From a3806328b576a859621245a6ca6fb4bd50a64bbc Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 9 Jan 2026 05:03:42 +0000 Subject: [PATCH 1/6] Initial plan From 17ca744ea711670c12fe581dfd58d215f21c0c6f Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 9 Jan 2026 05:11:33 +0000 Subject: [PATCH 2/6] Fix on_behalf_of token payload duplication issue in Spring Security 6.5+ This commit fixes the issue where the grant_type parameter was being duplicated in the on_behalf_of token request. The problem occurred when multiple converters were chained using addParametersConverter(), which uses MultiValueMap.addAll() that appends values to existing keys instead of replacing them. The fix reimplements createParameters() in AadJwtBearerGrantRequestEntityConverter to: 1. Use parameters.set() instead of parameters.add() to ensure single values 2. Directly create all parameters without calling the deprecated super.createParameters() 3. Follow the pattern used by Spring Security 6.4+ DefaultOAuth2TokenRequestParametersConverter This ensures that when additional converters are added via addParametersConverter(), the grant_type remains a single value instead of being converted into a list. Co-authored-by: Netyyyy <92105726+Netyyyy@users.noreply.github.com> --- ...dJwtBearerGrantRequestEntityConverter.java | 21 +++- ...earerGrantRequestEntityConverterTests.java | 97 +++++++++++++++++++ 2 files changed, 116 insertions(+), 2 deletions(-) diff --git a/sdk/spring/spring-cloud-azure-autoconfigure/src/main/java/com/azure/spring/cloud/autoconfigure/implementation/aad/security/AadJwtBearerGrantRequestEntityConverter.java b/sdk/spring/spring-cloud-azure-autoconfigure/src/main/java/com/azure/spring/cloud/autoconfigure/implementation/aad/security/AadJwtBearerGrantRequestEntityConverter.java index 378b13cfc165..e95208490229 100644 --- a/sdk/spring/spring-cloud-azure-autoconfigure/src/main/java/com/azure/spring/cloud/autoconfigure/implementation/aad/security/AadJwtBearerGrantRequestEntityConverter.java +++ b/sdk/spring/spring-cloud-azure-autoconfigure/src/main/java/com/azure/spring/cloud/autoconfigure/implementation/aad/security/AadJwtBearerGrantRequestEntityConverter.java @@ -5,7 +5,13 @@ import org.springframework.security.oauth2.client.endpoint.JwtBearerGrantRequest; import org.springframework.security.oauth2.client.endpoint.JwtBearerGrantRequestEntityConverter; +import org.springframework.security.oauth2.client.registration.ClientRegistration; +import org.springframework.security.oauth2.core.ClientAuthenticationMethod; +import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames; +import org.springframework.util.CollectionUtils; +import org.springframework.util.LinkedMultiValueMap; import org.springframework.util.MultiValueMap; +import org.springframework.util.StringUtils; /** * This is a special JWT Bearer flow implementation for Microsoft identify platform. @@ -18,8 +24,19 @@ public class AadJwtBearerGrantRequestEntityConverter extends JwtBearerGrantReque @Override protected MultiValueMap createParameters(JwtBearerGrantRequest jwtBearerGrantRequest) { - MultiValueMap parameters = super.createParameters(jwtBearerGrantRequest); - parameters.add("requested_token_use", "on_behalf_of"); + ClientRegistration clientRegistration = jwtBearerGrantRequest.getClientRegistration(); + MultiValueMap parameters = new LinkedMultiValueMap<>(); + parameters.set(OAuth2ParameterNames.GRANT_TYPE, jwtBearerGrantRequest.getGrantType().getValue()); + parameters.set(OAuth2ParameterNames.ASSERTION, jwtBearerGrantRequest.getJwt().getTokenValue()); + if (!CollectionUtils.isEmpty(clientRegistration.getScopes())) { + parameters.set(OAuth2ParameterNames.SCOPE, + StringUtils.collectionToDelimitedString(clientRegistration.getScopes(), " ")); + } + if (ClientAuthenticationMethod.CLIENT_SECRET_POST.equals(clientRegistration.getClientAuthenticationMethod())) { + parameters.set(OAuth2ParameterNames.CLIENT_ID, clientRegistration.getClientId()); + parameters.set(OAuth2ParameterNames.CLIENT_SECRET, clientRegistration.getClientSecret()); + } + parameters.set("requested_token_use", "on_behalf_of"); return parameters; } } diff --git a/sdk/spring/spring-cloud-azure-autoconfigure/src/test/java/com/azure/spring/cloud/autoconfigure/implementation/aad/security/AadJwtBearerGrantRequestEntityConverterTests.java b/sdk/spring/spring-cloud-azure-autoconfigure/src/test/java/com/azure/spring/cloud/autoconfigure/implementation/aad/security/AadJwtBearerGrantRequestEntityConverterTests.java index ce771c846038..c1eb36706083 100644 --- a/sdk/spring/spring-cloud-azure-autoconfigure/src/test/java/com/azure/spring/cloud/autoconfigure/implementation/aad/security/AadJwtBearerGrantRequestEntityConverterTests.java +++ b/sdk/spring/spring-cloud-azure-autoconfigure/src/test/java/com/azure/spring/cloud/autoconfigure/implementation/aad/security/AadJwtBearerGrantRequestEntityConverterTests.java @@ -8,13 +8,18 @@ import org.springframework.security.oauth2.client.endpoint.JwtBearerGrantRequest; import org.springframework.security.oauth2.client.registration.ClientRegistration; import org.springframework.security.oauth2.core.AuthorizationGrantType; +import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames; import org.springframework.security.oauth2.jose.jws.JwsAlgorithms; import org.springframework.security.oauth2.jwt.Jwt; +import org.springframework.util.LinkedMultiValueMap; import org.springframework.util.MultiValueMap; import java.time.Instant; +import java.util.List; import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertFalse; +import static org.junit.jupiter.api.Assertions.assertNotNull; import static org.junit.jupiter.api.Assertions.assertTrue; class AadJwtBearerGrantRequestEntityConverterTests { @@ -43,4 +48,96 @@ void requestedTokenUseParameter() { assertTrue(parameters.containsKey("requested_token_use")); assertEquals("on_behalf_of", parameters.getFirst("requested_token_use")); } + + @SuppressWarnings("unchecked") + @Test + void grantTypeIsNotDuplicatedWhenParametersConverterIsAdded() { + ClientRegistration clientRegistration = ClientRegistration.withRegistrationId("test") + .clientId("test") + .clientSecret("test-secret") + .authorizationGrantType(AuthorizationGrantType.JWT_BEARER) + .tokenUri("http://localhost/token") + .build(); + Jwt jwt = Jwt.withTokenValue("jwt-token-value") + .header("alg", JwsAlgorithms.RS256) + .claim("sub", "test") + .issuedAt(Instant.ofEpochMilli(Instant.now().toEpochMilli())) + .expiresAt(Instant.ofEpochMilli(Instant.now().plusSeconds(60).toEpochMilli())) + .build(); + JwtBearerGrantRequest request = new JwtBearerGrantRequest(clientRegistration, jwt); + + // Create converter and add a parameters converter that returns additional parameters + AadJwtBearerGrantRequestEntityConverter converter = new AadJwtBearerGrantRequestEntityConverter(); + converter.addParametersConverter((grantRequest) -> { + MultiValueMap additionalParams = new LinkedMultiValueMap<>(); + additionalParams.set("custom_param", "custom_value"); + return additionalParams; + }); + + RequestEntity> entity = + (RequestEntity>) converter.convert(request); + MultiValueMap parameters = entity.getBody(); + + // Verify that grant_type exists + assertTrue(parameters.containsKey(OAuth2ParameterNames.GRANT_TYPE)); + + // Verify that grant_type is a single value, not a list + List grantTypeValues = parameters.get(OAuth2ParameterNames.GRANT_TYPE); + assertNotNull(grantTypeValues); + assertEquals(1, grantTypeValues.size(), + "Grant