Fix inconsistent state when authorization consent is denied

jgrandja · jgrandja · commit 4fbe06d1218b · 2022-01-26T10:23:06.000-05:00
Closes gh-595
diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeRequestAuthenticationProvider.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeRequestAuthenticationProvider.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2021 the original author or authors.
+ * Copyright 2020-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -577,8 +577,6 @@ private static OAuth2AuthorizationCodeRequestAuthenticationToken.Builder from(OA
 				.scopes(authorizationCodeRequestAuthentication.getScopes())
 				.state(authorizationCodeRequestAuthentication.getState())
 				.additionalParameters(authorizationCodeRequestAuthentication.getAdditionalParameters())
-				.consentRequired(authorizationCodeRequestAuthentication.isConsentRequired())
-				.consent(authorizationCodeRequestAuthentication.isConsent())
 				.authorizationCode(authorizationCodeRequestAuthentication.getAuthorizationCode());
 	}
 
diff --git a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeRequestAuthenticationProviderTests.java b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeRequestAuthenticationProviderTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2021 the original author or authors.
+ * Copyright 2020-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -1013,6 +1013,12 @@ private static void assertAuthenticationException(OAuth2AuthorizationCodeRequest
 		OAuth2AuthorizationCodeRequestAuthenticationToken authorizationCodeRequestAuthentication =
 				authenticationException.getAuthorizationCodeRequestAuthentication();
 		assertThat(authorizationCodeRequestAuthentication.getRedirectUri()).isEqualTo(redirectUri);
+
+		// gh-595
+		if (OAuth2ErrorCodes.ACCESS_DENIED.equals(errorCode)) {
+			assertThat(authorizationCodeRequestAuthentication.isConsent()).isFalse();
+			assertThat(authorizationCodeRequestAuthentication.isConsentRequired()).isFalse();
+		}
 	}
 
 	private static OAuth2AuthorizationCodeRequestAuthenticationToken.Builder authorizationCodeRequestAuthentication(

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`/*`
`2`		`- * Copyright 2020-2021 the original author or authors.`
	`2`	`+ * Copyright 2020-2022 the original author or authors.`
`3`	`3`	`*`
`4`	`4`	`* Licensed under the Apache License, Version 2.0 (the "License");`
`5`	`5`	`* you may not use this file except in compliance with the License.`
`@@ -577,8 +577,6 @@ private static OAuth2AuthorizationCodeRequestAuthenticationToken.Builder from(OA`
`577`	`577`	`.scopes(authorizationCodeRequestAuthentication.getScopes())`
`578`	`578`	`.state(authorizationCodeRequestAuthentication.getState())`
`579`	`579`	`.additionalParameters(authorizationCodeRequestAuthentication.getAdditionalParameters())`
`580`		`- .consentRequired(authorizationCodeRequestAuthentication.isConsentRequired())`
`581`		`- .consent(authorizationCodeRequestAuthentication.isConsent())`
`582`	`580`	`.authorizationCode(authorizationCodeRequestAuthentication.getAuthorizationCode());`
`583`	`581`	`}`
`584`	`582`