Serialization of TokenRequest with ClientSecretPost Client Authentication Method fails

Issue #104 resolved
Former user created an issue

Problem: As the following test case shows, the serialization of a TokenRequest containing a ClientSecretPost Client Authentication Method into a HTTPRequest does not work as expected:

    import java.net.URI;

    import org.junit.Test;

    import com.nimbusds.oauth2.sdk.AuthorizationCode;
    import com.nimbusds.oauth2.sdk.AuthorizationCodeGrant;
    import com.nimbusds.oauth2.sdk.AuthorizationGrant;
    import com.nimbusds.oauth2.sdk.TokenRequest;
    import com.nimbusds.oauth2.sdk.auth.ClientSecretPost;
    import com.nimbusds.oauth2.sdk.auth.Secret;
    import com.nimbusds.oauth2.sdk.http.HTTPRequest;
    import com.nimbusds.oauth2.sdk.id.ClientID;

    @Test
    public void shouldSupportTokenRequestClientSecretPostSerialization() throws Exception {
        AuthorizationCode code = new AuthorizationCode();
        URI endpointUri = new URI("https://token.endpoint.uri/token");
        URI redirectUri = new URI("https://arbitrary.redirect.uri/");
        ClientID clientId = new ClientID("client");
        Secret secret = new Secret("secret");
        // client_secret_post: client_id / client_secret go into the request body
        ClientSecretPost clientAuthentication = new ClientSecretPost(clientId, secret);
        AuthorizationGrant grant = new AuthorizationCodeGrant(code, redirectUri);
        TokenRequest request = new TokenRequest(endpointUri, clientAuthentication, grant);

        // Serialize, then parse the result back: the round trip should succeed
        HTTPRequest httpRequest = request.toHTTPRequest();
        TokenRequest reconstructedRequest = TokenRequest.parse(httpRequest);
        // -> throws ParseException: Missing required "client_id" parameter
    }

The problem lies within these lines of TokenRequest.toHTTPRequest():

        // ClientSecretPost.applyTo() writes client_id and client_secret into the query
        if (getClientAuthentication() != null)
            getClientAuthentication().applyTo(httpRequest);

        Map<String,String> params = authzGrant.toParameters();

        if (scope != null && ! scope.isEmpty()) {
            params.put("scope", scope.toString());
        }

        // clientID is null for a client_secret_post request (the ClientID lives in the auth object)
        if (clientID != null) {
            params.put("client_id", clientID.getValue());
        }

        // Replaces the whole query, discarding what applyTo() wrote above
        httpRequest.setQuery(URLUtils.serializeParameters(params));

The client_id and client_secret parameters are placed (by getClientAuthentication().applyTo(httpRequest)) in the query member of HTTPRequest. This query member is later on overwritten by httpRequest.setQuery(URLUtils.serializeParameters(params)).

Possible fix: params should include the already set parameters or applyTo(httpRequest) must be called after setQuery(URLUtils.serializeParameters(params)) to make sure query parameters are not overwritten by setQuery().

Tested Version: 4.4.1
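The ordering defect described in this issue, reduced to a self-contained model so it can be compiled and run without the SDK. This is an added example, not the Nimbus SDK's code: `Request`, `applyClientSecretPost`, `serialize`, `parse`, `buggyOrder` and `fixedOrder` are constructed stand-ins that mirror only the relevant behaviour (a single mutable query string written by the client authentication and then replaced by `setQuery`). `fixedOrder` implements the first of the two fixes the report suggests, merging the parameters already present in the query into `params` before `setQuery` is called.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

// Constructed model of the TokenRequest.toHTTPRequest() serialization path.
// Not the Nimbus SDK's code: all types and helpers here are simplified stand-ins.
public class TokenRequestOrderingDemo {

    /** Stand-in for HTTPRequest: just one mutable query string. */
    static final class Request {
        private String query = "";
        void setQuery(String q) { this.query = q; }
        String getQuery() { return query; }
    }

    /** Stand-in for ClientSecretPost.applyTo(): writes client_id/client_secret into the query. */
    static void applyClientSecretPost(Request req, String clientId, String secret) {
        Map<String, String> p = new LinkedHashMap<>();
        p.put("client_id", clientId);
        p.put("client_secret", secret);
        req.setQuery(serialize(p));
    }

    /** application/x-www-form-urlencoded serialization of a parameter map. */
    static String serialize(Map<String, String> params) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (sb.length() > 0) sb.append('&');
            sb.append(URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8))
              .append('=')
              .append(URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
        }
        return sb.toString();
    }

    /** Inverse of serialize(): parse a query string back into an ordered map. */
    static Map<String, String> parse(String query) {
        Map<String, String> out = new LinkedHashMap<>();
        if (query == null || query.isEmpty()) return out;
        for (String pair : query.split("&")) {
            int i = pair.indexOf('=');
            String k = i < 0 ? pair : pair.substring(0, i);
            String v = i < 0 ? "" : pair.substring(i + 1);
            out.put(URLDecoder.decode(k, StandardCharsets.UTF_8),
                    URLDecoder.decode(v, StandardCharsets.UTF_8));
        }
        return out;
    }

    /** Order reported in the issue: applyTo() first, then setQuery() replaces the whole query. */
    static Request buggyOrder(Map<String, String> grantParams) {
        Request req = new Request();
        applyClientSecretPost(req, "client", "secret");
        req.setQuery(serialize(grantParams)); // clobbers client_id and client_secret
        return req;
    }

    /** Suggested fix: merge the parameters applyTo() already wrote into params before setQuery(). */
    static Request fixedOrder(Map<String, String> grantParams) {
        Request req = new Request();
        applyClientSecretPost(req, "client", "secret");
        Map<String, String> params = new LinkedHashMap<>(parse(req.getQuery()));
        params.putAll(grantParams);
        req.setQuery(serialize(params));
        return req;
    }

    public static void main(String[] args) {
        // Constructed authorization_code grant parameters, as AuthorizationCodeGrant.toParameters() would produce
        Map<String, String> grant = new LinkedHashMap<>();
        grant.put("grant_type", "authorization_code");
        grant.put("code", "constructed-code");
        grant.put("redirect_uri", "https://arbitrary.redirect.uri/");

        Map<String, String> buggy = parse(buggyOrder(grant).getQuery());
        Map<String, String> fixed = parse(fixedOrder(grant).getQuery());

        System.out.println("buggy order, query: " + buggyOrder(grant).getQuery());
        System.out.println("buggy order has client_id: " + buggy.containsKey("client_id"));
        System.out.println("fixed order, query: " + fixedOrder(grant).getQuery());
        System.out.println("fixed order has client_id: " + fixed.containsKey("client_id"));
    }
}
```

Run with `java TokenRequestOrderingDemo.java` (Java 11 or later). The buggy path produces a body containing only the grant parameters, which is exactly what makes `TokenRequest.parse` reject it for a missing `client_id`; the merged path keeps both the grant and the client authentication parameters. The second fix the report mentions, calling `applyTo` after `setQuery`, only works if `applyTo` itself merges rather than replaces, which is why reading the existing query back before serializing is the safer of the two.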

Comments (6)

  1. Connect2id OSS

    The fix was released as version 4.4.2 and pushed to Maven Central.

    Thank you for contributing!