type should be a single value, not duplicated: " + grantTypeValues); + assertEquals("urn:ietf:params:oauth:grant-type:jwt-bearer", grantTypeValues.get(0)); + + // Verify the custom parameter was added + assertTrue(parameters.containsKey("custom_param")); + assertEquals("custom_value", parameters.getFirst("custom_param")); + + // Verify requested_token_use is present + assertTrue(parameters.containsKey("requested_token_use")); + assertEquals("on_behalf_of", parameters.getFirst("requested_token_use")); + } + + @SuppressWarnings("unchecked") + @Test + void allRequiredParametersArePresent() { + ClientRegistration clientRegistration = ClientRegistration.withRegistrationId("test") + .clientId("test") + .clientSecret("test-secret") + .authorizationGrantType(AuthorizationGrantType.JWT_BEARER) + .tokenUri("http://localhost/token") + .scope("openid", "profile") + .build(); + Jwt jwt = Jwt.withTokenValue("jwt-token-value") + .header("alg", JwsAlgorithms.RS256) + .claim("sub", "test") + .issuedAt(Instant.ofEpochMilli(Instant.now().toEpochMilli())) + .expiresAt(Instant.ofEpochMilli(Instant.now().plusSeconds(60).toEpochMilli())) + .build(); + JwtBearerGrantRequest request = new JwtBearerGrantRequest(clientRegistration, jwt); + AadJwtBearerGrantRequestEntityConverter converter = + new AadJwtBearerGrantRequestEntityConverter(); + RequestEntity> entity = + (RequestEntity>) converter.convert(request); + MultiValueMap parameters = entity.getBody(); + + // Verify all required parameters + assertTrue(parameters.containsKey(OAuth2ParameterNames.GRANT_TYPE)); + assertEquals("urn:ietf:params:oauth:grant-type:jwt-bearer", + parameters.getFirst(OAuth2ParameterNames.GRANT_TYPE)); + + assertTrue(parameters.containsKey(OAuth2ParameterNames.ASSERTION)); + assertEquals("jwt-token-value", parameters.getFirst(OAuth2ParameterNames.ASSERTION)); + + assertTrue(parameters.containsKey(OAuth2ParameterNames.SCOPE)); + assertEquals("openid profile", parameters.getFirst(OAuth2ParameterNames.SCOPE)); + + assertTrue(parameters.containsKey(OAuth2ParameterNames.CLIENT_ID)); + assertEquals("test", parameters.getFirst(OAuth2ParameterNames.CLIENT_ID)); + + assertTrue(parameters.containsKey(OAuth2ParameterNames.CLIENT_SECRET)); + assertEquals("test-secret", parameters.getFirst(OAuth2ParameterNames.CLIENT_SECRET)); + + assertTrue(parameters.containsKey("requested_token_use")); + assertEquals("on_behalf_of", parameters.getFirst("requested_token_use")); + } } From deb0b66a9ed30b38280ea56fcf594c92d2a7d4ff Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 9 Jan 2026 05:13:40 +0000 Subject: [PATCH 3/6] Improve client authentication method handling Updated the implementation to properly handle both CLIENT_SECRET_BASIC and CLIENT_SECRET_POST authentication methods, following Spring Security 6.4+ DefaultOAuth2TokenRequestParametersConverter pattern: - CLIENT_SECRET_BASIC: credentials sent in Authorization header (NOT in parameters) - CLIENT_SECRET_POST: credentials sent in POST body parameters - Other methods: only client_id in parameters Added test to verify CLIENT_SECRET_BASIC authentication method works correctly. Co-authored-by: Netyyyy <92105726+Netyyyy@users.noreply.github.com> --- ...dJwtBearerGrantRequestEntityConverter.java | 6 ++- ...earerGrantRequestEntityConverterTests.java | 39 +++++++++++++++++++ 2 files changed, 44 insertions(+), 1 deletion(-) diff --git a/sdk/spring/spring-cloud-azure-autoconfigure/src/main/java/com/azure/spring/cloud/autoconfigure/implementation/aad/security/AadJwtBearerGrantRequestEntityConverter.java b/sdk/spring/spring-cloud-azure-autoconfigure/src/main/java/com/azure/spring/cloud/autoconfigure/implementation/aad/security/AadJwtBearerGrantRequestEntityConverter.java