diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/CodeVerifierAuthenticator.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/CodeVerifierAuthenticator.java index 6c9a814a..509885de 100644 --- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/CodeVerifierAuthenticator.java +++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/CodeVerifierAuthenticator.java @@ -113,8 +113,6 @@ final class CodeVerifierAuthenticator { private static boolean codeVerifierValid(String codeVerifier, String codeChallenge, String codeChallengeMethod) { if (!StringUtils.hasText(codeVerifier)) { return false; - } else if (!StringUtils.hasText(codeChallengeMethod) || "plain".equals(codeChallengeMethod)) { - return codeVerifier.equals(codeChallenge); } else if ("S256".equals(codeChallengeMethod)) { try { MessageDigest md = MessageDigest.getInstance("SHA-256"); diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeRequestAuthenticationProvider.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeRequestAuthenticationProvider.java index dad30351..9c82e80f 100644 --- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeRequestAuthenticationProvider.java +++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeRequestAuthenticationProvider.java @@ -210,7 +210,7 @@ public final class OAuth2AuthorizationCodeRequestAuthenticationProvider implemen if (StringUtils.hasText(codeChallenge)) { String codeChallengeMethod = (String) authorizationCodeRequestAuthentication.getAdditionalParameters().get(PkceParameterNames.CODE_CHALLENGE_METHOD); if (StringUtils.hasText(codeChallengeMethod)) { - if (!"S256".equals(codeChallengeMethod) && !"plain".equals(codeChallengeMethod)) { + if (!"S256".equals(codeChallengeMethod)) { throwError(OAuth2ErrorCodes.INVALID_REQUEST, PkceParameterNames.CODE_CHALLENGE_METHOD, PKCE_ERROR_URI, authorizationCodeRequestAuthentication, registeredClient, null); } diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationServerMetadataEndpointFilter.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationServerMetadataEndpointFilter.java index efb690a6..d2cb9ca5 100644 --- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationServerMetadataEndpointFilter.java +++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationServerMetadataEndpointFilter.java @@ -94,7 +94,6 @@ public final class OAuth2AuthorizationServerMetadataEndpointFilter extends OnceP .tokenRevocationEndpointAuthenticationMethods(clientAuthenticationMethods()) .tokenIntrospectionEndpoint(asUrl(issuer, this.providerSettings.getTokenIntrospectionEndpoint())) .tokenIntrospectionEndpointAuthenticationMethods(clientAuthenticationMethods()) - .codeChallengeMethod("plain") .codeChallengeMethod("S256") .build(); diff --git a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/core/OAuth2AuthorizationServerMetadataTests.java b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/core/OAuth2AuthorizationServerMetadataTests.java index 46b6bc33..5ed79dc6 100644 --- a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/core/OAuth2AuthorizationServerMetadataTests.java +++ b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/core/OAuth2AuthorizationServerMetadataTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2020-2021 the original author or authors. + * Copyright 2020-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -59,7 +59,6 @@ public class OAuth2AuthorizationServerMetadataTests { .tokenRevocationEndpointAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC.getValue()) .tokenIntrospectionEndpoint("https://example.com/issuer1/oauth2/introspect") .tokenIntrospectionEndpointAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC.getValue()) - .codeChallengeMethod("plain") .codeChallengeMethod("S256") .claim("a-claim", "a-value") .build(); @@ -76,7 +75,7 @@ public class OAuth2AuthorizationServerMetadataTests { assertThat(authorizationServerMetadata.getTokenRevocationEndpointAuthenticationMethods()).containsExactly(ClientAuthenticationMethod.CLIENT_SECRET_BASIC.getValue()); assertThat(authorizationServerMetadata.getTokenIntrospectionEndpoint()).isEqualTo(url("https://example.com/issuer1/oauth2/introspect")); assertThat(authorizationServerMetadata.getTokenIntrospectionEndpointAuthenticationMethods()).containsExactly(ClientAuthenticationMethod.CLIENT_SECRET_BASIC.getValue()); - assertThat(authorizationServerMetadata.getCodeChallengeMethods()).containsExactlyInAnyOrder("plain", "S256"); + assertThat(authorizationServerMetadata.getCodeChallengeMethods()).containsExactly("S256"); assertThat(authorizationServerMetadata.getClaimAsString("a-claim")).isEqualTo("a-value"); } diff --git a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/core/http/converter/OAuth2AuthorizationServerMetadataHttpMessageConverterTests.java b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/core/http/converter/OAuth2AuthorizationServerMetadataHttpMessageConverterTests.java index fa2332eb..6c01c952 100644 --- a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/core/http/converter/OAuth2AuthorizationServerMetadataHttpMessageConverterTests.java +++ b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/core/http/converter/OAuth2AuthorizationServerMetadataHttpMessageConverterTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2020-2021 the original author or authors. + * Copyright 2020-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -103,7 +103,7 @@ public class OAuth2AuthorizationServerMetadataHttpMessageConverterTests { + " \"revocation_endpoint_auth_methods_supported\": [\"client_secret_basic\"],\n" + " \"introspection_endpoint\": \"https://example.com/issuer1/oauth2/introspect\",\n" + " \"introspection_endpoint_auth_methods_supported\": [\"client_secret_basic\"],\n" - + " \"code_challenge_methods_supported\": [\"plain\",\"S256\"],\n" + + " \"code_challenge_methods_supported\": [\"S256\"],\n" + " \"custom_claim\": \"value\",\n" + " \"custom_collection_claim\": [\"value1\", \"value2\"]\n" + "}\n"; @@ -125,7 +125,7 @@ public class OAuth2AuthorizationServerMetadataHttpMessageConverterTests { assertThat(authorizationServerMetadata.getTokenRevocationEndpointAuthenticationMethods()).containsExactly(ClientAuthenticationMethod.CLIENT_SECRET_BASIC.getValue()); assertThat(authorizationServerMetadata.getTokenIntrospectionEndpoint()).isEqualTo(new URL("https://example.com/issuer1/oauth2/introspect")); assertThat(authorizationServerMetadata.getTokenIntrospectionEndpointAuthenticationMethods()).containsExactly(ClientAuthenticationMethod.CLIENT_SECRET_BASIC.getValue()); - assertThat(authorizationServerMetadata.getCodeChallengeMethods()).containsExactlyInAnyOrder("plain", "S256"); + assertThat(authorizationServerMetadata.getCodeChallengeMethods()).containsExactly("S256"); assertThat(authorizationServerMetadata.getClaimAsString("custom_claim")).isEqualTo("value"); assertThat(authorizationServerMetadata.getClaimAsStringList("custom_collection_claim")).containsExactlyInAnyOrder("value1", "value2"); } @@ -172,7 +172,6 @@ public class OAuth2AuthorizationServerMetadataHttpMessageConverterTests { .tokenRevocationEndpointAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC.getValue()) .tokenIntrospectionEndpoint("https://example.com/issuer1/oauth2/introspect") .tokenIntrospectionEndpointAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC.getValue()) - .codeChallengeMethod("plain") .codeChallengeMethod("S256") .claim("custom_claim", "value") .claim("custom_collection_claim", Arrays.asList("value1", "value2")) @@ -194,7 +193,7 @@ public class OAuth2AuthorizationServerMetadataHttpMessageConverterTests { assertThat(authorizationServerMetadataResponse).contains("\"revocation_endpoint_auth_methods_supported\":[\"client_secret_basic\"]"); assertThat(authorizationServerMetadataResponse).contains("\"introspection_endpoint\":\"https://example.com/issuer1/oauth2/introspect\""); assertThat(authorizationServerMetadataResponse).contains("\"introspection_endpoint_auth_methods_supported\":[\"client_secret_basic\"]"); - assertThat(authorizationServerMetadataResponse).contains("\"code_challenge_methods_supported\":[\"plain\",\"S256\"]"); + assertThat(authorizationServerMetadataResponse).contains("\"code_challenge_methods_supported\":[\"S256\"]"); assertThat(authorizationServerMetadataResponse).contains("\"custom_claim\":\"value\""); assertThat(authorizationServerMetadataResponse).contains("\"custom_collection_claim\":[\"value1\",\"value2\"]"); } diff --git a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/authentication/ClientSecretAuthenticationProviderTests.java b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/authentication/ClientSecretAuthenticationProviderTests.java index 1ca820e0..caee93a0 100644 --- a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/authentication/ClientSecretAuthenticationProviderTests.java +++ b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/authentication/ClientSecretAuthenticationProviderTests.java @@ -54,9 +54,6 @@ import static org.mockito.Mockito.when; * @author Daniel Garnier-Moiroux */ public class ClientSecretAuthenticationProviderTests { - private static final String PLAIN_CODE_VERIFIER = "pkce-key"; - private static final String PLAIN_CODE_CHALLENGE = PLAIN_CODE_VERIFIER; - // See RFC 7636: Appendix B. Example for the S256 code_challenge_method // https://tools.ietf.org/html/rfc7636#appendix-B private static final String S256_CODE_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"; @@ -231,12 +228,12 @@ public class ClientSecretAuthenticationProviderTests { .thenReturn(registeredClient); OAuth2Authorization authorization = TestOAuth2Authorizations - .authorization(registeredClient, createPkceAuthorizationParametersPlain()) + .authorization(registeredClient, createPkceAuthorizationParametersS256()) .build(); when(this.authorizationService.findByToken(eq(AUTHORIZATION_CODE), eq(AUTHORIZATION_CODE_TOKEN_TYPE))) .thenReturn(authorization); - Map parameters = createPkceTokenParameters(PLAIN_CODE_VERIFIER); + Map parameters = createPkceTokenParameters(S256_CODE_VERIFIER); parameters.put(OAuth2ParameterNames.CODE, "invalid-code"); OAuth2ClientAuthenticationToken authentication = new OAuth2ClientAuthenticationToken( @@ -258,7 +255,7 @@ public class ClientSecretAuthenticationProviderTests { .thenReturn(registeredClient); OAuth2Authorization authorization = TestOAuth2Authorizations - .authorization(registeredClient, createPkceAuthorizationParametersPlain()) + .authorization(registeredClient, createPkceAuthorizationParametersS256()) .build(); when(this.authorizationService.findByToken(eq(AUTHORIZATION_CODE), eq(AUTHORIZATION_CODE_TOKEN_TYPE))) .thenReturn(authorization); @@ -317,13 +314,6 @@ public class ClientSecretAuthenticationProviderTests { return parameters; } - private static Map createPkceAuthorizationParametersPlain() { - Map parameters = new HashMap<>(); - parameters.put(PkceParameterNames.CODE_CHALLENGE_METHOD, "plain"); - parameters.put(PkceParameterNames.CODE_CHALLENGE, PLAIN_CODE_CHALLENGE); - return parameters; - } - private static Map createPkceAuthorizationParametersS256() { Map parameters = new HashMap<>(); parameters.put(PkceParameterNames.CODE_CHALLENGE_METHOD, "S256"); diff --git a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/authentication/PublicClientAuthenticationProviderTests.java b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/authentication/PublicClientAuthenticationProviderTests.java index 7e55bda9..bb603b61 100644 --- a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/authentication/PublicClientAuthenticationProviderTests.java +++ b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/authentication/PublicClientAuthenticationProviderTests.java @@ -48,9 +48,6 @@ import static org.mockito.Mockito.when; * @author Daniel Garnier-Moiroux */ public class PublicClientAuthenticationProviderTests { - private static final String PLAIN_CODE_VERIFIER = "pkce-key"; - private static final String PLAIN_CODE_CHALLENGE = PLAIN_CODE_VERIFIER; - // See RFC 7636: Appendix B. Example for the S256 code_challenge_method // https://tools.ietf.org/html/rfc7636#appendix-B private static final String S256_CODE_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"; @@ -131,12 +128,12 @@ public class PublicClientAuthenticationProviderTests { .thenReturn(registeredClient); OAuth2Authorization authorization = TestOAuth2Authorizations - .authorization(registeredClient, createPkceAuthorizationParametersPlain()) + .authorization(registeredClient, createPkceAuthorizationParametersS256()) .build(); when(this.authorizationService.findByToken(eq(AUTHORIZATION_CODE), eq(AUTHORIZATION_CODE_TOKEN_TYPE))) .thenReturn(authorization); - Map parameters = createPkceTokenParameters(PLAIN_CODE_VERIFIER); + Map parameters = createPkceTokenParameters(S256_CODE_VERIFIER); parameters.put(OAuth2ParameterNames.CODE, "invalid-code"); OAuth2ClientAuthenticationToken authentication = @@ -163,7 +160,7 @@ public class PublicClientAuthenticationProviderTests { when(this.authorizationService.findByToken(eq(AUTHORIZATION_CODE), eq(AUTHORIZATION_CODE_TOKEN_TYPE))) .thenReturn(authorization); - Map parameters = createPkceTokenParameters(PLAIN_CODE_VERIFIER); + Map parameters = createPkceTokenParameters(S256_CODE_VERIFIER); OAuth2ClientAuthenticationToken authentication = new OAuth2ClientAuthenticationToken(registeredClient.getClientId(), ClientAuthenticationMethod.NONE, null, parameters); @@ -184,7 +181,7 @@ public class PublicClientAuthenticationProviderTests { .thenReturn(registeredClient); OAuth2Authorization authorization = TestOAuth2Authorizations - .authorization(registeredClient, createPkceAuthorizationParametersPlain()) + .authorization(registeredClient, createPkceAuthorizationParametersS256()) .build(); when(this.authorizationService.findByToken(eq(AUTHORIZATION_CODE), eq(AUTHORIZATION_CODE_TOKEN_TYPE))) .thenReturn(authorization); @@ -203,32 +200,6 @@ public class PublicClientAuthenticationProviderTests { }); } - @Test - public void authenticateWhenPlainMethodAndInvalidCodeVerifierThenThrowOAuth2AuthenticationException() { - RegisteredClient registeredClient = TestRegisteredClients.registeredPublicClient().build(); - when(this.registeredClientRepository.findByClientId(eq(registeredClient.getClientId()))) - .thenReturn(registeredClient); - - OAuth2Authorization authorization = TestOAuth2Authorizations - .authorization(registeredClient, createPkceAuthorizationParametersPlain()) - .build(); - when(this.authorizationService.findByToken(eq(AUTHORIZATION_CODE), eq(AUTHORIZATION_CODE_TOKEN_TYPE))) - .thenReturn(authorization); - - Map parameters = createPkceTokenParameters("invalid-code-verifier"); - - OAuth2ClientAuthenticationToken authentication = - new OAuth2ClientAuthenticationToken(registeredClient.getClientId(), ClientAuthenticationMethod.NONE, null, parameters); - - assertThatThrownBy(() -> this.authenticationProvider.authenticate(authentication)) - .isInstanceOf(OAuth2AuthenticationException.class) - .extracting(ex -> ((OAuth2AuthenticationException) ex).getError()) - .satisfies(error -> { - assertThat(error.getErrorCode()).isEqualTo(OAuth2ErrorCodes.INVALID_GRANT); - assertThat(error.getDescription()).contains(PkceParameterNames.CODE_VERIFIER); - }); - } - @Test public void authenticateWhenS256MethodAndInvalidCodeVerifierThenThrowOAuth2AuthenticationException() { RegisteredClient registeredClient = TestRegisteredClients.registeredPublicClient().build(); @@ -255,58 +226,6 @@ public class PublicClientAuthenticationProviderTests { }); } - @Test - public void authenticateWhenPlainMethodAndValidCodeVerifierThenAuthenticated() { - RegisteredClient registeredClient = TestRegisteredClients.registeredPublicClient().build(); - when(this.registeredClientRepository.findByClientId(eq(registeredClient.getClientId()))) - .thenReturn(registeredClient); - - OAuth2Authorization authorization = TestOAuth2Authorizations - .authorization(registeredClient, createPkceAuthorizationParametersPlain()) - .build(); - when(this.authorizationService.findByToken(eq(AUTHORIZATION_CODE), eq(AUTHORIZATION_CODE_TOKEN_TYPE))) - .thenReturn(authorization); - - Map parameters = createPkceTokenParameters(PLAIN_CODE_VERIFIER); - - OAuth2ClientAuthenticationToken authentication = - new OAuth2ClientAuthenticationToken(registeredClient.getClientId(), ClientAuthenticationMethod.NONE, null, parameters); - - OAuth2ClientAuthenticationToken authenticationResult = - (OAuth2ClientAuthenticationToken) this.authenticationProvider.authenticate(authentication); - assertThat(authenticationResult.isAuthenticated()).isTrue(); - assertThat(authenticationResult.getPrincipal().toString()).isEqualTo(registeredClient.getClientId()); - assertThat(authenticationResult.getCredentials()).isNull(); - assertThat(authenticationResult.getRegisteredClient()).isEqualTo(registeredClient); - } - - @Test - public void authenticateWhenMissingMethodThenDefaultPlainMethodAndAuthenticated() { - RegisteredClient registeredClient = TestRegisteredClients.registeredPublicClient().build(); - when(this.registeredClientRepository.findByClientId(eq(registeredClient.getClientId()))) - .thenReturn(registeredClient); - - Map authorizationRequestAdditionalParameters = createPkceAuthorizationParametersPlain(); - authorizationRequestAdditionalParameters.remove(PkceParameterNames.CODE_CHALLENGE_METHOD); - OAuth2Authorization authorization = TestOAuth2Authorizations - .authorization(registeredClient, authorizationRequestAdditionalParameters) - .build(); - when(this.authorizationService.findByToken(eq(AUTHORIZATION_CODE), eq(AUTHORIZATION_CODE_TOKEN_TYPE))) - .thenReturn(authorization); - - Map parameters = createPkceTokenParameters(PLAIN_CODE_VERIFIER); - - OAuth2ClientAuthenticationToken authentication = - new OAuth2ClientAuthenticationToken(registeredClient.getClientId(), ClientAuthenticationMethod.NONE, null, parameters); - - OAuth2ClientAuthenticationToken