
OAuth2AuthorizationCodeRequestAuthenticationConverter can not handle multi-valued parameters #1250

@martin-lindstrom

Description

According to section 2.1 of RFC 8707 - Resource Indicators for OAuth 2.0, multiple resource values should be sent as in the example below:

  GET /as/authorization.oauth2?response_type=code
     &client_id=s6BhdRkqt3
     &state=tNwzQ87pC6llebpmac_IDeeq-mCR2wLDYljHUZUAWuI
     &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
     &scope=calendar%20contacts
     &resource=https%3A%2F%2Fcal.example.com%2F
     &resource=https%3A%2F%2Fcontacts.example.com%2F HTTP/1.1
  Host: authorization-server.example.com

The OAuth2AuthorizationCodeRequestAuthenticationConverter.convert method only handles single-valued parameters:

Map<String, Object> additionalParameters = new HashMap<>();
parameters.forEach((key, value) -> {
  if (!key.equals(OAuth2ParameterNames.RESPONSE_TYPE) &&
      !key.equals(OAuth2ParameterNames.CLIENT_ID) &&
      !key.equals(OAuth2ParameterNames.REDIRECT_URI) &&
      !key.equals(OAuth2ParameterNames.SCOPE) &&
      !key.equals(OAuth2ParameterNames.STATE)) {
    // only the first value of a repeated parameter is kept
    additionalParameters.put(key, value.get(0));
  }
});

This means that only the first resource parameter value is saved in the resulting OAuth2AuthorizationCodeRequestAuthenticationToken.
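As an added illustration (not code from the issue or from Spring Authorization Server), the following stand-alone Java program parses the RFC 8707 request quoted above, runs the first-value-only conversion described in the issue next to a conversion that keeps every repeated value, and applies the per-value check RFC 8707 section 2 requires (each resource must be an absolute URI without a fragment). The class and method names, the choice of String[] to carry repeated values, and the invalid_target error text are assumptions made for this example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Assumed class/method names for this example; not the project's API.
public class MultiValuedResourceExample {

    // Parameters the converter maps to dedicated fields; everything else is an
    // "additional parameter" (same key names as in the issue's snippet).
    private static final Set<String> STANDARD = Set.of(
            "response_type", "client_id", "redirect_uri", "scope", "state");

    /** Parse a raw query string into name -> all values, keeping repeats and order. */
    static Map<String, List<String>> parseQuery(String query) {
        Map<String, List<String>> params = new LinkedHashMap<>();
        for (String pair : query.split("&")) {
            if (pair.isEmpty()) continue;
            int eq = pair.indexOf('=');
            String name = URLDecoder.decode(eq < 0 ? pair : pair.substring(0, eq), StandardCharsets.UTF_8);
            String value = eq < 0 ? "" : URLDecoder.decode(pair.substring(eq + 1), StandardCharsets.UTF_8);
            params.computeIfAbsent(name, k -> new ArrayList<>()).add(value);
        }
        return params;
    }

    /** The behaviour reported in the issue: only the first value of each extra parameter survives. */
    static Map<String, Object> firstValueOnly(Map<String, List<String>> parameters) {
        Map<String, Object> additional = new HashMap<>();
        parameters.forEach((key, value) -> {
            if (!STANDARD.contains(key)) {
                additional.put(key, value.get(0));
            }
        });
        return additional;
    }

    /** Keeps every value: a String for a single value, a String[] for repeats (assumed representation). */
    static Map<String, Object> allValues(Map<String, List<String>> parameters) {
        Map<String, Object> additional = new HashMap<>();
        parameters.forEach((key, value) -> {
            if (!STANDARD.contains(key)) {
                additional.put(key, value.size() == 1 ? value.get(0) : value.toArray(new String[0]));
            }
        });
        return additional;
    }

    /** RFC 8707 section 2: every resource value must be an absolute URI without a fragment. */
    static List<String> validatedResources(Map<String, Object> additional) {
        List<String> resources = new ArrayList<>();
        Object raw = additional.get("resource");
        if (raw == null) return resources;
        String[] values = raw instanceof String[] ? (String[]) raw : new String[] { (String) raw };
        for (String v : values) {
            URI uri;
            try {
                uri = new URI(v);
            } catch (URISyntaxException e) {
                throw new IllegalArgumentException("invalid_target: " + v, e);
            }
            if (!uri.isAbsolute() || uri.getFragment() != null) {
                throw new IllegalArgumentException("invalid_target: " + v);
            }
            resources.add(v);
        }
        return resources;
    }

    public static void main(String[] args) {
        // Constructed query string, copied from the RFC 8707 example in the issue.
        String query = "response_type=code&client_id=s6BhdRkqt3"
                + "&state=tNwzQ87pC6llebpmac_IDeeq-mCR2wLDYljHUZUAWuI"
                + "&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb"
                + "&scope=calendar%20contacts"
                + "&resource=https%3A%2F%2Fcal.example.com%2F"
                + "&resource=https%3A%2F%2Fcontacts.example.com%2F";
        Map<String, List<String>> parsed = parseQuery(query);

        System.out.println("first value only: " + validatedResources(firstValueOnly(parsed)));
        System.out.println("all values      : " + validatedResources(allValues(parsed)));
    }
}
```

Run with a JDK 11 or newer (`java MultiValuedResourceExample.java`). The first line reports only the calendar resource, the second reports both; the practical consequence of the first-value-only behaviour is that the authorization server silently narrows the client's requested audience to the first resource rather than rejecting or honouring the full request, so a client has no signal that the second resource indicator was dropped.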
