Closes spring-projectsgh-11440

docs/modules/ROOT/pages/servlet/oauth2/client/client-authentication.adoc

@@ -92,7 +92,9 @@ val tokenResponseClient = DefaultAuthorizationCodeTokenResponseClient()
 tokenResponseClient.setRequestEntityConverter(requestEntityConverter)
 ----
 ======
-
+[NOTE]
+If you're using the `client-authentication-method: client_secret_basic` and you need to skip URL encoding,
+create a new `DefaultOAuth2TokenRequestHeadersConverter` and set it in the Request Entity Converter above.
 
 === Authenticate using `client_secret_jwt`
 

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/AbstractOAuth2AuthorizationGrantRequestEntityConverter.java

@@ -42,11 +42,7 @@
 abstract class AbstractOAuth2AuthorizationGrantRequestEntityConverter<T extends AbstractOAuth2AuthorizationGrantRequest>
 		implements Converter<T, RequestEntity<?>> {
 
-	// @formatter:off
-	private Converter<T, HttpHeaders> headersConverter =
-			(authorizationGrantRequest) -> OAuth2AuthorizationGrantRequestEntityUtils
-					.getTokenRequestHeaders(authorizationGrantRequest.getClientRegistration());
-	// @formatter:on
+	private Converter<T, HttpHeaders> headersConverter = new DefaultOAuth2TokenRequestHeadersConverter<>();
 
 	private Converter<T, MultiValueMap<String, String>> parametersConverter = this::createParameters;
 

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/DefaultOAuth2TokenRequestHeadersConverter.java

@@ -0,0 +1,62 @@
+package org.springframework.security.oauth2.client.endpoint;
+
+import org.springframework.core.convert.converter.Converter;
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.MediaType;
+import org.springframework.http.RequestEntity;
+import org.springframework.security.oauth2.client.registration.ClientRegistration;
+import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
+
+import java.net.URLEncoder;
+import java.nio.charset.StandardCharsets;
+import java.util.Collections;
+
+/**
+ * Default Converter used by the {@link OAuth2AuthorizationCodeGrantRequestEntityConverter}
+ * that convert from an implementation of an {@link AbstractOAuth2AuthorizationGrantRequest}
+ * to a {@link RequestEntity} representation of an OAuth 2.0 Access Token Request for the
+ * specific Authorization Grant.
+ *
+ * @since 6.3
+ * @see OAuth2ClientCredentialsGrantRequestEntityConverter
+ * @author Peter Eastham
+ * @author Joe Grandja
+ */
+public class DefaultOAuth2TokenRequestHeadersConverter<T extends AbstractOAuth2AuthorizationGrantRequest>
+		implements Converter<T, HttpHeaders> {
+
+	private static final HttpHeaders DEFAULT_TOKEN_HEADERS = getDefaultTokenRequestHeaders();
+	private boolean encodeClientCredentials = true;
+
+	private static HttpHeaders getDefaultTokenRequestHeaders() {
+		HttpHeaders headers = new HttpHeaders();
+		headers.setAccept(Collections.singletonList(MediaType.APPLICATION_JSON_UTF8));
+		final MediaType contentType = MediaType.valueOf(MediaType.APPLICATION_FORM_URLENCODED_VALUE + ";charset=UTF-8");
+		headers.setContentType(contentType);
+		return headers;
+	}
+
+
+	@Override
+	public HttpHeaders convert(T source) {
+		HttpHeaders headers = new HttpHeaders();
+		headers.addAll(DEFAULT_TOKEN_HEADERS);
+		ClientRegistration clientRegistration = source.getClientRegistration();
+		if (ClientAuthenticationMethod.CLIENT_SECRET_BASIC.equals(clientRegistration.getClientAuthenticationMethod())) {
+			String clientId = encodeClientCredentials ?
+					encodeClientCredential(clientRegistration.getClientId()) : clientRegistration.getClientId();
+			String clientSecret = encodeClientCredentials ?
+					encodeClientCredential(clientRegistration.getClientSecret()) : clientRegistration.getClientSecret();
+			headers.setBasicAuth(clientId, clientSecret);
+		}
+		return headers;
+	}
+
+	private static String encodeClientCredential(String clientCredential) {
+        return URLEncoder.encode(clientCredential, StandardCharsets.UTF_8);
+    }
+
+	public void setEncodeClientCredentials(boolean encodeClientCredentials) {
+		this.encodeClientCredentials = encodeClientCredentials;
+	}
+}

oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/endpoint/OAuth2PasswordGrantRequestEntityConverterTests.java

@@ -110,9 +110,11 @@ public void convertWhenParametersConverterSetThenCalled() {
 	@SuppressWarnings("unchecked")
 	@Test
 	public void convertWhenGrantRequestValidThenConverts() {
-		ClientRegistration clientRegistration = TestClientRegistrations.password().build();
+		ClientRegistration clientRegistration = TestClientRegistrations.password().clientId("clientId").clientSecret("clientSecret=").build();
 		OAuth2PasswordGrantRequest passwordGrantRequest = new OAuth2PasswordGrantRequest(clientRegistration, "user1",
 				"password");
+		Converter<OAuth2PasswordGrantRequest, HttpHeaders> headersConverter = new DefaultOAuth2TokenRequestHeadersConverter<>();
+		this.converter.setHeadersConverter(headersConverter);
 		RequestEntity<?> requestEntity = this.converter.convert(passwordGrantRequest);
 		assertThat(requestEntity.getMethod()).isEqualTo(HttpMethod.POST);
 		assertThat(requestEntity.getUrl().toASCIIString())
@@ -121,7 +123,7 @@ public void convertWhenGrantRequestValidThenConverts() {
 		assertThat(headers.getAccept()).contains(MediaType.APPLICATION_JSON_UTF8);
 		assertThat(headers.getContentType())
 			.isEqualTo(MediaType.valueOf(MediaType.APPLICATION_FORM_URLENCODED_VALUE + ";charset=UTF-8"));
-		assertThat(headers.getFirst(HttpHeaders.AUTHORIZATION)).startsWith("Basic ");
+		assertThat(headers.getFirst(HttpHeaders.AUTHORIZATION)).isEqualTo("Basic Y2xpZW50SWQ6Y2xpZW50U2VjcmV0JTNE");
 		MultiValueMap<String, String> formParameters = (MultiValueMap<String, String>) requestEntity.getBody();
 		assertThat(formParameters.getFirst(OAuth2ParameterNames.GRANT_TYPE))
 			.isEqualTo(AuthorizationGrantType.PASSWORD.getValue());
@@ -130,4 +132,29 @@ public void convertWhenGrantRequestValidThenConverts() {
 		assertThat(formParameters.getFirst(OAuth2ParameterNames.SCOPE)).contains(clientRegistration.getScopes());
 	}
 
+	@SuppressWarnings("unchecked")
+	@Test
+	public void convertWhenGrantRequestValidThenConvertsWithoutUrlEncoding() {
+		ClientRegistration clientRegistration = TestClientRegistrations.password().clientId("clientId").clientSecret("clientSecret=").build();
+		OAuth2PasswordGrantRequest passwordGrantRequest = new OAuth2PasswordGrantRequest(clientRegistration, "user1",
+				"password=");
+		var headersConverter = new DefaultOAuth2TokenRequestHeadersConverter<OAuth2PasswordGrantRequest>();
+		headersConverter.setEncodeClientCredentials(false);
+		this.converter.setHeadersConverter(headersConverter);
+		RequestEntity<?> requestEntity = this.converter.convert(passwordGrantRequest);
+		assertThat(requestEntity.getMethod()).isEqualTo(HttpMethod.POST);
+		assertThat(requestEntity.getUrl().toASCIIString())
+				.isEqualTo(clientRegistration.getProviderDetails().getTokenUri());
+		HttpHeaders headers = requestEntity.getHeaders();
+		assertThat(headers.getAccept()).contains(MediaType.APPLICATION_JSON_UTF8);
+		assertThat(headers.getContentType())
+				.isEqualTo(MediaType.valueOf(MediaType.APPLICATION_FORM_URLENCODED_VALUE + ";charset=UTF-8"));
+		assertThat(headers.getFirst(HttpHeaders.AUTHORIZATION)).isEqualTo("Basic Y2xpZW50SWQ6Y2xpZW50U2VjcmV0PQ==");
+		MultiValueMap<String, String> formParameters = (MultiValueMap<String, String>) requestEntity.getBody();
+		assertThat(formParameters.getFirst(OAuth2ParameterNames.GRANT_TYPE))
+				.isEqualTo(AuthorizationGrantType.PASSWORD.getValue());
+		assertThat(formParameters.getFirst(OAuth2ParameterNames.USERNAME)).isEqualTo("user1");
+		assertThat(formParameters.getFirst(OAuth2ParameterNames.PASSWORD)).isEqualTo("password=");
+		assertThat(formParameters.getFirst(OAuth2ParameterNames.SCOPE)).contains(clientRegistration.getScopes());
+	}
 }