
Redirect URI with encoded parameters leads to "invalid request" #41

Closed
rpasys opened this issue Jul 21, 2016 · 1 comment

Comments

rpasys (Contributor) commented Jul 21, 2016

A user who is not logged in calls the following URL:
http://localhost:8080/bestand/rest/v1/einspruenge/eckw/werbesperren?ort=Erlangen&strasse=Unter+den+Palmen+3&vorname=Maximilian&context=kundenwelt&nachname=Mustermann&land=DE&plz=91056

The redirect to the IDP produces the following URL:
http://localhost:8080/idp/api/auth?response_type=code&client_id=ecade&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fbestand%2Frest%2Fv1%2Feinspruenge%2Feckw%2Fwerbesperren%3Fort%3DErlangen%26strasse%3DUnter%2Bden%2BPalmen%2B3%26vorname%3DMaximilian%26context%3Dkundenwelt%26nachname%3DMustermann%26land%3DDE%26plz%3D91056

Here apparently "too many" parameters get split apart, including those of the redirect_uri - see AuthorizationRequest#parse:
params = {HashMap@35247} size = 13
0 = {HashMap$Node@35255} "strasse" -> "Unter den Palmen 3"
1 = {HashMap$Node@35256} "j_password" -> "ediTi0n01"
2 = {HashMap$Node@35257} "vorname" -> "Maximilian"
3 = {HashMap$Node@35258} "response_type" -> "code"
4 = {HashMap$Node@35259} "client_id" -> "ecade"
5 = {HashMap$Node@35260} "btnAnmelden" -> "Anmelden"
6 = {HashMap$Node@35261} "formlogin" -> "ja"
7 = {HashMap$Node@35262} "context" -> "kundenwelt"
8 = {HashMap$Node@35263} "nachname" -> "Mustermann"
9 = {HashMap$Node@35264} "land" -> "DE"
10 = {HashMap$Node@35265} "redirect_uri" -> "http://localhost:8080/bestand/rest/v1/einspruenge/eckw/werbesperren?ort"
11 = {HashMap$Node@35266} "j_username" -> "ecmanager"
12 = {HashMap$Node@35267} "plz" -> "91056"

Later on, the redirect URI is then generated with spaces:
http://localhost:8080/bestand/rest/v1/einspruenge/eckw/werbesperren?ort=Erlangen&strasse=Unter den Palmen 3&vorname=Maximilian&context=kundenwelt&nachname=Mustermann&land=DE&plz=91056
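As an added illustration (not code from this report or from the project), a small Python model of the parsing defect described above: the buggy variant percent-decodes the whole query before splitting it, which cuts redirect_uri at "?ort" and turns the "+" in the street name into spaces; the correct variant splits the outer query once and appends the code without re-decoding. The URL is the one from the report; the code value is a constructed placeholder.

```python
from urllib.parse import parse_qs, quote, unquote, urlsplit, urlunsplit

# Constructed sample: the authorization request from the report, whose
# redirect_uri carries a once-encoded query (note %2B for the '+' in the street).
AUTH_URL = (
    "http://localhost:8080/idp/api/auth?response_type=code&client_id=ecade"
    "&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fbestand%2Frest%2Fv1%2Feinspruenge"
    "%2Feckw%2Fwerbesperren%3Fort%3DErlangen%26strasse%3DUnter%2Bden%2BPalmen%2B3"
    "%26vorname%3DMaximilian%26context%3Dkundenwelt%26nachname%3DMustermann"
    "%26land%3DDE%26plz%3D91056"
)


def parse_buggy(url):
    """Model of the defect: percent-decode the whole query first, then split.
    The redirect_uri's own '&' and '=' now act as outer separators, so its
    parameters leak into the map and redirect_uri itself is cut at '?ort'."""
    decoded = unquote(urlsplit(url).query)      # %26 -> '&', %3D -> '=', %2B -> '+'
    params = {}
    for pair in decoded.split("&"):
        parts = pair.split("=")                 # '?ort=Erlangen' splits once more
        value = parts[1] if len(parts) > 1 else ""
        params[parts[0]] = value.replace("+", " ")   # form decoding hits the '+' too
    return params


def parse_correct(url):
    """Split the outer query exactly once and decode each value exactly once:
    redirect_uri comes back whole, with its inner query still encoded."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query, keep_blank_values=True).items()}


def build_callback_location(redirect_uri, code):
    """Append the code to the client's redirect URI without re-decoding it,
    so '+' and any %XX in its query reach the client exactly as it sent them."""
    p = urlsplit(redirect_uri)
    extra = "code=" + quote(code, safe="")
    query = p.query + "&" + extra if p.query else extra
    return urlunsplit((p.scheme, p.netloc, p.path, query, p.fragment))


if __name__ == "__main__":
    print(parse_buggy(AUTH_URL)["redirect_uri"])     # cut off at '?ort'
    ok = parse_correct(AUTH_URL)
    print(build_callback_location(ok["redirect_uri"], "CODE-PLACEHOLDER"))
```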

atamanroman added a commit that referenced this issue Aug 2, 2016
(but does not - at least with wildfly)
dstraub (Contributor) commented Aug 2, 2016

23:04:17,267 INFO [org.jboss.as] (Controller Boot Thread) JBAS015874: JBoss EAP 6.4.0.GA (AS 7.5.0.Final-redhat-21) started in 3465ms - Started 279 of 314 services (57 services are lazy, passive or on-demand)
23:04:28,969 INFO [org.jboss.as.repository] (management-handler-thread - 1) JBAS014900: Content added at location /Users/ds/Work/oauth/oauth-test/target/jboss-eap-6.4/standalone/data/content/6c/de31392f65a9d2bc18bdf24fb3d74dd18039df/content
23:04:28,973 INFO [org.jboss.as.server.deployment] (MSC service thread 1-9) JBAS015876: Starting deployment of "sample.war" (runtime-name: "sample.war")
23:04:29,237 INFO [de.adorsys.oauth.client.valve.OAuthAuthenticator] (ServerService Thread Pool -- 5) OAuthAuthenticator initialized authEndpoint=http://localhost:8280/oauth/api/auth tokenEndpoint=http://localhost:8280/oauth/api/token clientId=sample userInfoEndpoint=http://localhost:8280/oauth/api/userinfo
23:04:29,266 INFO [org.jboss.as.server] (management-handler-thread - 1) JBAS015859: Deployed "sample.war" (runtime-name : "sample.war")
23:04:30,465 DEBUG [de.adorsys.oauth.client.valve.OAuthAuthenticator] (http-/127.0.0.1:8280-1) Request http://localhost:8280/sample/hello?ort=Erlangen&strasse=Unter%2Bden%2BPalmen%2B3&vorname=Maximilian&context=kundenwelt&nachname=Mustermann&land=DE&plz=91056
23:04:30,481 DEBUG [de.adorsys.oauth.client.protocol.OAuthProtocol] (http-/127.0.0.1:8280-1) redirect to http://localhost:8280/oauth/api/auth?response_type=code&client_id=sample&redirect_uri=http%3A%2F%2Flocalhost%3A8280%2Fsample%2Fhello%3Fort%3DErlangen%26strasse%3DUnter%252Bden%252BPalmen%252B3%26vorname%3DMaximilian%26context%3Dkundenwelt%26nachname%3DMustermann%26land%3DDE%26plz%3D91056
23:04:30,594 DEBUG [de.adorsys.oauth.authdispatcher.OAuthAuthenticationDispatcher] (http-/127.0.0.1:8280-2) no authentificator found for /oauth/api/auth
23:04:31,083 DEBUG [de.adorsys.oauth.authdispatcher.matcher.StatelessFormAuthenticator] (http-/127.0.0.1:8280-2) Authenticating username 'wilduser'
23:04:31,109 INFO [de.adorsys.oauth.server.AuthResource] (http-/127.0.0.1:8280-2) token lifetime 15
23:04:31,261 DEBUG [de.adorsys.oauth.server.AuthResource] (http-/127.0.0.1:8280-2) {"sub":"wilduser","name":"wilduser","groups":["admin","user","oauth"]}
23:04:31,262 DEBUG [de.adorsys.oauth.server.AuthResource] (http-/127.0.0.1:8280-2) impliesCodeFlow "6GsJBgCgceyTccZVAMnicOH25XSvihtuiDRCn93DsKY"
23:04:31,264 DEBUG [de.adorsys.oauth.server.AuthResource] (http-/127.0.0.1:8280-2) location http://localhost:8280/sample/hello?ort=Erlangen&strasse=Unter+den+Palmen+3&vorname=Maximilian&context=kundenwelt&nachname=Mustermann&land=DE&plz=91056&code=6GsJBgCgceyTccZVAMnicOH25XSvihtuiDRCn93DsKY
23:04:31,265 DEBUG [de.adorsys.oauth.authdispatcher.OAuthAuthenticationDispatcher] (http-/127.0.0.1:8280-2) use FormAuthAuthenticatorMatcher, principal = GenericPrincipal[wilduser(admin,oauth,user,)]
23:04:31,287 DEBUG [de.adorsys.oauth.authdispatcher.OAuthAuthenticationDispatcher] (http-/127.0.0.1:8280-3) no authentificator found for /oauth/api/token
23:04:31,288 INFO [de.adorsys.oauth.server.TokenResource] (http-/127.0.0.1:8280-3) token lifetime 15
23:04:31,304 DEBUG [de.adorsys.oauth.server.TokenResource] (http-/127.0.0.1:8280-3) tokenRequest com.nimbusds.oauth2.sdk.TokenRequest@374e64c9
23:04:31,329 DEBUG [de.adorsys.oauth.server.TokenResource] (http-/127.0.0.1:8280-3) accessToken {"access_token":"W24Q5_frUGJkaou3n-H986iA4xG5bD42LHLj_x777gU","token_type":"Bearer","expires_in":15}
23:04:31,331 DEBUG [de.adorsys.oauth.authdispatcher.OAuthAuthenticationDispatcher] (http-/127.0.0.1:8280-3) use BasicAuthAuthenticatorMatcher, principal = null
23:04:31,636 DEBUG [de.adorsys.oauth.client.valve.OAuthAuthenticator] (http-/127.0.0.1:8280-4) Request http://localhost:8280/sample/hello
23:04:31,638 DEBUG [de.adorsys.oauth.client.valve.OAuthAuthenticator] (http-/127.0.0.1:8280-4) authenticate with accessToken W24Q5_frUGJkaou3n-H986iA4xG5bD42LHLj_x777gU
23:04:31,640 DEBUG [de.adorsys.oauth.client.protocol.UserInfoResolver] (http-/127.0.0.1:8280-4) load userinfo from http://localhost:8280/oauth/api/userinfo?id=W24Q5_frUGJkaou3n-H986iA4xG5bD42LHLj_x777gU
23:04:31,674 DEBUG [de.adorsys.oauth.authdispatcher.OAuthAuthenticationDispatcher] (http-/127.0.0.1:8280-5) no authentificator found for /oauth/api/userinfo
23:04:31,680 DEBUG [de.adorsys.oauth.server.UserInfoResource] (http-/127.0.0.1:8280-5) userInfo {"access_token":"W24Q5_frUGJkaou3n-H986iA4xG5bD42LHLj_x777gU","token_type":"Bearer"}
23:04:31,701 DEBUG [de.adorsys.oauth.client.protocol.UserInfoResolver] (http-/127.0.0.1:8280-4) read userinfo uou3W6gwHagBgOwU0GCZm67mSC43R8aeYLNcn8DtVpM= CACHE_MISS
23:04:31,710 DEBUG [de.adorsys.oauth.client.OAuthLoginModule] (http-/127.0.0.1:8280-4) login wilduser:uou3W6gwHagBgOwU0GCZm67mSC43R8aeYLNcn8DtVpM=
23:04:31,716 INFO [de.adorsys.oauth.client.OAuthLoginModule] (http-/127.0.0.1:8280-4) UserInfo: wilduser ["admin","user","oauth"]

Not reproducible with the unit test TestAuthCodeFlow.testAuthCodeWithQueryParams.
Assumption: the problem is perhaps in the eca stack, please analyze it there.

dstraub added a commit that referenced this issue Aug 2, 2016
atamanroman added a commit that referenced this issue Aug 5, 2016
(but does not - at least with wildfly)
atamanroman added a commit that referenced this issue Aug 15, 2016
atamanroman added a commit that referenced this issue Aug 15, 2016