Fix broken OAUTH2.0 authorization_code flow.

When configuring an Oauth2.0 provider that returns opaque access tokens, the UAA throws an error trying to parse it as it assumes it is a JWT id_token

Easy to reproduce by adding Github as an OAuth provider in uaa.yml

login:
  oauth:
    providers:
      github:
        type: oauth2.0
        authUrl:     https://github.com/login/oauth/authorize
        tokenUrl:     https://github.com/login/oauth/access_token
        userInfoUrl:     https://api.github.com/user
        issuer: https://github.com
        relyingPartyId: <your-github-app-client-id>
        relyingPartySecret: <your-github-app-client-secret>
        performRpInitiatedLogout: false
        scopes:
          - openid
        linkText: Login with Github
        showLinkText: true
        attributeMappings:
          user_name: login
        clientAuthInBody: true
        externalGroupsWhitelist:
          - "*"

Author: fhanik

server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManager.java

@@ -116,6 +116,7 @@
 import static java.util.Collections.singletonMap;
 import static java.util.Objects.isNull;
 import static java.util.stream.Collectors.toSet;
+import static org.cloudfoundry.identity.uaa.constants.OriginKeys.OAUTH20;
 import static org.cloudfoundry.identity.uaa.oauth.token.ClaimConstants.SUB;
 import static org.cloudfoundry.identity.uaa.oauth.token.CompositeToken.ID_TOKEN;
 import static org.cloudfoundry.identity.uaa.oauth.token.TokenConstants.GRANT_TYPE_AUTHORIZATION_CODE;
@@ -609,9 +610,14 @@ protected <T extends AbstractExternalOAuthIdentityProviderDefinition<T>> Map<Str
             ExternalOAuthCodeToken codeToken,
             final IdentityProvider<T> identityProvider
     ) {
-        String idToken = getTokenFromCode(codeToken, identityProvider);
-        codeToken.setIdToken(idToken);
-        return getClaimsFromToken(idToken, identityProvider);
+        String tokenFieldName = getTokenFieldName(identityProvider.getConfig());
+        String token = getTokenFromCode(codeToken, identityProvider);
+        if ("access_token".equals(tokenFieldName) && token != null && OAUTH20.equals(identityProvider.getType())) {
+            codeToken.setAccessToken(token);
+        } else {
+            codeToken.setIdToken(token);
+        }
+        return getClaimsFromToken(token, identityProvider);
     }
 
     protected <T extends AbstractExternalOAuthIdentityProviderDefinition<T>> Map<String, Object> getClaimsFromToken(

server/src/test/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManagerTest.java

@@ -30,6 +30,7 @@
 import org.cloudfoundry.identity.uaa.provider.IdentityProvider;
 import org.cloudfoundry.identity.uaa.provider.IdentityProviderProvisioning;
 import org.cloudfoundry.identity.uaa.provider.OIDCIdentityProviderDefinition;
+import org.cloudfoundry.identity.uaa.provider.RawExternalOAuthIdentityProviderDefinition;
 import org.cloudfoundry.identity.uaa.scim.ScimGroupExternalMember;
 import org.cloudfoundry.identity.uaa.scim.jdbc.JdbcScimGroupExternalMembershipManager;
 import org.cloudfoundry.identity.uaa.user.UaaUser;
@@ -40,6 +41,7 @@
 import org.cloudfoundry.identity.uaa.util.UaaTokenUtils;
 import org.cloudfoundry.identity.uaa.zone.IdentityZone;
 import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
+import org.cloudfoundry.identity.uaa.zone.beans.IdentityZoneManager;
 import org.cloudfoundry.identity.uaa.zone.beans.IdentityZoneManagerImpl;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
@@ -83,6 +85,7 @@
 import static org.assertj.core.api.Assertions.assertThatNoException;
 import static org.assertj.core.api.Assertions.assertThatThrownBy;
 import static org.assertj.core.api.Assertions.fail;
+import static org.cloudfoundry.identity.uaa.constants.OriginKeys.OAUTH20;
 import static org.cloudfoundry.identity.uaa.oauth.token.ClaimConstants.AUD;
 import static org.cloudfoundry.identity.uaa.oauth.token.ClaimConstants.EMAIL;
 import static org.cloudfoundry.identity.uaa.oauth.token.ClaimConstants.EXPIRY_IN_SECONDS;
@@ -1083,6 +1086,49 @@ void oidcPasswordGrantWithPrompts() throws MalformedURLException, JOSEException
         assertThat(headers).doesNotContainKey("X-Forwarded-For");
     }
 
+    @Test
+    void oauth20AuthorizationFlowWithUserInfo() throws Exception {
+
+        final ExternalOAuthCodeToken codeToken = new ExternalOAuthCodeToken("thecode", "some-origin", "http://google.com", null, null, "signedrequest");
+        final RestTemplate restTemplate = mock(RestTemplate.class);
+        final ResponseEntity<Map<String, Object>> responseEntity = mock(ResponseEntity.class);
+        when(responseEntity.getStatusCode()).thenReturn(HttpStatus.OK);
+        when(responseEntity.getBody()).thenReturn(Collections.emptyMap());
+        when(restTemplate.exchange(any(URI.class), eq(HttpMethod.GET), any(HttpEntity.class), any(ParameterizedTypeReference.class))).thenReturn(responseEntity);
+        authManager = new ExternalOAuthAuthenticationManager(
+                identityProviderProvisioning,
+                mock(IdentityZoneManager.class),
+                restTemplate,
+                restTemplate,
+                tokenEndpointBuilder,
+                new KeyInfoService("http://uaa.example.com"),
+                null
+        ) {
+            @Override
+            protected <T extends AbstractExternalOAuthIdentityProviderDefinition<T>> String getTokenFromCode(
+                    ExternalOAuthCodeToken codeToken,
+                    IdentityProvider<T> config
+            ) {
+                return "opaque-access-token";
+            }
+
+            @Override
+            public RestTemplate getRestTemplate(AbstractExternalOAuthIdentityProviderDefinition config) {
+                return restTemplate;
+            }
+        };
+        final RawExternalOAuthIdentityProviderDefinition config = new RawExternalOAuthIdentityProviderDefinition();
+        config.setResponseType("code");
+        config.setUserInfoUrl(URI.create("https://some.metadata.url/userinfo").toURL());
+        final IdentityProvider<AbstractExternalOAuthIdentityProviderDefinition> idp = new IdentityProvider<>();
+        idp.setType(OAUTH20);
+        idp.setConfig(config);
+        authManager.getClaimsFromToken(codeToken, idp);
+        assertThat(codeToken.getIdToken()).isNull();
+        assertThat(codeToken.getAccessToken()).isEqualTo("opaque-access-token");
+
+    }
+
     private static void assertAuthorizationHeaderIsSetAndStartsWithBasic(final HttpHeaders headers) {
         assertThat(headers).containsKey("Authorization");
         final List<String> authorizationHeaders = headers.get("Authorization");