From 1e6c34f4a3ab8c7a5e8df0b1236202b9b90691c2 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 12 Jan 2026 02:50:39 +0000
Subject: [PATCH 1/3] Initial plan
From e90990ad102c4cd9e93b6d2fa26230c97a213359 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 12 Jan 2026 03:02:05 +0000
Subject: [PATCH 2/3] Fix OAuth2 JWT Bearer grant request parameter duplication
in on-behalf-of flow
Co-authored-by: Netyyyy <92105726+Netyyyy@users.noreply.github.com>
---
.../spring-cloud-azure-autoconfigure/CHANGELOG.md | 2 ++
.../AadJwtBearerGrantRequestParametersConverter.java | 11 ++++++-----
.../AadJwtBearerGrantRequestEntityConverterTests.java | 6 ++++++
3 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/sdk/spring/spring-cloud-azure-autoconfigure/CHANGELOG.md b/sdk/spring/spring-cloud-azure-autoconfigure/CHANGELOG.md
index 24ab5d428261..aa281c5af28a 100644
--- a/sdk/spring/spring-cloud-azure-autoconfigure/CHANGELOG.md
+++ b/sdk/spring/spring-cloud-azure-autoconfigure/CHANGELOG.md
@@ -8,6 +8,8 @@
### Bugs Fixed
+- Fixed OAuth2 JWT Bearer grant request parameter duplication issue where `grant_type` was being duplicated when using the on-behalf-of flow, causing `AADSTS70003: unsupported_grant_type` error. [#47657](https://github.com/Azure/azure-sdk-for-java/issues/47657)
+
### Other Changes
## 7.0.0-beta.1 (2025-12-23)
diff --git a/sdk/spring/spring-cloud-azure-autoconfigure/src/main/java/com/azure/spring/cloud/autoconfigure/implementation/aad/security/AadJwtBearerGrantRequestParametersConverter.java b/sdk/spring/spring-cloud-azure-autoconfigure/src/main/java/com/azure/spring/cloud/autoconfigure/implementation/aad/security/AadJwtBearerGrantRequestParametersConverter.java
index 234e2c8f2a02..fc201915ddc4 100644
--- a/sdk/spring/spring-cloud-azure-autoconfigure/src/main/java/com/azure/spring/cloud/autoconfigure/implementation/aad/security/AadJwtBearerGrantRequestParametersConverter.java
+++ b/sdk/spring/spring-cloud-azure-autoconfigure/src/main/java/com/azure/spring/cloud/autoconfigure/implementation/aad/security/AadJwtBearerGrantRequestParametersConverter.java
@@ -4,12 +4,16 @@
package com.azure.spring.cloud.autoconfigure.implementation.aad.security;
import org.springframework.core.convert.converter.Converter;
-import org.springframework.security.oauth2.client.endpoint.DefaultOAuth2TokenRequestParametersConverter;
import org.springframework.security.oauth2.client.endpoint.JwtBearerGrantRequest;
+import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
/**
* This is a special JWT Bearer flow implementation for Microsoft identify platform.
+ * This converter only adds the Azure-specific parameter "requested_token_use" with value "on_behalf_of".
+ * The standard OAuth2 parameters (grant_type, assertion, client_id, etc.) are added by Spring Security's
+ * DefaultOAuth2TokenRequestParametersConverter, which is automatically included when using
+ * RestClientJwtBearerTokenResponseClient.
*
* @since 7.0.0
* @see OAuth 2.0 On-Behalf-Of
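Review bot: The added Javadoc says the standard parameters are "automatically included when using RestClientJwtBearerTokenResponseClient", which only holds if this converter is registered additively on the client; the registration site is not part of this diff. After the change to `convert` in the next hunk, the converter returns `requested_token_use` alone, so any caller that uses it as the sole source of parameters would send a token request without `grant_type` and `assertion`. I would state the contract in the class comment, e.g. `* Must be registered via addParametersConverter(...); on its own it does not produce a complete token request.` The same comment block also reads "identify platform" where "identity platform" is meant.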
@@ -17,12 +21,9 @@
public class AadJwtBearerGrantRequestParametersConverter
implements Converter> {
- private final DefaultOAuth2TokenRequestParametersConverter delegate =
- new DefaultOAuth2TokenRequestParametersConverter<>();
-
@Override
public MultiValueMap convert(JwtBearerGrantRequest jwtBearerGrantRequest) {
- MultiValueMap parameters = delegate.convert(jwtBearerGrantRequest);
+ MultiValueMap parameters = new LinkedMultiValueMap<>();
parameters.add("requested_token_use", "on_behalf_of");
return parameters;
}
diff --git a/sdk/spring/spring-cloud-azure-autoconfigure/src/test/java/com/azure/spring/cloud/autoconfigure/implementation/aad/security/AadJwtBearerGrantRequestEntityConverterTests.java b/sdk/spring/spring-cloud-azure-autoconfigure/src/test/java/com/azure/spring/cloud/autoconfigure/implementation/aad/security/AadJwtBearerGrantRequestEntityConverterTests.java
index bdeb4fe16707..53d5ed97b57f 100644
--- a/sdk/spring/spring-cloud-azure-autoconfigure/src/test/java/com/azure/spring/cloud/autoconfigure/implementation/aad/security/AadJwtBearerGrantRequestEntityConverterTests.java
+++ b/sdk/spring/spring-cloud-azure-autoconfigure/src/test/java/com/azure/spring/cloud/autoconfigure/implementation/aad/security/AadJwtBearerGrantRequestEntityConverterTests.java
@@ -40,5 +40,11 @@ void requestedTokenUseParameter() {
Assertions.assertNotNull(parameters);
assertTrue(parameters.containsKey("requested_token_use"));
assertEquals("on_behalf_of", parameters.getFirst("requested_token_use"));
+ // Verify that the converter does not add grant_type or other standard OAuth2 parameters
+ // to avoid duplication when composed with DefaultOAuth2TokenRequestParametersConverter
+ Assertions.assertFalse(parameters.containsKey("grant_type"),
+ "Converter should not add grant_type to avoid duplication");
+ assertEquals(1, parameters.size(),
+ "Converter should only add the Azure-specific parameter");
}
}
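Review bot: The new assertions only check the converter in isolation, but the regression in #47657 was a duplicated `grant_type` in the composed request, and nothing here exercises that composition. A check that merges the default converter's output with this one would catch a reintroduced delegate, e.g. `merged.addAll(parameters); assertEquals(1, merged.get("grant_type").size());`, where `merged` is what `DefaultOAuth2TokenRequestParametersConverter` returns for the same request. `requestedTokenUseParameter()` starts outside the hunk, so the name of the request fixture is not visible here.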
From 51f9465c3ef104afd456c2b53cf291fc814ccac6 Mon Sep 17 00:00:00 2001
From: muyao
Date: Tue, 13 Jan 2026 10:04:09 +0800
Subject: [PATCH 3/3] Fix cspell
---
.vscode/cspell.json | 1 +
1 file changed, 1 insertion(+)
diff --git a/.vscode/cspell.json b/.vscode/cspell.json
index bd85726cce1c..1ce3f3ab3379 100644
--- a/.vscode/cspell.json
+++ b/.vscode/cspell.json
@@ -1245,6 +1245,7 @@
"words": [
"aadb",
"AADB",
+ "AADSTS",
"amqps",
"Authoritys",
"autoconfiguation",