From 9970ab890021d7f4f1a3b9592d948dc2a195adcd Mon Sep 17 00:00:00 2001
From: Steve Riesenberg
Date: Fri, 21 May 2021 15:03:10 -0500
Subject: [PATCH] Add ability to disable URL encoding of client credentials

Closes gh-10018

Note: This commit can be reverted in 5.6 once it has been backported.
---
 ...horizationGrantRequestEntityConverter.java | 17 +++++++++++++-
 ...activeOAuth2AccessTokenResponseClient.java | 22 +++++++++++++++++--
 ...2AuthorizationGrantRequestEntityUtils.java | 8 ++++---
 3 files changed, 41 insertions(+), 6 deletions(-)

diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/AbstractOAuth2AuthorizationGrantRequestEntityConverter.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/AbstractOAuth2AuthorizationGrantRequestEntityConverter.java
index 7da5d530445..7e6b7461437 100644
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/AbstractOAuth2AuthorizationGrantRequestEntityConverter.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/AbstractOAuth2AuthorizationGrantRequestEntityConverter.java
@@ -42,10 +42,12 @@ abstract class AbstractOAuth2AuthorizationGrantRequestEntityConverter implements Converter> {
+ private boolean encodeClientCredentials = true;
+ // @formatter:off
 private Converter headersConverter = (authorizationGrantRequest) -> OAuth2AuthorizationGrantRequestEntityUtils
- .getTokenRequestHeaders(authorizationGrantRequest.getClientRegistration());
+ .getTokenRequestHeaders(authorizationGrantRequest.getClientRegistration(), this.encodeClientCredentials);
 // @formatter:on
 private Converter> parametersConverter = this::createParameters;
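Review bot: The new field `private boolean encodeClientCredentials = true;` is the switch that turns the mandated encoding of the client id and secret on and off, but nothing at the field says which setting is the compliant one or why the switch exists; a reader of this class only sees the lambda forwarding it to `getTokenRequestHeaders`. A one-line comment above the field would carry that: `// RFC 6749 Section 2.3.1 requires form-encoding the client id and secret before Basic auth; false exists only for non-compliant providers and is slated for removal in 5.6.` The matching field in AbstractWebClientReactiveOAuth2AccessTokenResponseClient would take the same comment. The second hunk of this file (`@@ -170,4 +172,17 @@`), which presumably adds the deprecated setter, is not legible in this copy of the patch, so I cannot review it.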
@@ -170,4 +172,17 @@ public final void addParametersConverter(Converter implements ReactiveOAuth2AccessTokenResponseClient {
+ private boolean encodeClientCredentials = true;
+ private WebClient webClient = WebClient.builder().build();
 AbstractWebClientReactiveOAuth2AccessTokenResponseClient() {
@@ -100,8 +102,11 @@ private void populateTokenRequestHeaders(T grantRequest, HttpHeaders headers) {
 headers.setAccept(Collections.singletonList(MediaType.APPLICATION_JSON));
 if (ClientAuthenticationMethod.CLIENT_SECRET_BASIC.equals(clientRegistration.getClientAuthenticationMethod())
 || ClientAuthenticationMethod.BASIC.equals(clientRegistration.getClientAuthenticationMethod())) {
- String clientId = encodeClientCredential(clientRegistration.getClientId());
- String clientSecret = encodeClientCredential(clientRegistration.getClientSecret());
+ String clientId = this.encodeClientCredentials ? encodeClientCredential(clientRegistration.getClientId())
+ : clientRegistration.getClientId();
+ String clientSecret = this.encodeClientCredentials
+ ? encodeClientCredential(clientRegistration.getClientSecret())
+ : clientRegistration.getClientSecret();
 headers.setBasicAuth(clientId, clientSecret);
 }
 }
@@ -230,4 +235,17 @@ public void setWebClient(WebClient webClient) {
 this.webClient = webClient;
 }
+ /**
+ * Sets the flag that controls whether client credentials are encoded using the
+ * application/x-www-form-urlencoded algorithm while populating token request headers.
+ * @deprecated Support for non-compliant providers will be removed in Spring Security
+ * 5.6
+ * @param encodeClientCredentials {@code false} to disable encoding client credentials
+ * (default is true)
+ */
+ @Deprecated
+ public void setEncodeClientCredentials(boolean encodeClientCredentials) {
+ this.encodeClientCredentials = encodeClientCredentials;
+ }
+
 }
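Review bot: When `encodeClientCredentials` is false, the raw client id and secret go straight into `headers.setBasicAuth(clientId, clientSecret)`; Spring's `HttpHeaders.setBasicAuth` rejects a username containing a colon and, as far as I recall, any value that cannot be encoded in ISO-8859-1, so a registration that works with the default (the encoded form is colon-free ASCII) can start throwing IllegalArgumentException at token-request time once the flag is switched off. The same exposure exists in `getTokenRequestHeaders` in OAuth2AuthorizationGrantRequestEntityUtils. The setter Javadoc in the `@@ -230,4 +235,17 @@` hunk is the place to say so; after its first sentence I would add: `* Disabling encoding hands the raw values to {@code HttpHeaders#setBasicAuth}, which rejects a client id containing ':' and credentials with non-ISO-8859-1 characters.` Also, the second ternary is wrapped over three lines while the first fits on two; the two-line form used in the utils class reads more evenly. populateTokenRequestHeaders starts before this hunk.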
diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/OAuth2AuthorizationGrantRequestEntityUtils.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/OAuth2AuthorizationGrantRequestEntityUtils.java
index 91f4a597bad..1ad6fc4a33e 100644
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/OAuth2AuthorizationGrantRequestEntityUtils.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/OAuth2AuthorizationGrantRequestEntityUtils.java
@@ -46,13 +46,15 @@ final class OAuth2AuthorizationGrantRequestEntityUtils {
 private OAuth2AuthorizationGrantRequestEntityUtils() {
 }
- static HttpHeaders getTokenRequestHeaders(ClientRegistration clientRegistration) {
+ static HttpHeaders getTokenRequestHeaders(ClientRegistration clientRegistration, boolean encodeClientCredentials) {
 HttpHeaders headers = new HttpHeaders();
 headers.addAll(DEFAULT_TOKEN_REQUEST_HEADERS);
 if (ClientAuthenticationMethod.CLIENT_SECRET_BASIC.equals(clientRegistration.getClientAuthenticationMethod())
 || ClientAuthenticationMethod.BASIC.equals(clientRegistration.getClientAuthenticationMethod())) {
- String clientId = encodeClientCredential(clientRegistration.getClientId());
- String clientSecret = encodeClientCredential(clientRegistration.getClientSecret());
+ String clientId = encodeClientCredentials ? encodeClientCredential(clientRegistration.getClientId())
+ : clientRegistration.getClientId();
+ String clientSecret = encodeClientCredentials ? encodeClientCredential(clientRegistration.getClientSecret())
+ : clientRegistration.getClientSecret();
 headers.setBasicAuth(clientId, clientSecret);
 }
 return headers;
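Review bot: The new `boolean encodeClientCredentials` parameter on `getTokenRequestHeaders` is undocumented, and a bare boolean at a call site does not tell a reader which branch is the normal one. A Javadoc on the method would settle it: `@param encodeClientCredentials whether to apply application/x-www-form-urlencoded encoding to the client id and secret before building the Basic authorization header, as RFC 6749 Section 2.3.1 requires; {@code false} exists only for non-compliant providers and is scheduled for removal in 5.6`. The two ternaries repeat the same decision; if `encodeClientCredential` is called only from here, folding the flag into it (`encodeClientCredential(clientRegistration.getClientId(), encodeClientCredentials)`) would leave a single branch point, though that helper is outside this hunk so I cannot confirm its other callers.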