Why, in spring-security-oauth2-client:5.5.1, in the class OAuth2AuthorizationGrantRequestEntityUtils, are clientId and clientSecret encoded using URLEncoder.encode before the Base64 encoding of the clientId and secret?

We were previously using version 5.4.4 of spring-security-oauth2-client to fetch a token from an external server using the class OAuth2AuthorizationGrantRequestEntityUtils.

After updating to spring-security-oauth2-client:5.5.1, Spring had added logic to apply URLEncoder.encode to the client-secret, which affects client secrets that have special characters, and the server is not able to validate the Authorization key we are sending to the token endpoint.

    String clientId = encodeClientCredential(clientRegistration.getClientId());
    String clientSecret = encodeClientCredential(clientRegistration.getClientSecret());

Here we also have a concern: is it mentioned in the OIDC spec to do URLEncoder.encode before doing the Base64 encode? This will cause problems for all clients having a client-secret with special characters in them, as the authorization server will not be able to validate them.
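
The mismatch the post describes, as an added example (not code from Spring Security or from the original post): it builds the Basic `Authorization` header with and without the `URLEncoder.encode` step and checks each against a server that does or does not form-decode after Base64 decoding. RFC 6749 section 2.3.1 specifies that the client id and secret are form-urlencoded before being used as the Basic username and password. The class name, method names, client id and secret are constructed for illustration, and the code assumes Java 10 or later.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

// Hypothetical demo class; not part of Spring Security.
public class BasicClientAuthDemo {

    static String basic(String userPass) {
        return "Basic " + Base64.getEncoder().encodeToString(userPass.getBytes(StandardCharsets.UTF_8));
    }

    // Client without the URL-encoding step: raw values go straight into Base64.
    static String headerRaw(String id, String secret) {
        return basic(id + ":" + secret);
    }

    // Client with URLEncoder.encode applied to each value before Base64.
    static String headerFormEncoded(String id, String secret) {
        return basic(URLEncoder.encode(id, StandardCharsets.UTF_8) + ":"
                + URLEncoder.encode(secret, StandardCharsets.UTF_8));
    }

    // Server (secret check only): Base64-decode, split on the first ':', optionally form-decode.
    static boolean serverAccepts(String header, String stored, boolean formDecode) {
        String userPass = new String(
                Base64.getDecoder().decode(header.substring("Basic ".length())), StandardCharsets.UTF_8);
        String presented = userPass.substring(userPass.indexOf(':') + 1);
        if (formDecode) {
            presented = URLDecoder.decode(presented, StandardCharsets.UTF_8);
        }
        // MessageDigest.isEqual avoids an early-exit comparison of the secret bytes.
        return MessageDigest.isEqual(presented.getBytes(StandardCharsets.UTF_8),
                stored.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        String id = "demo-client";          // constructed sample value
        String secret = "p@ss+word/1=";     // constructed sample value with special characters
        String raw = headerRaw(id, secret);
        String enc = headerFormEncoded(id, secret);
        System.out.println("raw header:     " + raw);
        System.out.println("encoded header: " + enc);
        System.out.println("raw     -> server without form-decode: " + serverAccepts(raw, secret, false));
        System.out.println("raw     -> server with form-decode:    " + serverAccepts(raw, secret, true));
        System.out.println("encoded -> server without form-decode: " + serverAccepts(enc, secret, false));
        System.out.println("encoded -> server with form-decode:    " + serverAccepts(enc, secret, true));
    }
}
```

For this sample secret, the header validates only when the client and the server agree on whether the form-encoding step is applied.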

Comment From: bclozel

Could you create this issue against the Spring Security project?

This is the Spring Framework issue tracker and it doesn't look like this problem can be handled here.

Thanks!

Comment From: Dineshseervi

Thank

On Mon, Sep 20, 2021 at 5:00 PM Brian Clozel wrote:

Could you create this issue against the Spring Security project https://github.com/spring-projects/spring-security/issues?

This is the Spring Framework issue tracker and it doesn't look like this problem can be handled here.

Thanks!


-- Regards Dinesh Seervi