Error while extracting response for type [org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse]

[yoav-klein]

Describe the bug
When trying to use Spring Security to enable Google authentication, without Spring Boot, as described in https://docs.spring.io/spring-security/reference/servlet/oauth2/login/core.html , I keep getting the error:

[invalid_token_response] An error occurred while attempting to retrieve the OAuth 2.0 Access Token Response: Error while extracting response for type [org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse] and content type [application/json;charset=utf-8]

As far as I managed to debug this, it seems that the user agent is redirected from the authorization server back to the application with the authorization code, the client app exchanges the authorization code with an access token and ID token, but it seems that it can't translate the JSON object to a OAuth2AccessTokenResponse from a reason I couldn't discover.

Digging down the rabbit whole, I managed to see the actual response received from the token endpoint:

{
  "access_token": "ya29..xxxxx-ObUjFSl6cErFz6oUmuXw86Aki9kb5bVBKv1zysS2_KPF9q-xxxx",
  "expires_in": 3599,
  "scope": "https://www.googleapis.com/auth/userinfo.email openid https://www.googleapis.com/auth/userinfo.profile",
  "token_type": "Bearer",
  "id_token": "eyJhbGciOiJSUzI1NixxxxY2UzNTk4YzQ3M2FmMWJkYTRiZmY5NWU2Yzg3MzY0NTAyMDZmYmEiLCJ0eXAiOiJKV1QifQ.eyJpc3MiOixxxxx1d0kdTSGk-RKUn84YDfs0t8JBdl1rZu0kVZmGOc_LRoeWQxSWuVlWoO1_9AoMUU-eJTxxxxGxyOXuQkHA"
}

To Reproduce

@Configuration
@EnableWebSecurity(debug=true)
public class SpringConfig {

    Logger logger = Logger.getLogger("MyLogger");

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http)  throws Exception {
        http
        .authorizeHttpRequests(authorize -> authorize
            .anyRequest().authenticated()
        )
        .oauth2Login(Customizer.withDefaults());
        return http.build();
    }
   @Bean
	public ClientRegistrationRepository clientRegistrationRepository() {
		return new InMemoryClientRegistrationRepository(this.googleClientRegistration());
	}
   private ClientRegistration googleClientRegistration() {
		return CommonOAuth2Provider.GOOGLE.getBuilder("google")
			.clientId("xxx")
			.clientSecret("xxx")
			.build();
	}

Expected behavior
I expect that google authentication will work just fine.

Sample

A link to a GitHub repository with a minimal, reproducible sample.

Reports that include a sample will take priority over reports that do not.
At times, we may require a sample, so it is good to try and include a sample up front.

[kse-music]

You need add jackson or Gson dependency

implementation group: 'com.fasterxml.jackson.core', name: 'jackson-databind', version: '2.18.2'

[yoav-klein]

Wow, could be nice to document this, or at least have some informative exception message thrown

[jzheaux]

I think that's fair, @yoav-klein. I've updated this ticket so the documentation gets updated.

I think it would be nice if OAuth2 Core and OAuth2 Client non-Boot documentation indicated the Jackson requirement.