From 0ff0f38b8f63ab4af8feaa651ba7fdbca7c66d36 Mon Sep 17 00:00:00 2001
From: topiam
Date: Sun, 18 Dec 2022 14:51:13 +0800
Subject: [PATCH 1/3] Fix: #1012
---
 ...tionCodeRequestAuthenticationProvider.java | 22 +++++++++----------
 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeRequestAuthenticationProvider.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeRequestAuthenticationProvider.java
index 1c3a16663..972e1eaca 100644
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeRequestAuthenticationProvider.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeRequestAuthenticationProvider.java
@@ -124,17 +124,26 @@ public Authentication authenticate(Authentication authentication) throws Authent
 					authorizationCodeRequestAuthentication, registeredClient);
 		}
 
+		OAuth2AuthorizationRequest authorizationRequest = OAuth2AuthorizationRequest.authorizationCode()
+				.authorizationUri(authorizationCodeRequestAuthentication.getAuthorizationUri())
+				.clientId(registeredClient.getClientId())
+				.redirectUri(authorizationCodeRequestAuthentication.getRedirectUri())
+				.scopes(authorizationCodeRequestAuthentication.getScopes())
+				.state(authorizationCodeRequestAuthentication.getState())
+				.additionalParameters(authorizationCodeRequestAuthentication.getAdditionalParameters())
+				.build();
+
 		// code_challenge (REQUIRED for public clients) - RFC 7636 (PKCE)
 		String codeChallenge = (String) authorizationCodeRequestAuthentication.getAdditionalParameters().get(PkceParameterNames.CODE_CHALLENGE);
 		if (StringUtils.hasText(codeChallenge)) {
 			String codeChallengeMethod = (String) authorizationCodeRequestAuthentication.getAdditionalParameters().get(PkceParameterNames.CODE_CHALLENGE_METHOD);
 			if (!StringUtils.hasText(codeChallengeMethod) || !"S256".equals(codeChallengeMethod)) {
 				throwError(OAuth2ErrorCodes.INVALID_REQUEST, PkceParameterNames.CODE_CHALLENGE_METHOD, PKCE_ERROR_URI,
-						authorizationCodeRequestAuthentication, registeredClient, null);
+						authorizationCodeRequestAuthentication, registeredClient, authorizationRequest);
 			}
 		} else if (registeredClient.getClientSettings().isRequireProofKey()) {
 			throwError(OAuth2ErrorCodes.INVALID_REQUEST, PkceParameterNames.CODE_CHALLENGE, PKCE_ERROR_URI,
-					authorizationCodeRequestAuthentication, registeredClient, null);
+					authorizationCodeRequestAuthentication, registeredClient, authorizationRequest);
 		}
 
 		if (this.logger.isTraceEnabled()) {
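Review bot: Passing the newly built `authorizationRequest` into the two PKCE `throwError` calls makes a PKCE failure redirect the error to `authorizationCodeRequestAuthentication.getRedirectUri()`, which is only safe if that value was already checked against the registered client's redirect URIs; the hunk opens on the tail of an earlier `throwError(..., registeredClient)` whose parameter name is not visible, so I cannot confirm from here that redirect_uri validation precedes this point. If it does, the moved block deserves a comment saying so, e.g. `// Built after redirect_uri validation so PKCE errors can be delivered to the validated redirect_uri`, since its position is now load-bearing. authenticate() begins and ends outside this hunk.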
@@ -154,15 +163,6 @@ public Authentication authenticate(Authentication authentication) throws Authent
 			return authorizationCodeRequestAuthentication;
 		}
 
-		OAuth2AuthorizationRequest authorizationRequest = OAuth2AuthorizationRequest.authorizationCode()
-				.authorizationUri(authorizationCodeRequestAuthentication.getAuthorizationUri())
-				.clientId(registeredClient.getClientId())
-				.redirectUri(authorizationCodeRequestAuthentication.getRedirectUri())
-				.scopes(authorizationCodeRequestAuthentication.getScopes())
-				.state(authorizationCodeRequestAuthentication.getState())
-				.additionalParameters(authorizationCodeRequestAuthentication.getAdditionalParameters())
-				.build();
-
 		OAuth2AuthorizationConsent currentAuthorizationConsent = this.authorizationConsentService.findById(
 				registeredClient.getId(), principal.getName());
 
From f6c2045d5a15c9b6a613aa4bdda980b56d644d33 Mon Sep 17 00:00:00 2001
From: smallbun <2689170096@qq.com>
Date: Thu, 12 Jan 2023 08:54:19 +0800
Subject: [PATCH 2/3] Fix: #1012
---
 ...tionCodeRequestAuthenticationProvider.java | 29 ++++++++++---------
 1 file changed, 16 insertions(+), 13 deletions(-)
diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeRequestAuthenticationProvider.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeRequestAuthenticationProvider.java
index 972e1eaca..f88a7029a 100644
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeRequestAuthenticationProvider.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeRequestAuthenticationProvider.java
@@ -124,26 +124,17 @@ public Authentication authenticate(Authentication authentication) throws Authent
 					authorizationCodeRequestAuthentication, registeredClient);
 		}
 
-		OAuth2AuthorizationRequest authorizationRequest = OAuth2AuthorizationRequest.authorizationCode()
-				.authorizationUri(authorizationCodeRequestAuthentication.getAuthorizationUri())
-				.clientId(registeredClient.getClientId())
-				.redirectUri(authorizationCodeRequestAuthentication.getRedirectUri())
-				.scopes(authorizationCodeRequestAuthentication.getScopes())
-				.state(authorizationCodeRequestAuthentication.getState())
-				.additionalParameters(authorizationCodeRequestAuthentication.getAdditionalParameters())
-				.build();
-
 		// code_challenge (REQUIRED for public clients) - RFC 7636 (PKCE)
 		String codeChallenge = (String) authorizationCodeRequestAuthentication.getAdditionalParameters().get(PkceParameterNames.CODE_CHALLENGE);
 		if (StringUtils.hasText(codeChallenge)) {
 			String codeChallengeMethod = (String) authorizationCodeRequestAuthentication.getAdditionalParameters().get(PkceParameterNames.CODE_CHALLENGE_METHOD);
 			if (!StringUtils.hasText(codeChallengeMethod) || !"S256".equals(codeChallengeMethod)) {
 				throwError(OAuth2ErrorCodes.INVALID_REQUEST, PkceParameterNames.CODE_CHALLENGE_METHOD, PKCE_ERROR_URI,
-						authorizationCodeRequestAuthentication, registeredClient, authorizationRequest);
+						authorizationCodeRequestAuthentication, registeredClient, null);
 			}
 		} else if (registeredClient.getClientSettings().isRequireProofKey()) {
 			throwError(OAuth2ErrorCodes.INVALID_REQUEST, PkceParameterNames.CODE_CHALLENGE, PKCE_ERROR_URI,
-					authorizationCodeRequestAuthentication, registeredClient, authorizationRequest);
+					authorizationCodeRequestAuthentication, registeredClient, null);
 		}
 
 		if (this.logger.isTraceEnabled()) {
@@ -163,6 +154,15 @@ public Authentication authenticate(Authentication authentication) throws Authent
 			return authorizationCodeRequestAuthentication;
 		}
 
+		OAuth2AuthorizationRequest authorizationRequest = OAuth2AuthorizationRequest.authorizationCode()
+				.authorizationUri(authorizationCodeRequestAuthentication.getAuthorizationUri())
+				.clientId(registeredClient.getClientId())
+				.redirectUri(authorizationCodeRequestAuthentication.getRedirectUri())
+				.scopes(authorizationCodeRequestAuthentication.getScopes())
+				.state(authorizationCodeRequestAuthentication.getState())
+				.additionalParameters(authorizationCodeRequestAuthentication.getAdditionalParameters())
+				.build();
+
 		OAuth2AuthorizationConsent currentAuthorizationConsent = this.authorizationConsentService.findById(
 				registeredClient.getId(), principal.getName());
 
@@ -333,7 +333,7 @@ private static void throwError(OAuth2Error error, String parameterName,
 			OAuth2AuthorizationCodeRequestAuthenticationToken authorizationCodeRequestAuthentication,
 			RegisteredClient registeredClient, OAuth2AuthorizationRequest authorizationRequest) {
 
-		String redirectUri = resolveRedirectUri(authorizationRequest, registeredClient);
+		String redirectUri = resolveRedirectUri(authorizationCodeRequestAuthentication,authorizationRequest, registeredClient);
 		if (error.getErrorCode().equals(OAuth2ErrorCodes.INVALID_REQUEST) &&
 				(parameterName.equals(OAuth2ParameterNames.CLIENT_ID) ||
 						parameterName.equals(OAuth2ParameterNames.STATE))) {
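Review bot: Handing the authentication token to `resolveRedirectUri` means every `throwError` call now resolves its redirect target from the client-supplied `redirect_uri` first (see the resolver body in the @@ -350 hunk), while the guard on the next lines only suppresses the redirect for `client_id` and `state` errors; an error raised because the `redirect_uri` itself was invalid or not registered would then be delivered to that unvalidated value, unless the guard body outside the hunk already handles it. Previously a `null` request argument skipped the request-supplied value for such errors entirely. I would extend the condition so it also covers `parameterName.equals(OAuth2ParameterNames.REDIRECT_URI)`, keeping the no-redirect behaviour for that case. throwError's body continues outside the hunk.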
@@ -350,7 +350,10 @@ private static void throwError(OAuth2Error error, String parameterName,
 		throw new OAuth2AuthorizationCodeRequestAuthenticationException(error, authorizationCodeRequestAuthenticationResult);
 	}
 
-	private static String resolveRedirectUri(OAuth2AuthorizationRequest authorizationRequest, RegisteredClient registeredClient) {
+	private static String resolveRedirectUri(OAuth2AuthorizationCodeRequestAuthenticationToken authorizationCodeRequestAuthentication,OAuth2AuthorizationRequest authorizationRequest, RegisteredClient registeredClient) {
+		if (authorizationCodeRequestAuthentication!=null && StringUtils.hasText(authorizationCodeRequestAuthentication.getRedirectUri())){
+			return authorizationCodeRequestAuthentication.getRedirectUri();
+		}
 		if (authorizationRequest != null && StringUtils.hasText(authorizationRequest.getRedirectUri())) {
 			return authorizationRequest.getRedirectUri();
 		}
From 2c3c93ae6cbe7de79d3761d46c9ff608e2c60229 Mon Sep 17 00:00:00 2001
From: smallbun <2689170096@qq.com>
Date: Tue, 17 Jan 2023 10:11:30 +0800
Subject: [PATCH 3/3] Fix: #1012
---
 ...OAuth2AuthorizationCodeRequestAuthenticationProvider.java | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeRequestAuthenticationProvider.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeRequestAuthenticationProvider.java
index f88a7029a..c93fa1576 100644
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeRequestAuthenticationProvider.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeRequestAuthenticationProvider.java
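Review bot: The new first branch of `resolveRedirectUri` leaves the `authorizationRequest` branch reachable only when the token is null or carries no redirect_uri, and because `authorizationRequest` is built from `authorizationCodeRequestAuthentication.getRedirectUri()` (@@ -163 hunk) that second branch will seldom yield a different value; the precedence and the trust assumption are not documented anywhere in the hunk. I would add a Javadoc to the method stating the resolution order (token redirect_uri, then authorization-request redirect_uri, then whatever fallback follows) and that the first two are taken verbatim from the client's request, so callers must only use the result as a redirect target after redirect_uri validation has passed. The method's remaining fallback lies outside the hunk.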
@@ -333,7 +333,7 @@ private static void throwError(OAuth2Error error, String parameterName,
 			OAuth2AuthorizationCodeRequestAuthenticationToken authorizationCodeRequestAuthentication,
 			RegisteredClient registeredClient, OAuth2AuthorizationRequest authorizationRequest) {
 
-		String redirectUri = resolveRedirectUri(authorizationCodeRequestAuthentication,authorizationRequest, registeredClient);
+		String redirectUri = resolveRedirectUri(authorizationCodeRequestAuthentication, authorizationRequest, registeredClient);
 		if (error.getErrorCode().equals(OAuth2ErrorCodes.INVALID_REQUEST) &&
 				(parameterName.equals(OAuth2ParameterNames.CLIENT_ID) ||
 						parameterName.equals(OAuth2ParameterNames.STATE))) {
@@ -350,7 +350,8 @@ private static void throwError(OAuth2Error error, String parameterName,
 		throw new OAuth2AuthorizationCodeRequestAuthenticationException(error, authorizationCodeRequestAuthenticationResult);
 	}
 
-	private static String resolveRedirectUri(OAuth2AuthorizationCodeRequestAuthenticationToken authorizationCodeRequestAuthentication,OAuth2AuthorizationRequest authorizationRequest, RegisteredClient registeredClient) {
+	private static String resolveRedirectUri(OAuth2AuthorizationCodeRequestAuthenticationToken authorizationCodeRequestAuthentication,
+			OAuth2AuthorizationRequest authorizationRequest, RegisteredClient registeredClient) {
 		if (authorizationCodeRequestAuthentication!=null && StringUtils.hasText(authorizationCodeRequestAuthentication.getRedirectUri())){
 			return authorizationCodeRequestAuthentication.getRedirectUri();
 		}
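Review bot: The condition on the context line directly under the re-wrapped signature still reads `authorizationCodeRequestAuthentication!=null ... ){`, which is inconsistent with the spacing used two lines later (`authorizationRequest != null ... {`) and elsewhere in this file, so the formatting pass in this commit is incomplete. `if (authorizationCodeRequestAuthentication != null && StringUtils.hasText(authorizationCodeRequestAuthentication.getRedirectUri())) {` would match the surrounding style. The rest of resolveRedirectUri is outside the hunk.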