I think this is a bug

I am using Spring Security 6 (spring-security-config JAR 6.1.5) and Spring Boot 3.2.0.

I have set up a minimal project which reproduces the issue here: https://github.com/dannz89/oauth.

The README on the project contains more detail, but the summary of the failure is that the session gets lost in the OAuth2 'handshake' due to the removal (either by the custom OAuth2 provider or by Spring Boot OAuth2) of the padding '=' (%3D) from the state parameter. I set a breakpoint at the start of:

public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) {...}

in org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter

Stepping into the method, I discovered that where the original state parameter value was (for example) '123455abdfffaaaa_08970987aaaffffddeee%3D', the state coming back once the code had been obtained from the OAuth2 provider was (for example) '123455abdfffaaaa_08970987aaaffffddeee' (in other words, the same but without the %3D).

The comparison of stored sessions therefore failed and the end result was [authorization_request_not_found].

Using Postman to authenticate using the same OAuth2 provider (WordPress plugin described in the project README), the authentication works fine. So it seems to be an issue with how Spring Boot is handling the state parameter.
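The failure mode described in the report, modelled as an added Python example (not code from the reporter's project or from Spring): a base64 state token ending in '=' is URL-encoded as %3D on the way to the provider, a constructed misbehaving provider echoes it back without the padding, and the exact comparison the saved-request lookup relies on fails. The endpoint URLs, client id, authorization code and the 32-byte token are all constructed values; the padding-tolerant comparison at the end is a defensive normalisation shown for illustration, not Spring Security's fix.

```python
import base64
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse


def make_state(raw: bytes) -> str:
    """Base64 the random bytes backing the state token. 32 bytes give 44 chars
    ending in '=', which is exactly the padding the report sees dropped."""
    return base64.b64encode(raw).decode("ascii")


def build_authorization_url(authorize_endpoint: str, client_id: str,
                            redirect_uri: str, state: str) -> str:
    """Redirect sent to the provider; urlencode turns the trailing '=' into %3D."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": "openid", "state": state}
    return f"{authorize_endpoint}?{urlencode(params)}"


def state_from_url(url: str) -> Optional[str]:
    """Pull the (percent-decoded) state parameter out of a request or callback URL."""
    return parse_qs(urlparse(url).query).get("state", [None])[0]


def misbehaving_provider_callback(authorization_url: str) -> str:
    """Constructed model of a provider that echoes state back without its '=' padding."""
    q = parse_qs(urlparse(authorization_url).query)
    params = {"code": "constructed-auth-code", "state": q["state"][0].rstrip("=")}
    return f"{q['redirect_uri'][0]}?{urlencode(params)}"


def strict_match(stored_state: str, returned_state: str) -> bool:
    """Exact compare, as the saved-request lookup effectively does; False once padding is gone."""
    return hmac.compare_digest(stored_state.encode(), returned_state.encode())


def padding_tolerant_match(stored_state: str, returned_state: str) -> bool:
    """Illustrative normalisation (not Spring's fix): restore padding to a multiple
    of 4 and compare the decoded bytes rather than the text."""
    def decode(s: str) -> bytes:
        return base64.b64decode(s + "=" * (-len(s) % 4), validate=True)
    try:
        return hmac.compare_digest(decode(stored_state), decode(returned_state))
    except ValueError:  # binascii.Error is a ValueError: not base64 at all
        return False


if __name__ == "__main__":
    stored = make_state(bytes(range(32)))  # constructed, deterministic token
    authz = build_authorization_url("https://provider.example/oauth/authorize", "demo-client",
                                    "https://app.example/login/oauth2/code/demo", stored)
    returned = state_from_url(misbehaving_provider_callback(authz))
    print(authz.endswith("%3D"), returned, strict_match(stored, returned),
          padding_tolerant_match(stored, returned))
```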

Comment From: wilkinsona

Thanks for the report and initial analysis of the problem. OAuth2LoginAuthenticationFilter is part of Spring Security which is managed as a separate project. Please report the issue to them so that they can continue the investigation.