Luke Xu created CXF-8731:
----------------------------

             Summary: codeParam fetched in ClientCodeRequestFilter#processCodeResponse should get URL decoded
                 Key: CXF-8731
                 URL: https://issues.apache.org/jira/browse/CXF-8731
             Project: CXF
          Issue Type: Bug
          Components: JAX-RS Security
    Affects Versions: 3.4.0
            Reporter: Luke Xu

Hi,

I'm setting up some JAXRS resources behind Google OAuth Authorization using org.apache.cxf.rs.security.oauth2.client.ClientCodeRequestFilter. During the process, I got the access code back successfully. However, ClientCodeRequestFilter can't go on to the next step to get the access token.

Some debugging work shows that when ClientCodeRequestFilter calls processCodeResponse(), the codeParam fetched from the redirection request is not URL decoded. Google's code usually starts with '4/', while when not decoded it's '4%2F'. The later OAuthClientUtils.getAccessToken() only works with '4/', the decoded code.

I think this should be a bug. But if it's me who missed some configuration, I'm also glad to know. Thanks in advance.

{code:java}
protected void processCodeResponse(ContainerRequestContext rc,
                                   UriInfo ui,
                                   MultivaluedMap<String, String> requestParams) {

    MultivaluedMap<String, String> state = null;
    if (clientStateManager != null) {
        state = clientStateManager.fromRedirectState(mc, requestParams);
    }

    /* The following codeParam is URL encoded, thus when it is passed on to the grant
       and the later OAuthClientUtils, the getAccessToken() fails. */
    String codeParam = requestParams.getFirst(OAuthConstants.AUTHORIZATION_CODE_VALUE);
    ClientAccessToken at = null;
    if (codeParam != null) {
        AuthorizationCodeGrant grant = prepareCodeGrant(codeParam, getAbsoluteRedirectUri(ui));
        if (state != null) {
            grant.setCodeVerifier(state.getFirst(OAuthConstants.AUTHORIZATION_CODE_VERIFIER));
        }
        at = OAuthClientUtils.getAccessToken(accessTokenServiceClient, consumer, grant, useAuthorizationHeader);
    }
    ClientTokenContext tokenContext = initializeClientTokenContext(rc, at, requestParams, state);
    if (at != null && clientTokenContextManager != null) {
        clientTokenContextManager.setClientTokenContext(mc, tokenContext);
    }
    setClientCodeRequest(tokenContext);
}
{code}
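The following is an added example, not part of the original report and not CXF code: a JDK-only sketch of the symptom described above, showing what the token request body carries when the `code` query value is used raw versus decoded once. The class name, helper names, redirect URI and code value are constructed for illustration, and the token request is assumed to be sent as `application/x-www-form-urlencoded` (RFC 6749, section 4.1.3).

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

public class CodeParamEncodingDemo {

    // Splits a query string into name/value pairs WITHOUT percent-decoding,
    // which models a parameter map that hands back raw values.
    static Map<String, String> rawQueryParams(String query) {
        Map<String, String> params = new LinkedHashMap<>();
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            if (eq > 0) {
                params.put(pair.substring(0, eq), pair.substring(eq + 1));
            }
        }
        return params;
    }

    // Builds the form-encoded body of an authorization_code token request.
    // Every value is percent-encoded here, so the input must be the plain value.
    static String tokenRequestBody(String code, String redirectUri) {
        return "grant_type=authorization_code"
            + "&code=" + URLEncoder.encode(code, StandardCharsets.UTF_8)
            + "&redirect_uri=" + URLEncoder.encode(redirectUri, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed sample redirect query; not a real authorization code.
        String redirectQuery = "state=constructed-state&code=4%2Fconstructed-sample-code";
        String redirectUri = "https://client.example/callback"; // hypothetical client

        String rawCode = rawQueryParams(redirectQuery).get("code");
        String decodedCode = URLDecoder.decode(rawCode, StandardCharsets.UTF_8);

        // Raw value: '%' is encoded again, so the server sees a different code.
        System.out.println("raw     -> " + tokenRequestBody(rawCode, redirectUri));
        // Decoded once: the server recovers the code exactly as it was issued.
        System.out.println("decoded -> " + tokenRequestBody(decodedCode, redirectUri));
    }
}
```

With the raw value the `%` is itself encoded as `%25`, so the authorization server decodes the parameter back to `4%2F...` rather than the issued `4/...` and the code does not match. Decoding must happen exactly once, at the point where the query string is parsed.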