Issue 1246 adding debug log entry

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/ClientSecretAuthenticationProvider.java

@@ -114,6 +114,9 @@ public Authentication authenticate(Authentication authentication) throws Authent
 
 		String clientSecret = clientAuthentication.getCredentials().toString();
 		if (!this.passwordEncoder.matches(clientSecret, registeredClient.getClientSecret())) {
+			if(this.logger.isDebugEnabled()){
+				this.logger.debug("Invalid client_secret");
+			}
 			throwInvalidClient(OAuth2ParameterNames.CLIENT_SECRET);
 		}
 

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/CodeVerifierAuthenticator.java

@@ -96,6 +96,7 @@ private boolean authenticate(OAuth2ClientAuthenticationToken clientAuthenticatio
 				.get(PkceParameterNames.CODE_CHALLENGE);
 		if (!StringUtils.hasText(codeChallenge)) {
 			if (registeredClient.getClientSettings().isRequireProofKey()) {
+				logDebugMessage("Missing code_challenge");
 				throwInvalidGrant(PkceParameterNames.CODE_CHALLENGE);
 			} else {
 				if (this.logger.isTraceEnabled()) {
@@ -129,8 +130,9 @@ private static boolean authorizationCodeGrant(Map<String, Object> parameters) {
 				parameters.get(OAuth2ParameterNames.CODE) != null;
 	}
 
-	private static boolean codeVerifierValid(String codeVerifier, String codeChallenge, String codeChallengeMethod) {
+	private boolean codeVerifierValid(String codeVerifier, String codeChallenge, String codeChallengeMethod) {
 		if (!StringUtils.hasText(codeVerifier)) {
+			logDebugMessage("Missing code_verifier");
 			return false;
 		} else if ("S256".equals(codeChallengeMethod)) {
 			try {
@@ -156,4 +158,9 @@ private static void throwInvalidGrant(String parameterName) {
 		throw new OAuth2AuthenticationException(error);
 	}
 
+	private void logDebugMessage(String logMessage){
+		if(this.logger.isDebugEnabled()){
+			this.logger.debug(logMessage);
+		}
+	}
 }

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeRequestAuthenticationValidator.java

@@ -18,6 +18,8 @@
 import java.util.Set;
 import java.util.function.Consumer;
 
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.oauth2.core.OAuth2Error;
 import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
@@ -48,17 +50,18 @@
 public final class OAuth2AuthorizationCodeRequestAuthenticationValidator implements Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> {
 	private static final String ERROR_URI = "https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1";
 
+	private final Log logger = LogFactory.getLog(getClass());
 	/**
 	 * The default validator for {@link OAuth2AuthorizationCodeRequestAuthenticationToken#getScopes()}.
 	 */
-	public static final Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> DEFAULT_SCOPE_VALIDATOR =
-			OAuth2AuthorizationCodeRequestAuthenticationValidator::validateScope;
+	public final Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> DEFAULT_SCOPE_VALIDATOR =
+			this::validateScope;
 
 	/**
 	 * The default validator for {@link OAuth2AuthorizationCodeRequestAuthenticationToken#getRedirectUri()}.
 	 */
-	public static final Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> DEFAULT_REDIRECT_URI_VALIDATOR =
-			OAuth2AuthorizationCodeRequestAuthenticationValidator::validateRedirectUri;
+	public final Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> DEFAULT_REDIRECT_URI_VALIDATOR =
+			this::validateRedirectUri;
 
 	private final Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> authenticationValidator =
 			DEFAULT_REDIRECT_URI_VALIDATOR.andThen(DEFAULT_SCOPE_VALIDATOR);
@@ -68,20 +71,21 @@ public void accept(OAuth2AuthorizationCodeRequestAuthenticationContext authentic
 		this.authenticationValidator.accept(authenticationContext);
 	}
 
-	private static void validateScope(OAuth2AuthorizationCodeRequestAuthenticationContext authenticationContext) {
+	private void validateScope(OAuth2AuthorizationCodeRequestAuthenticationContext authenticationContext) {
 		OAuth2AuthorizationCodeRequestAuthenticationToken authorizationCodeRequestAuthentication =
 				authenticationContext.getAuthentication();
 		RegisteredClient registeredClient = authenticationContext.getRegisteredClient();
 
 		Set<String> requestedScopes = authorizationCodeRequestAuthentication.getScopes();
 		Set<String> allowedScopes = registeredClient.getScopes();
 		if (!requestedScopes.isEmpty() && !allowedScopes.containsAll(requestedScopes)) {
+			logDebugMessage("Invalid scope");
 			throwError(OAuth2ErrorCodes.INVALID_SCOPE, OAuth2ParameterNames.SCOPE,
 					authorizationCodeRequestAuthentication, registeredClient);
 		}
 	}
 
-	private static void validateRedirectUri(OAuth2AuthorizationCodeRequestAuthenticationContext authenticationContext) {
+	private void validateRedirectUri(OAuth2AuthorizationCodeRequestAuthenticationContext authenticationContext) {
 		OAuth2AuthorizationCodeRequestAuthenticationToken authorizationCodeRequestAuthentication =
 				authenticationContext.getAuthentication();
 		RegisteredClient registeredClient = authenticationContext.getRegisteredClient();
@@ -124,6 +128,7 @@ private static void validateRedirectUri(OAuth2AuthorizationCodeRequestAuthentica
 					}
 				}
 				if (!validRedirectUri) {
+					logDebugMessage("Invalid redirect_uri");
 					throwError(OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ParameterNames.REDIRECT_URI,
 							authorizationCodeRequestAuthentication, registeredClient);
 				}
@@ -196,4 +201,10 @@ private static void throwError(OAuth2Error error, String parameterName,
 		throw new OAuth2AuthorizationCodeRequestAuthenticationException(error, authorizationCodeRequestAuthenticationResult);
 	}
 
+	private void logDebugMessage(String logMessage){
+		if(this.logger.isDebugEnabled()){
+			this.logger.debug(logMessage);
+		}
+	}
+
 }