a place that is not specific to the user info endpoint. In this case, we could address this at the same time as the deprecation in Add SpEL support for nested username extraction in OAuth2 user info #16857

Note that this decision blocks gh-16857 since the usernameExpression might need moved off of the UserInfoEndpoint.

cc @jgrandja

Metadata

Metadata

Assignees

No one assigned

    Labels

    in: oauth2An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)type: bugA general bug

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions