OidcAuthorizationCodeAuthenticationProvider adds FactorGrantedAuthority#19141
Open
louis-jaris wants to merge 1 commit intospring-projects:mainfrom
Open
OidcAuthorizationCodeAuthenticationProvider adds FactorGrantedAuthority#19141louis-jaris wants to merge 1 commit intospring-projects:mainfrom
louis-jaris wants to merge 1 commit intospring-projects:mainfrom
Conversation
Mirror what OAuth2LoginAuthenticationProvider already does on a successful authentication: append a FACTOR_AUTHORIZATION_CODE FactorGrantedAuthority to the resulting authentication's authorities. Without this, OIDC logins were missing the factor authority that JwtGenerator.getAuthenticationTime relies on to derive the OIDC `auth_time` claim, breaking id_token issuance for the authorization_code grant when a SessionInformation is registered (the assertion fails with "authenticationTime cannot be null").
spring-projects-issues
added
the
status: waiting-for-triage
mradul17
approved these changes
May 1, 2026
louis-jaris
commented
May 1, 2026
| Authentication authentication = this.securityContextRepository | ||
| .loadContext(new HttpRequestResponseHolder(this.request, this.response)) | ||
| .getAuthentication(); | ||
| assertThat(authentication.getAuthorities()).hasSize(1); |
Author
There was a problem hiding this comment.
My Claude removed this line, but I guess we can also transform the 1 into 2 ? I don't know what is the standard you want guys
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Mirror what OAuth2LoginAuthenticationProvider already does on a successful authentication: append a FACTOR_AUTHORIZATION_CODE FactorGrantedAuthority to the resulting authentication's authorities.
Without this, OIDC logins were missing the factor authority that JwtGenerator.getAuthenticationTime relies on to derive the OIDC
auth_timeclaim, breaking id_token issuance for the authorization_code grant when a SessionInformation is registered (the assertion fails with "authenticationTime cannot be null").NOTE: this code changes have been generated by my Claude Code... Just letting you know....
Fixes #19140