index e95208490229..2140204716fc 100644 --- a/sdk/spring/spring-cloud-azure-autoconfigure/src/main/java/com/azure/spring/cloud/autoconfigure/implementation/aad/security/AadJwtBearerGrantRequestEntityConverter.java +++ b/sdk/spring/spring-cloud-azure-autoconfigure/src/main/java/com/azure/spring/cloud/autoconfigure/implementation/aad/security/AadJwtBearerGrantRequestEntityConverter.java @@ -32,8 +32,12 @@ protected MultiValueMap createParameters(JwtBearerGrantRequest j parameters.set(OAuth2ParameterNames.SCOPE, StringUtils.collectionToDelimitedString(clientRegistration.getScopes(), " ")); } - if (ClientAuthenticationMethod.CLIENT_SECRET_POST.equals(clientRegistration.getClientAuthenticationMethod())) { + // Add client_id for all authentication methods except CLIENT_SECRET_BASIC (where it's in the header) + if (!ClientAuthenticationMethod.CLIENT_SECRET_BASIC.equals(clientRegistration.getClientAuthenticationMethod())) { parameters.set(OAuth2ParameterNames.CLIENT_ID, clientRegistration.getClientId()); + } + // Add client_secret only for CLIENT_SECRET_POST (where credentials are in the POST body) + if (ClientAuthenticationMethod.CLIENT_SECRET_POST.equals(clientRegistration.getClientAuthenticationMethod())) { parameters.set(OAuth2ParameterNames.CLIENT_SECRET, clientRegistration.getClientSecret()); } parameters.set("requested_token_use", "on_behalf_of"); diff --git a/sdk/spring/spring-cloud-azure-autoconfigure/src/test/java/com/azure/spring/cloud/autoconfigure/implementation/aad/security/AadJwtBearerGrantRequestEntityConverterTests.java b/sdk/spring/spring-cloud-azure-autoconfigure/src/test/java/com/azure/spring/cloud/autoconfigure/implementation/aad/security/AadJwtBearerGrantRequestEntityConverterTests.java index c1eb36706083..80e5462651d4 100644 --- a/sdk/spring/spring-cloud-azure-autoconfigure/src/test/java/com/azure/spring/cloud/autoconfigure/implementation/aad/security/AadJwtBearerGrantRequestEntityConverterTests.java +++ b/sdk/spring/spring-cloud-azure-autoconfigure/src/test/java/com/azure/spring/cloud/autoconfigure/implementation/aad/security/AadJwtBearerGrantRequestEntityConverterTests.java @@ -8,6 +8,7 @@ import org.springframework.security.oauth2.client.endpoint.JwtBearerGrantRequest; import org.springframework.security.oauth2.client.registration.ClientRegistration; import org.springframework.security.oauth2.core.AuthorizationGrantType; +import org.springframework.security.oauth2.core.ClientAuthenticationMethod; import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames; import org.springframework.security.oauth2.jose.jws.JwsAlgorithms; import org.springframework.security.oauth2.jwt.Jwt; @@ -103,6 +104,7 @@ void allRequiredParametersArePresent() { ClientRegistration clientRegistration = ClientRegistration.withRegistrationId("test") .clientId("test") .clientSecret("test-secret") + .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_POST) .authorizationGrantType(AuthorizationGrantType.JWT_BEARER) .tokenUri("http://localhost/token") .scope("openid", "profile") @@ -131,6 +133,7 @@ void allRequiredParametersArePresent() { assertTrue(parameters.containsKey(OAuth2ParameterNames.SCOPE)); assertEquals("openid profile", parameters.getFirst(OAuth2ParameterNames.SCOPE)); + // For CLIENT_SECRET_POST, both client_id and client_secret should be in parameters assertTrue(parameters.containsKey(OAuth2ParameterNames.CLIENT_ID)); assertEquals("test", parameters.getFirst(OAuth2ParameterNames.CLIENT_ID)); @@ -140,4 +143,40 @@ void allRequiredParametersArePresent() { assertTrue(parameters.containsKey("requested_token_use")); assertEquals("on_behalf_of", parameters.getFirst("requested_token_use")); } + + @SuppressWarnings("unchecked") + @Test + void clientSecretBasicAuthenticationMethod() { + ClientRegistration clientRegistration = ClientRegistration.withRegistrationId("test") + .clientId("test") + .clientSecret("test-secret") + .