Consider making UserInfo request opt-in instead of default in Spring Security 7 #16843

Open
@sjohnr

Description

Expected Behavior

A UserInfo request isn't performed by default in OpenID Connect login (oauth2Login() with openid and any of profile, email, address and phone scopes). A user should still be able to opt-in to calling the UserInfo endpoint to obtain additional claims for the OAuth2AuthenticationToken.

Current Behavior

A UserInfo request is performed whenever the ClientRegistration.providerDetails.userInfoEndpoint.uri (user-info-uri in Spring Boot properties) property is set, and any of profile, email, address or phone scopes are requested with openid.

Context

It is currently possible to disable the UserInfo request by either setting the user-info-uri property to blank, or calling OidcUserService#setShouldRetrieveUserInfo() with a Predicate<OidcUserRequest>. However, requesting UserInfo may not be required in most cases. It would be nice to default to not calling the UserInfo endpoint in Spring Security 7, which would reduce the number of requests made during login.

Related gh-16340
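The opt-in behaviour the issue describes can already be approximated with the existing predicate hook. The configuration below is an added example, not code from the issue or from Spring Security itself; it uses the `setShouldRetrieveUserInfo(Predicate<OidcUserRequest>)` setter exactly as the issue names it, and the set of "required" claims is a constructed assumption for illustration. The predicate only triggers a UserInfo request when the ID Token is missing a claim the application actually needs, so the common case costs no extra round trip to the provider.

```java
import java.util.Set;
import java.util.function.Predicate;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService;
import org.springframework.security.oauth2.core.oidc.StandardClaimNames;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class OidcLoginConfig {

    // Claims this application needs on the OidcUser (constructed for the example).
    private static final Set<String> REQUIRED_CLAIMS =
            Set.of(StandardClaimNames.EMAIL, StandardClaimNames.NAME);

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authorize -> authorize.anyRequest().authenticated())
            .oauth2Login(oauth2 -> oauth2
                .userInfoEndpoint(userInfo -> userInfo.oidcUserService(oidcUserService())));
        return http.build();
    }

    @Bean
    OidcUserService oidcUserService() {
        OidcUserService userService = new OidcUserService();
        // Setter name as stated in the issue text; replaces the default
        // "call UserInfo whenever profile/email/address/phone is granted" rule.
        userService.setShouldRetrieveUserInfo(userInfoNeeded());
        return userService;
    }

    // Returns true only when the ID Token does not already carry every required claim.
    static Predicate<OidcUserRequest> userInfoNeeded() {
        return userRequest -> {
            Set<String> idTokenClaims = userRequest.getIdToken().getClaims().keySet();
            return !idTokenClaims.containsAll(REQUIRED_CLAIMS);
        };
    }
}
```

When the predicate returns false, `OidcUserService` builds the `OidcUser` from the ID Token claims alone, which is the default the issue proposes for Spring Security 7.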

Metadata

Assignees

No one assigned

Labels

- in: oauth2 (An issue in OAuth2 modules: oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)
- type: breaks-passivity (A change that breaks passivity with the previous release)
- type: enhancement (A general enhancement)