Like DefaultBearerTokenResolver, ServerBearerTokenAuthenticationConverter should fail when two access_token parameters are present.
Currently, the code does:
String parameterToken = request.getQueryParams().getFirst("access_token");
but the RFC states that if there is more than one access_token parameter, the request should be rejected instead of guessing which token to use (emphasis mine):
invalid_request The request is missing a required parameter, includes an unsupported parameter or parameter value, repeats the same parameter, uses more than one method for including an access token, or is otherwise malformed. The resource server SHOULD respond with the HTTP 400 (Bad Request) status code.
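The rule from that RFC text (RFC 6750, section 3.1), applied to plain inputs as an added illustration that is not Spring Security's own code: a resolver that refuses a repeated access_token parameter instead of taking the first value, and also refuses a token supplied by both the header and the query string. The java.util map stands in for the request's query parameters (the reactive request exposes them as a multi-value map, so the duplicate shows up as a second list element) and the InvalidRequestException is a placeholder for whatever exception the framework maps to a 400 invalid_request response.

```java
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added illustration, not Spring Security's own code. It applies the RFC 6750 rules
// quoted in the issue to java.util inputs that stand in for the Authorization header
// and the request's query parameters: one token per method, one method per request.
public final class StrictBearerTokenResolver {

    // token68 syntax from RFC 6750 section 2.1
    private static final Pattern AUTHORIZATION =
            Pattern.compile("^Bearer (?<token>[a-zA-Z0-9-._~+/]+=*)$", Pattern.CASE_INSENSITIVE);

    private static final String ACCESS_TOKEN_PARAMETER = "access_token";

    /** Placeholder for the framework's exception: the resource server should answer 400 invalid_request. */
    public static final class InvalidRequestException extends RuntimeException {
        InvalidRequestException(String message) {
            super(message);
        }
    }

    /**
     * Returns the bearer token, or null if the request carries none.
     * Throws InvalidRequestException when the request is malformed: a bad header value,
     * a repeated access_token parameter, or a token in both the header and the query string.
     */
    public static String resolve(String authorizationHeader, Map<String, List<String>> queryParams) {
        String headerToken = resolveFromHeader(authorizationHeader);
        String parameterToken = resolveFromQuery(queryParams);
        if (headerToken != null && parameterToken != null) {
            // RFC 6750 3.1: "uses more than one method for including an access token"
            throw new InvalidRequestException("Found multiple bearer tokens in the request");
        }
        return headerToken != null ? headerToken : parameterToken;
    }

    private static String resolveFromHeader(String authorization) {
        if (authorization == null || !authorization.toLowerCase().startsWith("bearer")) {
            return null; // not the Bearer scheme; nothing for this resolver to do
        }
        Matcher matcher = AUTHORIZATION.matcher(authorization);
        if (!matcher.matches()) {
            throw new InvalidRequestException("Bearer token is malformed");
        }
        return matcher.group("token");
    }

    private static String resolveFromQuery(Map<String, List<String>> queryParams) {
        List<String> values = queryParams == null ? null : queryParams.get(ACCESS_TOKEN_PARAMETER);
        if (values == null || values.isEmpty()) {
            return null;
        }
        // The check the issue asks for: do not silently take the first value, reject the request.
        // RFC 6750 3.1: "repeats the same parameter"
        if (values.size() > 1) {
            throw new InvalidRequestException("Found multiple bearer tokens in the request");
        }
        return values.get(0);
    }

    private static void show(String label, String header, Map<String, List<String>> params) {
        try {
            System.out.println(label + ": token=" + resolve(header, params));
        } catch (InvalidRequestException ex) {
            System.out.println(label + ": 400 invalid_request (" + ex.getMessage() + ")");
        }
    }

    public static void main(String[] args) {
        // Constructed sample requests, not captured traffic.
        show("header only", "Bearer tokenA", Map.of());
        show("query only", null, Map.of(ACCESS_TOKEN_PARAMETER, List.of("tokenA")));
        show("repeated access_token", null, Map.of(ACCESS_TOKEN_PARAMETER, List.of("tokenA", "tokenB")));
        show("header and query", "Bearer tokenA", Map.of(ACCESS_TOKEN_PARAMETER, List.of("tokenB")));
    }
}
```

The first two calls resolve a token; the last two are the cases the issue is about and end in the invalid_request branch. Note that the duplicate check has to look at the whole value list for the parameter, which is exactly what a getFirst() lookup hides.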
Comment From: jgrandja
@jzheaux This is scheduled for 5.2.x. Is this still valid?
Comment From: DarrenForsythe
@jzheaux I can submit a PR that replicates the imperative implementation in the reactive version
Comment From: jzheaux
@DarrenForsythe, sorry for the delay in getting back to you. Thank you for offering, that would be great!