revert auth scopes changes

adamleantech · adamleantech · commit 50b77ffd1e70 · 2023-10-20T13:01:14.000+01:00
diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2ClientCredentialsAuthenticationProvider.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2ClientCredentialsAuthenticationProvider.java
@@ -15,6 +15,7 @@
  */
 package org.springframework.security.oauth2.server.authorization.authentication;
 
+import java.util.Set;
 import java.util.function.Consumer;
 
 import org.apache.commons.logging.Log;
@@ -104,12 +105,14 @@ public Authentication authenticate(Authentication authentication) throws Authent
 			this.logger.trace("Validated token request parameters");
 		}
 
+		Set<String> authorizedScopes = Set.copyOf(clientCredentialsAuthentication.getScopes());
+
 		// @formatter:off
 		OAuth2TokenContext tokenContext = DefaultOAuth2TokenContext.builder()
 				.registeredClient(registeredClient)
 				.principal(clientPrincipal)
 				.authorizationServerContext(AuthorizationServerContextHolder.getContext())
-				.authorizedScopes(clientCredentialsAuthentication.getScopes())
+				.authorizedScopes(authorizedScopes)
 				.tokenType(OAuth2TokenType.ACCESS_TOKEN)
 				.authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
 				.authorizationGrant(clientCredentialsAuthentication)
@@ -135,7 +138,7 @@ public Authentication authenticate(Authentication authentication) throws Authent
 		OAuth2Authorization.Builder authorizationBuilder = OAuth2Authorization.withRegisteredClient(registeredClient)
 				.principalName(clientPrincipal.getName())
 				.authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
-				.authorizedScopes(tokenContext.getAuthorizedScopes());
+				.authorizedScopes(authorizedScopes);
 		// @formatter:on
 		if (generatedAccessToken instanceof ClaimAccessor) {
 			authorizationBuilder.token(accessToken, (metadata) ->
