We use the spring-security-oauth2-client dependency for the OIDC (OpenID Connect, authorization code grant) type login flow. In this flow we internally invoke the token endpoint to fetch the token. We use OAuth2AuthorizationGrantRequestEntityUtils to prepare the Authorization header using clientId and secret. When we were using version 5.4.4 of spring-security-oauth2-client, the value of the Authorization header was created from the Base64 encoding of clientId:secret.
But when we updated to spring-security-oauth2-client:5.5.1, the class OAuth2AuthorizationGrantRequestEntityUtils encodes clientId and clientSecret using URLEncoder.encode before doing the Base64 encoding of clientId and secret, and passes them in the Authorization header as Basic to the token endpoint for the OIDC login flow. Now the issue is that if we have a special character in the clientId/secret, like '%', the URL encoder changes it and our authorization server is not able to validate the Authorization header of the token endpoint request.
```java
String clientId = encodeClientCredential(clientRegistration.getClientId());
String clientSecret = encodeClientCredential(clientRegistration.getClientSecret());
```
Here we also have a concern: is it mentioned in the OIDC spec to do URLEncoder.encode before doing the Base64 encoding? This will cause problems for all clients having a client secret with special characters in it, as the authorization server will not be able to validate them.
It would be helpful if you could inform us of the reason for this change.
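To make the reported difference concrete, the following is an added Python example (not Spring Security's code): it builds the Basic Authorization header both ways, Base64 of the raw `clientId:secret` as in 5.4.4, and Base64 of the URL-encoded credentials as in 5.5.1, and then runs a server-side check that decodes the header literally. The credentials are constructed sample values, and `java_url_encode` is an approximation of `java.net.URLEncoder.encode` written here.

```python
import base64
import hmac
from urllib.parse import quote_plus

# Constructed sample credentials; the '%' in the secret is the case from the report.
CLIENT_ID = "my-client"
CLIENT_SECRET = "s3cr%t/pass"


def java_url_encode(value: str) -> str:
    """Approximates java.net.URLEncoder.encode: keeps [A-Za-z0-9*-._], turns ' ' into '+'.
    Python's quote_plus already keeps '-', '_', '.' and '~'; Java escapes '~', so fix that up."""
    return quote_plus(value, safe="*").replace("~", "%7E")


def basic_header_raw(client_id: str, client_secret: str) -> str:
    """Header as built by spring-security-oauth2-client 5.4.4 / 5.5.2: Base64(clientId:secret)."""
    token = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(token).decode("ascii")


def basic_header_url_encoded(client_id: str, client_secret: str) -> str:
    """Header as built by 5.5.1: each credential is URL-encoded before the Base64 step."""
    return basic_header_raw(java_url_encode(client_id), java_url_encode(client_secret))


def decode_basic(header: str) -> tuple[str, str]:
    """What an authorization server sees after a literal Basic decode (no URL-decoding)."""
    scheme, _, b64 = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic authorization header")
    user, _, password = base64.b64decode(b64).decode("utf-8").partition(":")
    return user, password


def validate_basic(header: str, expected_id: str, expected_secret: str) -> bool:
    """Server-side check: compare the decoded pair with the stored credentials in constant time."""
    try:
        user, password = decode_basic(header)
    except ValueError:
        return False
    return hmac.compare_digest(user, expected_id) and hmac.compare_digest(password, expected_secret)


if __name__ == "__main__":
    for name, header in (("raw", basic_header_raw(CLIENT_ID, CLIENT_SECRET)),
                         ("url-encoded", basic_header_url_encoded(CLIENT_ID, CLIENT_SECRET))):
        print(name, decode_basic(header), validate_basic(header, CLIENT_ID, CLIENT_SECRET))
```

Credentials without reserved characters produce identical headers under both schemes, which is why the change only surfaces for secrets containing characters such as '%' or '/'.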
Comment From: marcusdacoregio
Thanks for your report @Dineshseervi.
This is related to #10018. The version 5.5.1 of Spring Security was affected by that change.
Can you upgrade your spring-security-oauth2-client dependency to version 5.5.2, since it does not encode the credentials?
Comment From: Dineshseervi
@marcusdacoregio Thanks for your response. Yes, this will help us.