authenticationResult = - (OAuth2ClientAuthenticationToken) this.authenticationProvider.authenticate(authentication); - assertThat(authenticationResult.isAuthenticated()).isTrue(); - assertThat(authenticationResult.getPrincipal().toString()).isEqualTo(registeredClient.getClientId()); - assertThat(authenticationResult.getCredentials()).isNull(); - assertThat(authenticationResult.getRegisteredClient()).isEqualTo(registeredClient); - } - @Test public void authenticateWhenS256MethodAndValidCodeVerifierThenAuthenticated() { RegisteredClient registeredClient = TestRegisteredClients.registeredPublicClient().build(); @@ -338,7 +257,7 @@ public class PublicClientAuthenticationProviderTests { when(this.registeredClientRepository.findByClientId(eq(registeredClient.getClientId()))) .thenReturn(registeredClient); - Map authorizationRequestAdditionalParameters = createPkceAuthorizationParametersPlain(); + Map authorizationRequestAdditionalParameters = createPkceAuthorizationParametersS256(); // This should never happen: the Authorization endpoint should not allow it authorizationRequestAdditionalParameters.put(PkceParameterNames.CODE_CHALLENGE_METHOD, "unsupported-challenge-method"); OAuth2Authorization authorization = TestOAuth2Authorizations @@ -347,7 +266,7 @@ public class PublicClientAuthenticationProviderTests { when(this.authorizationService.findByToken(eq(AUTHORIZATION_CODE), eq(AUTHORIZATION_CODE_TOKEN_TYPE))) .thenReturn(authorization); - Map parameters = createPkceTokenParameters(PLAIN_CODE_VERIFIER); + Map parameters = createPkceTokenParameters(S256_CODE_VERIFIER); OAuth2ClientAuthenticationToken authentication = new OAuth2ClientAuthenticationToken(registeredClient.getClientId(), ClientAuthenticationMethod.NONE, null, parameters); @@ -372,13 +291,6 @@ public class PublicClientAuthenticationProviderTests { return parameters; } - private static Map createPkceAuthorizationParametersPlain() { - Map parameters = new HashMap<>(); - parameters.put(PkceParameterNames.CODE_CHALLENGE_METHOD, "plain"); - parameters.put(PkceParameterNames.CODE_CHALLENGE, PLAIN_CODE_CHALLENGE); - return parameters; - } - private static Map createPkceAuthorizationParametersS256() { Map parameters = new HashMap<>(); parameters.put(PkceParameterNames.CODE_CHALLENGE_METHOD, "S256"); diff --git a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilterTests.java b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilterTests.java index b34e9573..232d6e23 100644 --- a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilterTests.java +++ b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilterTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2020-2021 the original author or authors. + * Copyright 2020-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -260,7 +260,7 @@ public class OAuth2AuthorizationEndpointFilterTests { OAuth2ErrorCodes.INVALID_REQUEST, request -> { request.addParameter(PkceParameterNames.CODE_CHALLENGE_METHOD, "S256"); - request.addParameter(PkceParameterNames.CODE_CHALLENGE_METHOD, "plain"); + request.addParameter(PkceParameterNames.CODE_CHALLENGE_METHOD, "S256"); }); } diff --git a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationServerMetadataEndpointFilterTests.java b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationServerMetadataEndpointFilterTests.java index 112f4447..64f85e20 100644 --- a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationServerMetadataEndpointFilterTests.java +++ b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationServerMetadataEndpointFilterTests.java @@ -132,7 +132,7 @@ public class OAuth2AuthorizationServerMetadataEndpointFilterTests { assertThat(authorizationServerMetadataResponse).contains("\"revocation_endpoint_auth_methods_supported\":[\"client_secret_basic\",\"client_secret_post\",\"client_secret_jwt\",\"private_key_jwt\"]"); assertThat(authorizationServerMetadataResponse).contains("\"introspection_endpoint\":\"https://example.com/issuer1/oauth2/v1/introspect\""); assertThat(authorizationServerMetadataResponse).contains("\"introspection_endpoint_auth_methods_supported\":[\"client_secret_basic\",\"client_secret_post\",\"client_secret_jwt\",\"private_key_jwt\"]"); - assertThat(authorizationServerMetadataResponse).contains("\"code_challenge_methods_supported\":[\"plain\",\"S256\"]"); + assertThat(authorizationServerMetadataResponse).contains("\"code_challenge_methods_supported\":[\"S256\"]"); } @Test