OAuth2AuthorizationCodeRequestAuthenticationConverter can not handle multi-valued parameters

According to section 2.1 of [RFC 8707 - Resource Indicators for OAuth 2.0](https://www.rfc-editor.org/rfc/rfc8707.html) multiple resource values should be sent as the example below:

```
  GET /as/authorization.oauth2?response_type=code
     &client_id=s6BhdRkqt3
     &state=tNwzQ87pC6llebpmac_IDeeq-mCR2wLDYljHUZUAWuI
     &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
     &scope=calendar%20contacts
     &resource=https%3A%2F%2Fcal.example.com%2F
     &resource=https%3A%2F%2Fcontacts.example.com%2F HTTP/1.1
  Host: authorization-server.example.com
```

The `OAuth2AuthorizationCodeRequestAuthenticationConverter.convert` method only handles single value parameters:

```
Map<String, Object> additionalParameters = new HashMap<>();
parameters.forEach((key, value) -> {
  if (!key.equals(OAuth2ParameterNames.RESPONSE_TYPE) &&
      !key.equals(OAuth2ParameterNames.CLIENT_ID) &&
      !key.equals(OAuth2ParameterNames.REDIRECT_URI) &&
      !key.equals(OAuth2ParameterNames.SCOPE) &&
      !key.equals(OAuth2ParameterNames.STATE)) {
  additionalParameters.put(key, value.get(0));
}
```
This leads to that only the first resource parameter value is saved in the resulting `OAuth2AuthorizationCodeRequestAuthenticationToken`.




Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

OAuth2AuthorizationCodeRequestAuthenticationConverter can not handle multi-valued parameters #1250

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

OAuth2AuthorizationCodeRequestAuthenticationConverter can not handle multi-valued parameters #1250

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions