Merge branch '6.2.x'

spring-projects · Apr 4, 2024 · d269176 · d269176
2 parents 61e93ee + 01f299f
commit d269176
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 16 deletions.
diff --git a/...ramework/security/oauth2/server/resource/introspection/SpringOpaqueTokenIntrospector.java b/...ramework/security/oauth2/server/resource/introspection/SpringOpaqueTokenIntrospector.java
@@ -22,6 +22,7 @@
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.Collections;
+import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
 
@@ -183,16 +184,17 @@ private Map<String, Object> adaptToNimbusResponse(ResponseEntity<Map<String, Obj
 	}
 
 	private OAuth2TokenIntrospectionClaimAccessor convertClaimsSet(Map<String, Object> claims) {
-		claims.computeIfPresent(OAuth2TokenIntrospectionClaimNames.AUD, (k, v) -> {
+		Map<String, Object> converted = new LinkedHashMap<>(claims);
+		converted.computeIfPresent(OAuth2TokenIntrospectionClaimNames.AUD, (k, v) -> {
 			if (v instanceof String) {
 				return Collections.singletonList(v);
 			}
 			return v;
 		});
-		claims.computeIfPresent(OAuth2TokenIntrospectionClaimNames.CLIENT_ID, (k, v) -> v.toString());
-		claims.computeIfPresent(OAuth2TokenIntrospectionClaimNames.EXP,
+		converted.computeIfPresent(OAuth2TokenIntrospectionClaimNames.CLIENT_ID, (k, v) -> v.toString());
+		converted.computeIfPresent(OAuth2TokenIntrospectionClaimNames.EXP,
 				(k, v) -> Instant.ofEpochSecond(((Number) v).longValue()));
-		claims.computeIfPresent(OAuth2TokenIntrospectionClaimNames.IAT,
+		converted.computeIfPresent(OAuth2TokenIntrospectionClaimNames.IAT,
 				(k, v) -> Instant.ofEpochSecond(((Number) v).longValue()));
 		// RFC-7662 page 7 directs users to RFC-7519 for defining the values of these
 		// issuer fields.
@@ -212,12 +214,12 @@ private OAuth2TokenIntrospectionClaimAccessor convertClaimsSet(Map<String, Objec
 		// may be awkward to debug, we do not want to manipulate this value. Previous
 		// versions of Spring Security
 		// would *only* allow valid URLs, which is not what we wish to achieve here.
-		claims.computeIfPresent(OAuth2TokenIntrospectionClaimNames.ISS, (k, v) -> v.toString());
-		claims.computeIfPresent(OAuth2TokenIntrospectionClaimNames.NBF,
+		converted.computeIfPresent(OAuth2TokenIntrospectionClaimNames.ISS, (k, v) -> v.toString());
+		converted.computeIfPresent(OAuth2TokenIntrospectionClaimNames.NBF,
 				(k, v) -> Instant.ofEpochSecond(((Number) v).longValue()));
-		claims.computeIfPresent(OAuth2TokenIntrospectionClaimNames.SCOPE,
+		converted.computeIfPresent(OAuth2TokenIntrospectionClaimNames.SCOPE,
 				(k, v) -> (v instanceof String s) ? new ArrayListFromString(s.split(" ")) : v);
-		return () -> claims;
+		return () -> converted;
 	}
 
 	/**

diff --git a/.../security/oauth2/server/resource/introspection/SpringReactiveOpaqueTokenIntrospector.java b/.../security/oauth2/server/resource/introspection/SpringReactiveOpaqueTokenIntrospector.java
@@ -22,6 +22,7 @@
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.Collections;
+import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
 
@@ -143,16 +144,17 @@ private Mono<Map<String, Object>> adaptToNimbusResponse(ClientResponse responseE
 	}
 
 	private OAuth2TokenIntrospectionClaimAccessor convertClaimsSet(Map<String, Object> claims) {
-		claims.computeIfPresent(OAuth2TokenIntrospectionClaimNames.AUD, (k, v) -> {
+		Map<String, Object> converted = new LinkedHashMap<>(claims);
+		converted.computeIfPresent(OAuth2TokenIntrospectionClaimNames.AUD, (k, v) -> {
 			if (v instanceof String) {
 				return Collections.singletonList(v);
 			}
 			return v;
 		});
-		claims.computeIfPresent(OAuth2TokenIntrospectionClaimNames.CLIENT_ID, (k, v) -> v.toString());
-		claims.computeIfPresent(OAuth2TokenIntrospectionClaimNames.EXP,
+		converted.computeIfPresent(OAuth2TokenIntrospectionClaimNames.CLIENT_ID, (k, v) -> v.toString());
+		converted.computeIfPresent(OAuth2TokenIntrospectionClaimNames.EXP,
 				(k, v) -> Instant.ofEpochSecond(((Number) v).longValue()));
-		claims.computeIfPresent(OAuth2TokenIntrospectionClaimNames.IAT,
+		converted.computeIfPresent(OAuth2TokenIntrospectionClaimNames.IAT,
 				(k, v) -> Instant.ofEpochSecond(((Number) v).longValue()));
 		// RFC-7662 page 7 directs users to RFC-7519 for defining the values of these
 		// issuer fields.
@@ -172,12 +174,12 @@ private OAuth2TokenIntrospectionClaimAccessor convertClaimsSet(Map<String, Objec
 		// may be awkward to debug, we do not want to manipulate this value. Previous
 		// versions of Spring Security
 		// would *only* allow valid URLs, which is not what we wish to achieve here.
-		claims.computeIfPresent(OAuth2TokenIntrospectionClaimNames.ISS, (k, v) -> v.toString());
-		claims.computeIfPresent(OAuth2TokenIntrospectionClaimNames.NBF,
+		converted.computeIfPresent(OAuth2TokenIntrospectionClaimNames.ISS, (k, v) -> v.toString());
+		converted.computeIfPresent(OAuth2TokenIntrospectionClaimNames.NBF,
 				(k, v) -> Instant.ofEpochSecond(((Number) v).longValue()));
-		claims.computeIfPresent(OAuth2TokenIntrospectionClaimNames.SCOPE,
+		converted.computeIfPresent(OAuth2TokenIntrospectionClaimNames.SCOPE,
 				(k, v) -> (v instanceof String s) ? new ArrayListFromString(s.split(" ")) : v);
-		return () -> claims;
+		return () -> converted;
 	}
 
 	private OAuth2IntrospectionException onError(Throwable ex) {