Serialization of TokenRequest with ClientSecretPost Client Authentication Method fails
Problem: As the following test case shows, the serialization of a TokenRequest containing a ClientSecretPost Client Authentication Method into an HTTPRequest does not work as expected:
    @Test
    public void shouldSupportTokenRequestClientSecretPostSerialization() throws Exception {
        AuthorizationCode code = new AuthorizationCode();
        URI endpointUri = new URI("https://token.endpoint.uri/token");
        URI redirectUri = new URI("https://arbitrary.redirect.uri/");
        ClientID clientId = new ClientID("client");
        Secret secret = new Secret("secret");
        ClientSecretPost clientAuthentication = new ClientSecretPost(clientId,secret);
        AuthorizationGrant grant = new AuthorizationCodeGrant(code,redirectUri);
        TokenRequest request = new TokenRequest(endpointUri,clientAuthentication,grant);
        HTTPRequest httpRequest = request.toHTTPRequest();
        TokenRequest reconstructedRequest = TokenRequest.parse(httpRequest);
        // -> throws ParseException: Missing required "client_id" parameter
    }
Problem lies within these lines of TokenRequest.toHTTPRequest():
    if (getClientAuthentication() != null)
        getClientAuthentication().applyTo(httpRequest);
    Map<String,String> params = authzGrant.toParameters();
    if (scope != null && ! scope.isEmpty()) {
        params.put("scope", scope.toString());
    }
    if (clientID != null) {
        params.put("client_id", clientID.getValue());
    }
    httpRequest.setQuery(URLUtils.serializeParameters(params));
The client_id and client_secret parameters are placed (by getClientAuthentication().applyTo(httpRequest)) in the query member of HTTPRequest. This query member is later on overwritten by httpRequest.setQuery(URLUtils.serializeParameters(params)).
Possible fix: params should include the already set parameters or applyTo(httpRequest) must be called after setQuery(URLUtils.serializeParameters(params)) to make sure query parameters are not overwritten by setQuery().
Tested Version: 4.4.1
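The ordering problem described in the report, reduced to a stand-alone model (an added example, not code from the SDK or from the reporter). `Request`, `applyClientSecretPost` and `GRANT` are hypothetical stand-ins, and the model assumes the credential step merges its parameters into whatever query is already set.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.stream.Collectors;

// Stand-in model of the reported behaviour; none of these types are SDK classes.
public class QueryOverwriteDemo {
    // Models HTTPRequest: one "query" string that setQuery() replaces wholesale.
    static class Request {
        String query = "";
        void setQuery(String q) { query = q; }
        Map<String, String> params() {
            Map<String, String> out = new LinkedHashMap<>();
            for (String pair : query.split("&")) {
                if (pair.isEmpty()) continue;
                String[] kv = pair.split("=", 2);
                out.put(dec(kv[0]), kv.length > 1 ? dec(kv[1]) : "");
            }
            return out;
        }
    }
    static String dec(String s) { return URLDecoder.decode(s, StandardCharsets.UTF_8); }
    static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }
    static String serialize(Map<String, String> p) {
        return p.entrySet().stream().map(e -> enc(e.getKey()) + "=" + enc(e.getValue()))
                .collect(Collectors.joining("&"));
    }
    // Assumption: the client_secret_post step merges into the query already present.
    static void applyClientSecretPost(Request r, String id, String secret) {
        Map<String, String> p = r.params();
        p.put("client_id", id);
        p.put("client_secret", secret);
        r.setQuery(serialize(p));
    }
    // Constructed sample grant parameters.
    static final Map<String, String> GRANT = Map.of("grant_type", "authorization_code", "code", "sample-code");
    public static void main(String[] args) {
        Request reported = new Request();                  // order described in the report
        applyClientSecretPost(reported, "client", "secret");
        reported.setQuery(serialize(GRANT));               // credentials are overwritten here
        Request reordered = new Request();                 // order proposed as a fix
        reordered.setQuery(serialize(GRANT));
        applyClientSecretPost(reordered, "client", "secret");
        System.out.println("reported:  " + reported.params().keySet());
        System.out.println("reordered: " + reordered.params().keySet());
    }
}
```

Only the reordered request still carries `client_id` and `client_secret` next to the grant parameters; the key order within each printed set is not fixed because `GRANT` is built with `Map.of`.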
Comments (6)
- changed status to open
- Added contributed test in commit e3c49b0, problem verified.
- Fixed in commit f0186b0.
- The fix was released as version 4.4.2 and pushed to Maven Central.
  Thank you for contributing!
- changed status to resolved
Thank you for reporting this and the fix suggestion.