Simplify Disabling application/x-www-form-urlencoded Encoding Client ID and Secret

[rwinch]

There are quite a few authorization servers (see how many users have commented on gh-10018) that do not URL Encode the Client ID and Secret as required by the OAuth specification. There is a way to customize the configuration to support this use-case, but is quite verbose given the number of users experiencing the problem. We should provide an easier way to disable URL encoding.

[Crain-32]

@sjohnr I've encountered this issue myself now, and dug up this issue while researching the problem.

Since you're assigned to this issue, what sort of approach were you thinking for it? Since it appears that from the issues that it's either all Base64 encoded, or URL Escaped and then encoded, I think we can just put a property into the OAuth2 registration.

Something like,
spring.security.oauth2.client.registration.myRegistration.base64-encoder-escaped=false # or true

Since it's in the client registration, we only have to adjust the OAuth2AuthorizationGrantRequestEntityUtils::getTokenRequestHeaders to the following.

static HttpHeaders getTokenRequestHeaders(ClientRegistration clientRegistration) {
	HttpHeaders headers = new HttpHeaders();
	headers.addAll(DEFAULT_TOKEN_REQUEST_HEADERS);
        final boolean escapeEncoding = clientRegistration.escapeEncoding();
	if (ClientAuthenticationMethod.CLIENT_SECRET_BASIC.equals(clientRegistration.getClientAuthenticationMethod())
			|| ClientAuthenticationMethod.BASIC.equals(clientRegistration.getClientAuthenticationMethod())) {
		String clientId = escapeEncoding ? clientId : encodeClientCredential(clientRegistration.getClientId());
		String clientSecret = escapeEncoding ? clientSecret : encodeClientCredential(clientRegistration.getClientSecret());
		headers.setBasicAuth(clientId, clientSecret);
	}
	return headers;
}

[sjohnr]

Hi @Crain-32, thanks for thinking about this! Sadly I have not been able to prioritize this issue, but it seems like it would be helpful to make a solution available. I think it would be fine for a contributor from the community to work on it as well. Would you like to?

I think we can just put a property into the OAuth2 registration.

I don't prefer this approach, and generally we don't want to introduce properties into ClientRegistration for specific client authentication methods. Instead, customization should be applied using provided hooks. In this case, AbstractOAuth2AuthorizationGrantRequestEntityConverter (and all subclasses) have setHeadersConverter(Converter<T, HttpHeaders> headersConverter).

So my preference would be to introduce a new public class with a setter containing a boolean flag to enable/disable this behavior. Something like:

public final class DefaultOAuth2TokenRequestHeadersConverter<T extends AbstractOAuth2AuthorizationGrantRequest>
        implements Converter<T, HttpHeaders> {

    private boolean encodeClientCredentials = true;

    // setter and implementation...

}

It's also possible we would want to introduce a factory method instead of a public class, so we'd need to think about that before committing to either approach. Any thoughts on this?

[Crain-32]

Thanks for the fast response @sjohnr! I'd love to work on this.

However, I will admit that I don't have the biggest understanding of all the OAuth2 Builders available, so I'll attempt to do a factory/class style, and copy some of what I see around it. I know there is the public OAuth2AuthorizedClientProviderBuilder password(Consumer<PasswordGrantBuilder> builderConsumer) for example. Which will probably be my starting point.

Just to make sure I got a solid grasp of what to look at, I'd assume the result should also include the following,

• Default Behavior is still Java's URLEncoder of the Values before passing them to the Basic Auth. (Existing Tests should cover this)
• Some sort of Note/Tip in the Spring Security OAuth2 Documentation about this.
• Some sort of small test.

[sjohnr]

I know there is the public OAuth2AuthorizedClientProviderBuilder password(Consumer<PasswordGrantBuilder> builderConsumer) for example. Which will probably be my starting point.

Take a look at OAuth2AuthorizationRequestCustomizers.withPkce() as this is more what I was thinking for a factory method. In our case, it would return a Converter<T, HttpHeaders>. But again I'm not sure we will go with a factory method, so don't spend too much time on it yet. I'll converse with @jgrandja this week and get back to you.

I'd assume the result should also include the following,

• Default Behavior is still Java's URLEncoder of the Values before passing them to the Basic Auth. (Existing Tests should cover this)

• Some sort of Note/Tip in the Spring Security OAuth2 Documentation about this.

• Some sort of small test.

I agree!