Skip to content

[BUG] The parameter 'scope' is duplicated #31191

Description

@damir78

v.4.4.0-beta.1

Describe the bug
[invalid_request] AADSTS9000411: The request is not properly formatted. The parameter 'scope' is duplicated.
AadOAuth2AuthorizationCodeGrantRequestEntityConverter will be executed multiple times and adds parameter "scope" into request body.
1.Attempt:
openid profile offline_access https://graph.microsoft.com/Directory.Read.All

2.Attempt:
openid profile offline_access https://graph.microsoft.com/Directory.Read.All
openid profile offline_access https://graph.microsoft.com/Directory.Read.All

3.Attempt:
openid profile offline_access https://graph.microsoft.com/Directory.Read.All
openid profile offline_access https://graph.microsoft.com/Directory.Read.All
openid profile offline_access https://graph.microsoft.com/Directory.Read.All

...

To Reproduce
Added proxy support. Used RestTemplateCustomizer:

@Bean
public RestTemplateCustomizer proxyCustomizer() {
  return restTemplate -> {
    Proxy proxy = new Proxy(Type.HTTP, new InetSocketAddress("127.0.0.1", 8888));
    SimpleClientHttpRequestFactory requestFactory = new SimpleClientHttpRequestFactory();
    requestFactory.setProxy(proxy);
    restTemplate.setRequestFactory(requestFactory);
  };
}

Used the default AadWebSecurityConfigurerAdapter for web security config.
Authorization/Authentification fails: org.springframework.security.oauth2.client.endpoint.DefaultAuthorizationCodeTokenResponseClient#getTokenResponse
-> access token in OAuth2AccessTokenResponse is empty.

Exception or Stack Trace

Oauth2 flow:
[http-nio-8080-exec-5]: org.springframework.security.web.FilterChainProxy: Securing GET /oauth2/authorization/azure
[http-nio-8080-exec-5]: org.springframework.security.web.context.SecurityContextPersistenceFilter: Set SecurityContextHolder to empty SecurityContext
[http-nio-8080-exec-5]: org.springframework.security.web.DefaultRedirectStrategy: Redirecting to https://login.microsoftonline.com/xyz/oauth2/v2.0/authorize?response_type=code&client_id=xyzxyz&scope=openid%20profile%20offline_access%20https://graph.microsoft.com/Directory.Read.All&state=xyzard%3D&redirect_uri=http://localhost:8080/nautilus/newbusiness/login/oauth2/code/&nonce=xyzafg

[http-nio-8080-exec-6]: org.springframework.security.web.FilterChainProxy: Securing GET /login/oauth2/code/?code=0.ATAxyzae5c

tokenResponse.getAccessToken()  is null and fails at 
`if (CollectionUtils.isEmpty(tokenResponse.getAccessToken().getScopes())) {`

`java.lang.NullPointerException: null
	at org.springframework.security.oauth2.client.endpoint.DefaultAuthorizationCodeTokenResponseClient.getTokenResponse(DefaultAuthorizationCodeTokenResponseClient.java:80)
	at org.springframework.security.oauth2.client.endpoint.DefaultAuthorizationCodeTokenResponseClient.getTokenResponse(DefaultAuthorizationCodeTokenResponseClient.java:57)
	at org.springframework.security.oauth2.client.oidc.authentication.OidcAuthorizationCodeAuthenticationProvider.getResponse(OidcAuthorizationCodeAuthenticationProvider.java:170)
	at org.springframework.security.oauth2.client.oidc.authentication.OidcAuthorizationCodeAuthenticationProvider.authenticate(OidcAuthorizationCodeAuthenticationProvider.java:144)
	at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:182)`

Screenshots
After 8 attempts:
image

Setup (please complete the following information):

  • OS: Windows
  • IDE: IntelliJ
  • Library/Libraries: Azure SDK 4.4.0-beta.1 from SEP-28-2022 main-branch.
  • Java version: 11
  • App Server/Environment: Spring Boot Oauth2 (tomcat)+Azure
  • Frameworks: Spring Boot 2.6.7

Metadata

Metadata

Assignees

Labels

azure-springAll azure-spring related issuesazure-spring-aadSpring active directory related issues.bugThis issue requires a change to an existing behavior in the product in order to be resolved.customer-reportedIssues that are reported by GitHub users external to the Azure organization.

Type

No type

Fields

No fields configured for issues without a type.

Projects

Status
Done

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions