OAuth Client Credentials authorization (and some other grant types) is broken in 5.6.x. It was working correctly in 5.5.x. I tracked the issue down to here:

https://github.com/spring-projects/spring-security/blob/3b564b20263a51a95aacb733a950330186b41114/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/AbstractWebClientReactiveOAuth2AccessTokenResponseClient.java#L122

In 5.6.x, at lines 121 & 122, you introduced the call to encodeClientCredential() to encode the username and password. That's not the correct way of encoding basic auth. Basic auth should be encoded as:

Authorization: Basic base64(client_id:client_secret)

By URL-encoding the client_secret, which is typically a cryptographically random string, you are changing the secret itself. My cryptographically random secret contains a portion "G/g/Vv". In this case you are URL-encoding the slashes, which should not be done. You shouldn't encode anything here: you just concatenate client_id:client_secret, base64 that whole thing and pass it in through the Authorization header, which doesn't require URL encoding.

Comment From: sjohnr

@SledgeHammer01, this change was intentionally introduced in 5.6, per #9610 (and noted in 5.6.0-M1), which aligns us with RFC 6749, Section 2.3.1. We're aware that this spec unfortunately conflicts with RFC 2617.

See this comment if you need help working around the issue with a non-compliant provider. Also note that we've merged a change for #10130 which simplifies customizing headers beyond what the Stack Overflow post linked above demonstrates.

I'm going to close this as working as designed. I understand that this is a frustrating experience as you upgrade, so please don't hesitate to ask if I can help clarify the workaround or anything else needed to get you going again. Thanks for your understanding.
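The two encodings the reporter and the maintainer are talking about, side by side, as an added example that is not code from this issue or from Spring Security. It builds the Authorization header the RFC 2617 way (base64 of the raw `client_id:client_secret`) and the RFC 6749 section 2.3.1 way (form-urlencode both parts first, then base64), and checks each header against a token endpoint that decodes it either way. The function names, the client id and the sample secrets are constructed for the demonstration; Python's `quote_plus(safe="")` is assumed to be close enough to `java.net.URLEncoder` for the characters that matter here (`/`, `+` and space).

```python
import base64
import hmac
from urllib.parse import quote_plus, unquote_plus


def basic_rfc2617(client_id: str, client_secret: str) -> str:
    """HTTP Basic per RFC 2617: base64("id:secret") with no other transformation.

    This is the encoding the issue reporter expects. The secret may contain
    any character; only a ':' inside the client id would be ambiguous.
    """
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def basic_rfc6749(client_id: str, client_secret: str) -> str:
    """HTTP Basic per RFC 6749 section 2.3.1: form-urlencode id and secret
    first, then Basic-encode the result (the behaviour Spring Security 5.6 adopted).

    Assumption: quote_plus(safe="") mirrors java.net.URLEncoder for the characters
    that matter here: '/' becomes %2F, '+' becomes %2B, space becomes '+'.
    """
    return basic_rfc2617(quote_plus(client_id, safe=""), quote_plus(client_secret, safe=""))


def decode_basic(header: str, form_decode: bool) -> tuple[str, str]:
    """Parse an Authorization header the way a token endpoint would.

    form_decode=True is the RFC 6749 server behaviour (unescape after base64
    decoding); False is the RFC 2617 behaviour (use the decoded text as-is).
    """
    scheme, _, b64 = header.partition(" ")
    if scheme != "Basic" or not b64:
        raise ValueError("not an HTTP Basic credential")
    raw = base64.b64decode(b64, validate=True).decode("utf-8")
    client_id, sep, secret = raw.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    if form_decode:
        return unquote_plus(client_id), unquote_plus(secret)
    return client_id, secret


def server_accepts(header: str, stored_id: str, stored_secret: str, form_decode: bool) -> bool:
    """Compare the presented credential with the stored one in constant time."""
    try:
        client_id, secret = decode_basic(header, form_decode)
    except (ValueError, UnicodeDecodeError):
        return False
    return (hmac.compare_digest(client_id.encode(), stored_id.encode())
            and hmac.compare_digest(secret.encode(), stored_secret.encode()))


def interop_matrix(client_id: str, client_secret: str) -> dict[tuple[str, str], bool]:
    """For one credential, which (client encoding, server decoding) pairs authenticate."""
    headers = {
        "client:rfc2617": basic_rfc2617(client_id, client_secret),
        "client:rfc6749": basic_rfc6749(client_id, client_secret),
    }
    servers = {"server:rfc2617": False, "server:rfc6749": True}
    return {(c, s): server_accepts(h, client_id, client_secret, fd)
            for c, h in headers.items() for s, fd in servers.items()}


if __name__ == "__main__":
    # Constructed sample secrets; the first carries the "G/g/Vv" fragment from the report.
    for secret in ("xK9G/g/VvQ2", "a+b c", "plain"):
        print(secret, interop_matrix("my-client", secret))
```

Running it shows why the two parties in the thread are both "right": with a secret containing only `/`, a 6749-style client fails against a 2617-style server (the server sees `%2F`), but a 2617-style client still passes a 6749-style server, because unescaping leaves `/` alone. A secret containing `+` or a space breaks in both mismatched directions, since the 6749 server turns a raw `+` into a space. Only matching client and server conventions work for every secret, which is the interop problem the workaround in the maintainer's reply addresses.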