Return all parameters for non authorization-code flow requests

[sarahwalther]

Expected Behavior
Returned tokens, such as OAuth2AuthorizationCodeAuthenticationToken, should include the same data in the additional parameters field as OAuth2ClientAuthenticationToken.

Current Behavior
Currently, for non authorization-code flow requests, additional parameters get removed and an empty map is returned

Context
In the failure case, we would like to log all non-user identifying information, such as grant_type and scopes to make de-bugging easier. Currently, as a workaround, we are fetching this data from our implementation of the OAuth2AuthorizationService. This gives us what we want, but is some additional work and could slow the process down.

[sjohnr]

Related gh-159

[jgrandja]

@sarahwalther

OAuth2AuthorizationCodeAuthenticationToken should include the same data in the additional parameters field as OAuth2ClientAuthenticationToken

OAuth2AuthorizationCodeAuthenticationToken is an authorization grant token, whereas, OAuth2ClientAuthenticationToken is a token representing a client authentication request. The 2 flows and related parameters are different so the currently populated attributes are correct.

In the failure case, we would like to log all non-user identifying information

If you're looking to log additional information when a client authentication fails, then you have access to all the parameters via the HttpServletRequest that is supplied to OAuth2ClientAuthenticationFilter.setAuthenticationFailureHandler(). See the reference documentation on how to configure a custom AuthenticationFailureHandler.

Does this work for you?

[spring-projects-issues]

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

[spring-projects-issues]

Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.