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC) + .authorizationGrantType(AuthorizationGrantType.JWT_BEARER) + .tokenUri("http://localhost/token") + .scope("openid", "profile") + .build(); + Jwt jwt = Jwt.withTokenValue("jwt-token-value") + .header("alg", JwsAlgorithms.RS256) + .claim("sub", "test") + .issuedAt(Instant.ofEpochMilli(Instant.now().toEpochMilli())) + .expiresAt(Instant.ofEpochMilli(Instant.now().plusSeconds(60).toEpochMilli())) + .build(); + JwtBearerGrantRequest request = new JwtBearerGrantRequest(clientRegistration, jwt); + AadJwtBearerGrantRequestEntityConverter converter = + new AadJwtBearerGrantRequestEntityConverter(); + RequestEntity> entity = + (RequestEntity>) converter.convert(request); + MultiValueMap parameters = entity.getBody(); + + // For CLIENT_SECRET_BASIC, credentials should NOT be in the parameters (they go in the Authorization header) + assertFalse(parameters.containsKey(OAuth2ParameterNames.CLIENT_ID), + "CLIENT_ID should not be in parameters for CLIENT_SECRET_BASIC"); + assertFalse(parameters.containsKey(OAuth2ParameterNames.CLIENT_SECRET), + "CLIENT_SECRET should not be in parameters for CLIENT_SECRET_BASIC"); + + // But other parameters should still be present + assertTrue(parameters.containsKey(OAuth2ParameterNames.GRANT_TYPE)); + assertTrue(parameters.containsKey(OAuth2ParameterNames.ASSERTION)); + assertTrue(parameters.containsKey("requested_token_use")); + } } From 7bd1817c392bb24e61e8ff178f73a107a5695348 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 9 Jan 2026 05:15:32 +0000 Subject: [PATCH 4/6] Simplify Instant usage in tests Simplified test code by using Instant.now() directly instead of unnecessary conversions. Co-authored-by: Netyyyy <92105726+Netyyyy@users.noreply.github.com> --- ...AadJwtBearerGrantRequestEntityConverterTests.java | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/sdk/spring/spring-cloud-azure-autoconfigure/src/test/java/com/azure/spring/cloud/autoconfigure/implementation/aad/security/AadJwtBearerGrantRequestEntityConverterTests.java b/sdk/spring/spring-cloud-azure-autoconfigure/src/test/java/com/azure/spring/cloud/autoconfigure/implementation/aad/security/AadJwtBearerGrantRequestEntityConverterTests.java index 80e5462651d4..bc6c0751d6d3 100644 --- a/sdk/spring/spring-cloud-azure-autoconfigure/src/test/java/com/azure/spring/cloud/autoconfigure/implementation/aad/security/AadJwtBearerGrantRequestEntityConverterTests.java +++ b/sdk/spring/spring-cloud-azure-autoconfigure/src/test/java/com/azure/spring/cloud/autoconfigure/implementation/aad/security/AadJwtBearerGrantRequestEntityConverterTests.java @@ -37,8 +37,8 @@ void requestedTokenUseParameter() { Jwt jwt = Jwt.withTokenValue("jwt-token-value") .header("alg", JwsAlgorithms.RS256) .claim("sub", "test") - .issuedAt(Instant.ofEpochMilli(Instant.now().toEpochMilli())) - .expiresAt(Instant.ofEpochMilli(Instant.now().plusSeconds(60).toEpochMilli())) + .issuedAt(Instant.now()) + .expiresAt(Instant.now().plusSeconds(60)) .build(); JwtBearerGrantRequest request = new JwtBearerGrantRequest(clientRegistration, jwt); AadJwtBearerGrantRequestEntityConverter converter = @@ -112,8 +112,8 @@ void allRequiredParametersArePresent() { Jwt jwt = Jwt.withTokenValue("jwt-token-value") .header("alg", JwsAlgorithms.RS256) .claim("sub", "test") - .issuedAt(Instant.ofEpochMilli(Instant.now().toEpochMilli())) - .expiresAt(Instant.ofEpochMilli(Instant.now().plusSeconds(60).toEpochMilli())) + .issuedAt(Instant.now()) + .expiresAt(Instant.now().plusSeconds(60)) .build(); JwtBearerGrantRequest