v.4.4.0-beta.1
Describe the bug
[invalid_request] AADSTS9000411: The request is not properly formatted. The parameter 'scope' is duplicated.
AadOAuth2AuthorizationCodeGrantRequestEntityConverter will be executed multiple times and adds parameter "scope" into request body.
1.Attempt:
openid profile offline_access https://graph.microsoft.com/Directory.Read.All
2.Attempt:
openid profile offline_access https://graph.microsoft.com/Directory.Read.All
openid profile offline_access https://graph.microsoft.com/Directory.Read.All
3.Attempt:
openid profile offline_access https://graph.microsoft.com/Directory.Read.All
openid profile offline_access https://graph.microsoft.com/Directory.Read.All
openid profile offline_access https://graph.microsoft.com/Directory.Read.All
...
To Reproduce
Added proxy support. Used RestTemplateCustomizer:
@Bean
public RestTemplateCustomizer proxyCustomizer() {
return restTemplate -> {
Proxy proxy = new Proxy(Type.HTTP, new InetSocketAddress("127.0.0.1", 8888));
SimpleClientHttpRequestFactory requestFactory = new SimpleClientHttpRequestFactory();
requestFactory.setProxy(proxy);
restTemplate.setRequestFactory(requestFactory);
};
}
Used the default AadWebSecurityConfigurerAdapter for web security config.
Authorization/Authentification fails: org.springframework.security.oauth2.client.endpoint.DefaultAuthorizationCodeTokenResponseClient#getTokenResponse
-> access token in OAuth2AccessTokenResponse is empty.
Exception or Stack Trace
Oauth2 flow:
[http-nio-8080-exec-5]: org.springframework.security.web.FilterChainProxy: Securing GET /oauth2/authorization/azure
[http-nio-8080-exec-5]: org.springframework.security.web.context.SecurityContextPersistenceFilter: Set SecurityContextHolder to empty SecurityContext
[http-nio-8080-exec-5]: org.springframework.security.web.DefaultRedirectStrategy: Redirecting to https://login.microsoftonline.com/xyz/oauth2/v2.0/authorize?response_type=code&client_id=xyzxyz&scope=openid%20profile%20offline_access%20https://graph.microsoft.com/Directory.Read.All&state=xyzard%3D&redirect_uri=http://localhost:8080/nautilus/newbusiness/login/oauth2/code/&nonce=xyzafg
[http-nio-8080-exec-6]: org.springframework.security.web.FilterChainProxy: Securing GET /login/oauth2/code/?code=0.ATAxyzae5c
tokenResponse.getAccessToken() is null and fails at
`if (CollectionUtils.isEmpty(tokenResponse.getAccessToken().getScopes())) {`
`java.lang.NullPointerException: null
at org.springframework.security.oauth2.client.endpoint.DefaultAuthorizationCodeTokenResponseClient.getTokenResponse(DefaultAuthorizationCodeTokenResponseClient.java:80)
at org.springframework.security.oauth2.client.endpoint.DefaultAuthorizationCodeTokenResponseClient.getTokenResponse(DefaultAuthorizationCodeTokenResponseClient.java:57)
at org.springframework.security.oauth2.client.oidc.authentication.OidcAuthorizationCodeAuthenticationProvider.getResponse(OidcAuthorizationCodeAuthenticationProvider.java:170)
at org.springframework.security.oauth2.client.oidc.authentication.OidcAuthorizationCodeAuthenticationProvider.authenticate(OidcAuthorizationCodeAuthenticationProvider.java:144)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:182)`
Screenshots
After 8 attempts:

Setup (please complete the following information):
- OS: Windows
- IDE: IntelliJ
- Library/Libraries: Azure SDK 4.4.0-beta.1 from SEP-28-2022 main-branch.
- Java version: 11
- App Server/Environment: Spring Boot Oauth2 (tomcat)+Azure
- Frameworks: Spring Boot 2.6.7
v.4.4.0-beta.1
Describe the bug
[invalid_request] AADSTS9000411: The request is not properly formatted. The parameter 'scope' is duplicated.
AadOAuth2AuthorizationCodeGrantRequestEntityConverter will be executed multiple times and adds parameter "scope" into request body.
1.Attempt:
openid profile offline_access https://graph.microsoft.com/Directory.Read.All
2.Attempt:
openid profile offline_access https://graph.microsoft.com/Directory.Read.All
openid profile offline_access https://graph.microsoft.com/Directory.Read.All
3.Attempt:
openid profile offline_access https://graph.microsoft.com/Directory.Read.All
openid profile offline_access https://graph.microsoft.com/Directory.Read.All
openid profile offline_access https://graph.microsoft.com/Directory.Read.All
...
To Reproduce
Added proxy support. Used RestTemplateCustomizer:
Used the default AadWebSecurityConfigurerAdapter for web security config.
Authorization/Authentification fails: org.springframework.security.oauth2.client.endpoint.DefaultAuthorizationCodeTokenResponseClient#getTokenResponse
-> access token in OAuth2AccessTokenResponse is empty.
Exception or Stack Trace
Screenshots

After 8 attempts:
Setup (please complete the following information):