Fix broken OAUTH2.0 authorization_code flow.

[fhanik]

When configuring an Oauth2.0 provider that returns opaque access tokens, the UAA throws an error trying to parse it as it assumes it is a JWT id_token

Easy to reproduce by adding Github as an OAuth provider in uaa.yml

login:
  oauth:
    providers:
      github:
        type: oauth2.0
        authUrl:     https://github.com/login/oauth/authorize
        tokenUrl:     https://github.com/login/oauth/access_token
        userInfoUrl:     https://api.github.com/user
        issuer: https://github.com
        relyingPartyId: <your-github-app-client-id>
        relyingPartySecret: <your-github-app-client-secret>
        performRpInitiatedLogout: false
        scopes:
          - openid
        linkText: Login with Github
        showLinkText: true
        attributeMappings:
          user_name: login
        clientAuthInBody: true
        externalGroupsWhitelist:
          - "*"

[Copilot]

Pull Request Overview

This PR fixes the OAuth 2.0 authorization code flow by preventing the UAA from incorrectly parsing opaque access tokens as JWT ID tokens. The fix allows OAuth 2.0 providers like GitHub that return opaque access tokens to work properly with the UAA.

• Modified token handling logic to differentiate between OAuth 2.0 access tokens and OIDC ID tokens
• Added test coverage to verify OAuth 2.0 authorization flow with opaque access tokens works correctly

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File	Description
ExternalOAuthAuthenticationManager.java	Added conditional logic to properly handle OAuth 2.0 access tokens vs OIDC ID tokens
ExternalOAuthAuthenticationManagerTest.java	Added test case to verify OAuth 2.0 flow with opaque access tokens

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[Copilot]

The hardcoded string 'access_token' should be extracted to a constant to improve maintainability and reduce the risk of typos.

[strehle]

I wonder about because github use case it not what I tested that much but there were some changes and improvements in past, e.g. https://github.com/cloudfoundry/uaa/commits/7e671a0ea1ba4c74b096dcfd33685edadbf82dce/docs/github-oauth2-provider.md so that I was thinking we have all, e.g. tests for this are in
https://github.com/cloudfoundry/uaa/blob/develop/server/src/test/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationManagerGithubTest.java

[fhanik]

@strehle @adrianhoelzl-sap It appears that we no longer have an actual Github OAuth2.0 test, so I added one to make it clear.

You can take commit 4ab33f7 against develop and see it failing.