request = new JwtBearerGrantRequest(clientRegistration, jwt); AadJwtBearerGrantRequestEntityConverter converter = @@ -158,8 +158,8 @@ void clientSecretBasicAuthenticationMethod() { Jwt jwt = Jwt.withTokenValue("jwt-token-value") .header("alg", JwsAlgorithms.RS256) .claim("sub", "test") - .issuedAt(Instant.ofEpochMilli(Instant.now().toEpochMilli())) - .expiresAt(Instant.ofEpochMilli(Instant.now().plusSeconds(60).toEpochMilli())) + .issuedAt(Instant.now()) + .expiresAt(Instant.now().plusSeconds(60)) .build(); JwtBearerGrantRequest request = new JwtBearerGrantRequest(clientRegistration, jwt); AadJwtBearerGrantRequestEntityConverter converter = From e12612fb71501662fd3bbba18f3523f1a5d7eaed Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 9 Jan 2026 05:16:40 +0000 Subject: [PATCH 5/6] Fix remaining Instant usage and improve comments - Fixed Instant usage in noGrantTypeDuplicationWithMultipleConverters test - Improved comments to clarify client authentication method handling Co-authored-by: Netyyyy <92105726+Netyyyy@users.noreply.github.com> --- .../security/AadJwtBearerGrantRequestEntityConverter.java | 6 ++++-- .../AadJwtBearerGrantRequestEntityConverterTests.java | 4 ++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/sdk/spring/spring-cloud-azure-autoconfigure/src/main/java/com/azure/spring/cloud/autoconfigure/implementation/aad/security/AadJwtBearerGrantRequestEntityConverter.java b/sdk/spring/spring-cloud-azure-autoconfigure/src/main/java/com/azure/spring/cloud/autoconfigure/implementation/aad/security/AadJwtBearerGrantRequestEntityConverter.java index 2140204716fc..3ebdae1dec62 100644 --- a/sdk/spring/spring-cloud-azure-autoconfigure/src/main/java/com/azure/spring/cloud/autoconfigure/implementation/aad/security/AadJwtBearerGrantRequestEntityConverter.java +++ b/sdk/spring/spring-cloud-azure-autoconfigure/src/main/java/com/azure/spring/cloud/autoconfigure/implementation/aad/security/AadJwtBearerGrantRequestEntityConverter.java @@ -32,11 +32,13 @@ protected MultiValueMap createParameters(JwtBearerGrantRequest j parameters.set(OAuth2ParameterNames.SCOPE, StringUtils.collectionToDelimitedString(clientRegistration.getScopes(), " ")); } - // Add client_id for all authentication methods except CLIENT_SECRET_BASIC (where it's in the header) + // For CLIENT_SECRET_BASIC: credentials go in Authorization header, not in request parameters + // For CLIENT_SECRET_POST and other methods: client_id goes in request parameters if (!ClientAuthenticationMethod.CLIENT_SECRET_BASIC.equals(clientRegistration.getClientAuthenticationMethod())) { parameters.set(OAuth2ParameterNames.CLIENT_ID, clientRegistration.getClientId()); } - // Add client_secret only for CLIENT_SECRET_POST (where credentials are in the POST body) + // For CLIENT_SECRET_POST: client_secret goes in request parameters + // For CLIENT_SECRET_BASIC and other methods: client_secret is handled separately (e.g., in Authorization header) if (ClientAuthenticationMethod.CLIENT_SECRET_POST.equals(clientRegistration.getClientAuthenticationMethod())) { parameters.set(OAuth2ParameterNames.CLIENT_SECRET, clientRegistration.getClientSecret()); } diff --git a/sdk/spring/spring-cloud-azure-autoconfigure/src/test/java/com/azure/spring/cloud/autoconfigure/implementation/aad/security/AadJwtBearerGrantRequestEntityConverterTests.java b/sdk/spring/spring-cloud-azure-autoconfigure/src/test/java/com/azure/spring/cloud/autoconfigure/implementation/aad/security/AadJwtBearerGrantRequestEntityConverterTests.java index bc6c0751d6d3..ed61127d8ef1 100644 --- a/sdk/spring/spring-cloud-azure-autoconfigure/src/test/java/com/azure/spring/cloud/autoconfigure/implementation/aad/security/AadJwtBearerGrantRequestEntityConverterTests.java +++ b/sdk/spring/spring-cloud-azure-autoconfigure/src/test/java/com/azure/spring/cloud/autoconfigure/implementation/aad/security/AadJwtBearerGrantRequestEntityConverterTests.java @@ -62,8 +62,8 @@ void grantTypeIsNotDuplicatedWhenParametersConverterIsAdded() { Jwt jwt = Jwt.withTokenValue("jwt-token-value") .header("alg", JwsAlgorithms.RS256) .claim("sub", "test") - .issuedAt(Instant.ofEpochMilli(Instant.now().toEpochMilli())) - .expiresAt(Instant.ofEpochMilli(Instant.now().plusSeconds(60).toEpochMilli())) + .issuedAt(Instant.now()) + .expiresAt(Instant.now().plusSeconds(60)) .build(); JwtBearerGrantRequest request = new JwtBearerGrantRequest(clientRegistration, jwt); From 276ed22408ccb6e0f8da1a55461d48927af5f643 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 9 Jan 2026 05:17:48 +0000 Subject: [PATCH 6/6] Fix typo and improve test assertion message MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Fixed typo: 'identify' → 'identity' - Improved test assertion message to show count instead of full list Co-authored-by: Netyyyy <92105726+Netyyyy@users.noreply.github.com> --- .../aad/security/AadJwtBearerGrantRequestEntityConverter.java | 2 +- .../security/AadJwtBearerGrantRequestEntityConverterTests.java | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/sdk/spring/spring-cloud-azure-autoconfigure/src/main/java/com/azure/spring/cloud/autoconfigure/implementation/aad/security/AadJwtBearerGrantRequestEntityConverter.java b/sdk/spring/spring-cloud-azure-autoconfigure/src/main/java/com/azure/spring/cloud/autoconfigure/implementation/aad/security/AadJwtBearerGrantRequestEntityConverter.java index 3ebdae1dec62..7870cba0b78b 100644 --- a/sdk/spring/spring-cloud-azure-autoconfigure/src/main/java/com/azure/spring/cloud/autoconfigure/implementation/aad/security/AadJwtBearerGrantRequestEntityConverter.java +++ b/sdk/spring/spring-cloud-azure-autoconfigure/src/main/java/com/azure/spring/cloud/autoconfigure/implementation/aad/security/AadJwtBearerGrantRequestEntityConverter.java @@ -14,7 +14,7 @@ import org.springframework.util.StringUtils; /** - * This is a special JWT Bearer flow implementation for Microsoft identify platform. + * This is a special JWT Bearer flow implementation for Microsoft identity platform. * * @since 4.3.0 * @see OAuth 2.0 On-Behalf-Of diff --git a/sdk/spring/spring-cloud-azure-autoconfigure/src/test/java/com/azure/spring/cloud/autoconfigure/implementation/aad/security/AadJwtBearerGrantRequestEntityConverterTests.java b/sdk/spring/spring-cloud-azure-autoconfigure/src/test/java/com/azure/spring/cloud/autoconfigure/implementation/aad/security/AadJwtBearerGrantRequestEntityConverterTests.java index ed61127d8ef1..d11e6ed70ab4 100644 --- a/sdk/spring/spring-cloud-azure-autoconfigure/src/test/java/com/azure/spring/cloud/autoconfigure/implementation/aad/security/AadJwtBearerGrantRequestEntityConverterTests.java +++ b/sdk/spring/spring-cloud-azure-autoconfigure/src/test/java/com/azure/spring/cloud/autoconfigure/implementation/aad/security/AadJwtBearerGrantRequestEntityConverterTests.java @@ -86,7 +86,7 @@ void grantTypeIsNotDuplicatedWhenParametersConverterIsAdded() { List grantTypeValues = parameters.get(OAuth2ParameterNames.GRANT_TYPE); assertNotNull(grantTypeValues); assertEquals(1, grantTypeValues.size(), - "Grant type should be a single value, not duplicated: " + grantTypeValues); + "Grant type should be a single value, not duplicated. Found: " + grantTypeValues.size() + " values"); assertEquals("urn:ietf:params:oauth:grant-type:jwt-bearer", grantTypeValues.get(0)); // Verify the custom parameter was added