Describe the bug

DefaultBearerTokenResolver.resolve is returning the bearer token while ignoring padding indicators (=). An example of a bearer token obtained from the auth server is 'A66dXefVMHSGWBrUA5Iw='. Due to this, the auth server token validation request is failing with InvalidTokenException (as it's not able to load the resolved token (without the = char) from its database).

To Reproduce

Obtain an opaque token from the auth server endpoint /oauth/token and supply this token to a resource server that has been configured with the beans below, which resolve the bearer token and validate it with the auth server.

Resource server bean configuration:

@Bean
BearerTokenResolver bearerTokenResolver() {
    // Extracts the token from the Authorization: Bearer header
    return new DefaultBearerTokenResolver();
}

@Bean
AuthenticationProvider authProvider() {
    // Validates the resolved opaque token against the auth server's check-token endpoint
    var introspector = new NimbusOpaqueTokenIntrospector(
            "auth-server-check-token-endpoint", "client-id", "client-secret");
    return new OpaqueTokenAuthenticationProvider(introspector);
}

Resource server version info: org.springframework.security:spring-security-oauth2-resource-server:5.2.2.RELEASE

Auth server version info: org.springframework.security.oauth:spring-security-oauth2:2.4.1.RELEASE

Expected behavior

DefaultBearerTokenResolver.resolve() should return the same token (that's been supplied in the header) after validating it.

Comment From: jzheaux

@vpavic can you confirm whether or not it was intentional to leave the = signs out of the capture?

It appears that = is part of the definition:

 b64token    = 1*( ALPHA / DIGIT /
                   "-" / "." / "_" / "~" / "+" / "/" ) *"="
 credentials = "Bearer" 1*SP b64token

Comment From: vpavic

Sorry for the late follow-up - I don't recall any specific intent around that.
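As an added illustration (not Spring Security's own code), the two patterns below contrast a capture group that leaves the trailing padding outside, which is an assumption about how the resolver reproduces the behaviour in the report, with a capture group that follows the b64token ABNF quoted above, using the token value from the report as input.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class BearerPaddingCheck {

    // Assumed to reproduce the report: "=*" sits outside the named group, so the
    // header still matches but the padding is never part of the captured token.
    static final Pattern PADDING_OUTSIDE_CAPTURE = Pattern.compile(
            "^Bearer (?<token>[a-zA-Z0-9-._~+/]+)=*$", Pattern.CASE_INSENSITIVE);

    // Follows the RFC 6750 b64token ABNF: the trailing *"=" is part of the token,
    // so it belongs inside the capture group.
    static final Pattern PADDING_INSIDE_CAPTURE = Pattern.compile(
            "^Bearer (?<token>[a-zA-Z0-9-._~+/]+=*)$", Pattern.CASE_INSENSITIVE);

    /** Returns the captured token, or null when the header is not a Bearer credential. */
    static String resolve(Pattern pattern, String authorizationHeader) {
        Matcher m = pattern.matcher(authorizationHeader);
        return m.matches() ? m.group("token") : null;
    }

    public static void main(String[] args) {
        String padded = "Bearer A66dXefVMHSGWBrUA5Iw=";   // token value from the report
        String unpadded = "Bearer A66dXefVMHSGWBrUA5Iw";  // same value without padding

        // With the padding outside the group the "=" is silently dropped, so the
        // value handed to the introspection endpoint differs from the stored token.
        System.out.println(resolve(PADDING_OUTSIDE_CAPTURE, padded));
        // With the padding inside the group the header value comes back unchanged.
        System.out.println(resolve(PADDING_INSIDE_CAPTURE, padded));
        // Both patterns agree when there is no padding to lose.
        System.out.println(resolve(PADDING_OUTSIDE_CAPTURE, unpadded)
                .equals(resolve(PADDING_INSIDE_CAPTURE, unpadded)));
        // A header containing a character outside the b64token alphabet is rejected.
        System.out.println(resolve(PADDING_INSIDE_CAPTURE, "Bearer not valid"));
    }
}
```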