Token endpoint should not use query parameters

[Milzor]

Describe the bug
The authorization server accepts query params as valid parameters for the token request

To Reproduce

http --form POST /oauth2/token?refresh_token=<your_refresh_token>&grant_type=refresh_token

Expected behavior
Request should be rejected

[jgrandja]

@Milzor Thanks for reporting this. We'll get a fix in soon.

[gregecho]

@jgrandja ,

Can I work on this bug if you haven't start?

Solution:
Should we just ignore the request which have the queryString?
if (!this.authorizationEndpointMatcher.matches(request) || !request.getQueryString().isEmpty()) { filterChain.doFilter(request, response); return; }
Btw, seems like the issue also can reproduce in the other oAuth2 endpoint filters.

[nverbos-godaddy]

This appears to be an issue for the code_verifier parameter as well.

[jgrandja]

@gregecho It would be great if you can work on fixing this.

The solution should be as simple as splitting OAuth2EndpointUtils.getParameters() into OAuth2EndpointUtils.getQueryParameters() and OAuth2EndpointUtils.getFormParameters(). Then you need to ensure the correct method is being called within the AuthenticationConverter's.

Makes sense?

[gregecho]

@jgrandja ,

Thanks for you insights! It does make sense to me.
I wanna to double confirm with you about the solution before I start to coding. In order to split OAuth2EndpointUtils.getParameters into getQueryParameters and getFormParameters, we need to get the body by String requestBody = StreamUtils.copyToString(request.getInputStream(), Charset.defaultCharset()); for getFormParameters and parse the requestBody String to a Map.

Btw, what content-type are we intend to support for token endpoint? Currently, we are supporting application/x-www-form-urlencoded and multipart/form-data. Both of below curls are supported:
curl -X "POST" "http://127.0.0.1:9001/oauth2/token" \ -H 'Content-Type: application/x-www-form-urlencoded; charset=utf-8' \ -H 'Cookie: JSESSIONID=713349FE4A5D5F12AFB293BCA89604AD' \ -u 'messaging-client:secret' \ --data-urlencode "code=6GH9i4ZRVILD2G2B73eMIP-4LoT7yhq0v0PEgo3G8UMJxRNr-kdrZy-yWplRyN7LcC-gw8uEaRwyZCmuwyrA_mytH_IAa1QXj_ynW6LPsFnP7Ax7FW28sVXWqQpD5Nhw" \ --data-urlencode "redirect_uri=http://127.0.0.1:8080/login/oauth2/code/messaging-client-oidc" \ --data-urlencode "grant_type=authorization_code"

`curl -X "POST" "http://127.0.0.1:9001/oauth2/token"
-H 'Content-Type: multipart/form-data; charset=utf-8; boundary=X_PAW_BOUNDARY'
-H 'Cookie: JSESSIONID=713349FE4A5D5F12AFB293BCA89604AD'
-u 'messaging-client:secret'
-F "code=6GH9i4ZRVILD2G2B73eMIP-4LoT7yhq0v0PEgo3G8UMJxRNr-kdrZy-yWplRyN7LcC-gw8uEaRwyZCmuwyrA_mytH_IAa1QXj_ynW6LPsFnP7Ax7FW28sVXWqQpD5Nhw"
-F "redirect_uri=http://127.0.0.1:8080/login/oauth2/code/messaging-client-oidc"
-F "grant_type=authorization_code"

`