
spring-security-oauth2-client:5.5.1 class OAuth2AuthorizationGrantRequestEntityUtils why UrlEncoder is added for client-secret #27440

@Dineshseervi

Description


Why, in spring-security-oauth2-client:5.5.1, class OAuth2AuthorizationGrantRequestEntityUtils
encodes clientId and clientSecret using URLEncoder.encode before the Base64 encoding of clientId and secret?

We were previously using version 5.4.4 of spring-security-oauth2-client to fetch tokens from an external server using class OAuth2AuthorizationGrantRequestEntityUtils.

After updating to spring-security-oauth2-client:5.5.1, Spring has added logic to URLEncoder.encode the client-secret, which affects client-secrets that contain special characters: the server is not able to validate the Authorization header we are sending to the token endpoint.

```java
String clientId = encodeClientCredential(clientRegistration.getClientId());
String clientSecret = encodeClientCredential(clientRegistration.getClientSecret());
```

We also have a concern: is it mentioned in the OIDC spec to URLEncoder.encode before doing the Base64 encode?
This will cause problems for all clients whose client-secret contains special characters, as the Authorization server will not be able to validate them.
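The step the issue asks about is the one RFC 6749 section 2.3.1 prescribes for `client_secret_basic`: client_id and client_secret are each application/x-www-form-urlencoded, then the `id:secret` pair is Base64-encoded into the HTTP Basic header. The following is an added Python example, not Spring's code, that builds the header with and without that step and shows what a token endpoint that form-decodes the credentials recovers versus one that compares the raw Basic values; the credential values are constructed.

```python
import base64
import string
from typing import Tuple
from urllib.parse import unquote_plus

# Characters java.net.URLEncoder leaves untouched (Python's quote_plus differs on '*' and '~').
_UNRESERVED = set(string.ascii_letters + string.digits + ".-*_")


def form_urlencode(value: str) -> str:
    """application/x-www-form-urlencoded, mirroring URLEncoder.encode(value, UTF_8)."""
    out = []
    for ch in value:
        if ch in _UNRESERVED:
            out.append(ch)
        elif ch == " ":
            out.append("+")
        else:
            out.extend(f"%{b:02X}" for b in ch.encode("utf-8"))
    return "".join(out)


def basic_auth_header(client_id: str, client_secret: str, rfc6749: bool = True) -> str:
    """Client side. rfc6749=True applies the section 2.3.1 form-encoding step before Base64;
    rfc6749=False Base64-encodes the raw credentials (the behaviour the issue relied on)."""
    if rfc6749:
        client_id, client_secret = form_urlencode(client_id), form_urlencode(client_secret)
    token = base64.b64encode(f"{client_id}:{client_secret}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_auth_header(header: str, rfc6749: bool = True) -> Tuple[str, str]:
    """Server side: recover (client_id, client_secret) from the Authorization header.
    A spec-compliant token endpoint form-decodes both values; a naive one does not."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic" or not token:
        raise ValueError("not a Basic credential")
    raw = base64.b64decode(token, validate=True).decode("utf-8")
    cid, sep, secret = raw.partition(":")
    if not sep:
        raise ValueError("malformed Basic credential")
    if rfc6749:
        cid, secret = unquote_plus(cid), unquote_plus(secret)
    return cid, secret


if __name__ == "__main__":
    # Constructed credentials; the secret deliberately contains reserved characters.
    hdr = basic_auth_header("my-client", "p@ss:w0rd/+ 1")
    print("compliant server sees:", parse_basic_auth_header(hdr))
    print("naive server sees:    ", parse_basic_auth_header(hdr, rfc6749=False))
```

A secret made only of unreserved characters decodes to the same value on both kinds of server, which is why the change only surfaced for secrets containing special characters.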
