
[BUG] On-behalf-of token payload is wrong in Spring Boot 4.x / Spring Framework 7.x beta #47657

@ctNb

Description


Describe the bug

When using the on_behalf_of grant type with Azure AD authentication, the AbstractRestClientOAuth2AccessTokenResponseClient incorrectly merges parameters from multiple converters (DefaultOAuth2TokenRequestParametersConverter and AadJwtBearerGrantRequestParameterConverter). This causes parameter values to be converted into lists instead of single values, resulting in duplicate grant type values being sent to the authorization server.

Exception or Stack Trace

[unsupported_grant_type] AADSTS70003: The app requested an unsupported grant type 'urn:ietf:params:oauth:grant-type:jwt-bearer,urn:ietf:params:oauth:grant-type:jwt-bearer'.

To Reproduce

  1. Configure a Spring Boot application with Azure AD OAuth2 authentication
  2. Set up an authorized client using the on_behalf_of grant type
  3. Attempt to request an access token using the on-behalf-of flow
  4. The request fails with the AADSTS70003 error due to malformed grant type parameter

Code Snippet

The issue occurs in the addParametersConverter() method in AbstractRestClientOAuth2AccessTokenResponseClient.java. When composing converters, the method uses MultiValueMap.addAll(), which appends values to existing keys rather than replacing them:

// Condensed from Spring Security: addParametersConverter() wraps the current converter
// in a new one that runs both and merges their outputs.
public final void addParametersConverter(Converter<T, MultiValueMap<String, String>> parametersConverter) {
 Converter<T, MultiValueMap<String, String>> currentParametersConverter = this.parametersConverter;
 this.parametersConverter = (authorizationGrantRequest) -> {
  // existing parameters from DefaultOAuth2TokenRequestParametersConverter (already contains grant_type)
  MultiValueMap<String, String> parameters = currentParametersConverter.convert(authorizationGrantRequest);
  MultiValueMap<String, String> parametersToAdd = parametersConverter.convert(authorizationGrantRequest);
  if (parametersToAdd != null) {
   parameters.addAll(parametersToAdd);  // appends to the existing grant_type list instead of replacing it
  }
  return parameters;
 };
}

Expected behavior

Parameters should be properly merged such that when multiple converters provide the same parameter key, the final value should be a single string value, not a list. The grant type should appear once as urn:ietf:params:oauth:grant-type:jwt-bearer, not duplicated.

Setup (please complete the following information):

  • OS: macOS
  • IDE: IntelliJ IDEA 2025.2.6
  • Library/Libraries: com.azure.spring:spring-cloud-azure-starter:7.0.0-beta.1
  • Java version: 25
  • Frameworks: Spring Boot 4.0.1, Spring Security with OAuth2
  • Build Tool: Maven
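The following is an added example, not code from this issue, from Spring Security or from the Azure starter. It models the merge described above with Spring's own MultiValueMap: two converters that both emit grant_type are combined once with addAll() (the behaviour the report describes) and once with a replace-on-collision merge, and the resulting form body is printed so the repeated grant_type field is visible. The parameter sets contributed by each converter, the placeholder assertion value and the scope are assumptions made for the demonstration; the only dependency beyond the JDK is spring-core (LinkedMultiValueMap).

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;

// Added example: shows how MultiValueMap.addAll() turns a repeated grant_type
// into a two-element list, and how a replace-on-collision merge avoids it.
// Needs spring-core on the classpath; everything else is plain JDK.
public class OboParameterMerge {

    static final String JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer";

    // Parameters the default jwt-bearer converter is assumed to contribute
    // (the assertion value is a constructed placeholder, not a real token).
    static MultiValueMap<String, String> defaultParameters() {
        MultiValueMap<String, String> p = new LinkedMultiValueMap<>();
        p.add("grant_type", JWT_BEARER);
        p.add("assertion", "eyJ.constructed-incoming-user-token");
        p.add("scope", "https://graph.microsoft.com/.default");
        return p;
    }

    // Parameters an on-behalf-of converter is assumed to add. It repeats
    // grant_type, which is the key collision that matters here.
    static MultiValueMap<String, String> oboParameters() {
        MultiValueMap<String, String> p = new LinkedMultiValueMap<>();
        p.add("grant_type", JWT_BEARER);
        p.add("requested_token_use", "on_behalf_of");
        return p;
    }

    // Merge as the issue describes: addAll() appends to existing keys,
    // so grant_type ends up as [jwt-bearer, jwt-bearer].
    static MultiValueMap<String, String> mergeAppending(MultiValueMap<String, String> base,
                                                        MultiValueMap<String, String> extra) {
        MultiValueMap<String, String> merged = new LinkedMultiValueMap<>(base);
        merged.addAll(extra);
        return merged;
    }

    // Replace-on-collision merge: the later converter overrides a key instead
    // of growing its value list, so every parameter is sent exactly once.
    static MultiValueMap<String, String> mergeReplacing(MultiValueMap<String, String> base,
                                                        MultiValueMap<String, String> extra) {
        MultiValueMap<String, String> merged = new LinkedMultiValueMap<>(base);
        merged.setAll(extra.toSingleValueMap());
        return merged;
    }

    // application/x-www-form-urlencoded body: each list element becomes its own
    // key=value pair, so a two-element grant_type shows up as a repeated field.
    static String formEncode(MultiValueMap<String, String> params) {
        return params.entrySet().stream()
                .flatMap(e -> e.getValue().stream()
                        .map(v -> enc(e.getKey()) + "=" + enc(v)))
                .collect(Collectors.joining("&"));
    }

    private static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8);
    }

    // Guard worth keeping in a test: no token-request parameter may be
    // multi-valued when the request leaves the client.
    static void assertSingleValued(MultiValueMap<String, String> params) {
        for (Map.Entry<String, List<String>> e : params.entrySet()) {
            if (e.getValue().size() != 1) {
                throw new IllegalStateException(
                        "duplicate parameter " + e.getKey() + "=" + e.getValue());
            }
        }
    }

    public static void main(String[] args) {
        MultiValueMap<String, String> buggy = mergeAppending(defaultParameters(), oboParameters());
        MultiValueMap<String, String> fixed = mergeReplacing(defaultParameters(), oboParameters());

        System.out.println("addAll grant_type = " + buggy.get("grant_type"));  // two entries
        System.out.println("setAll grant_type = " + fixed.get("grant_type"));  // one entry
        System.out.println("buggy body: " + formEncode(buggy));
        System.out.println("fixed body: " + formEncode(fixed));

        assertSingleValued(fixed);   // passes
        assertSingleValued(buggy);   // throws on grant_type
    }
}
```

Running main prints the appended merge with two grant_type fields in the body and the replacing merge with one; the final assertSingleValued(buggy) call throws, which is the check you would want in front of any token request built from composed converters. If the converter that contributes requested_token_use is under your control, the simplest avoidance is to have it emit only the parameters the default converter does not already set, so there is nothing to collide on in the first place.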

Labels

  • Client: This issue points to a problem in the data-plane of the library.
  • azure-spring: All azure-spring related issues
  • customer-reported: Issues that are reported by GitHub users external to the Azure organization.
  • needs-team-attention: Workflow: This issue needs attention from Azure service team or SDK team
  • question: The issue doesn't require a change to the product in order to be resolved. Most issues start as that

Status

Done