
/oauth2/token endpoint parameter validate. #102

Closed

Description by @lizhongyue248

Describe the bug
/oauth2/token endpoint parameter code URL decode.

To Reproduce

  1. I get the code from the /oauth2/authorize endpoint redirect URL parameters. The code is Iz5jWzV00fcxhIAomMff_COjDsU8o_ifiLrdZK9U4wY%3D
  2. And I use the code to POST to /oauth2/token; it gives me an error:

```json
{
    "error": "invalid_grant"
}
```

  3. I try to URL-decode Iz5jWzV00fcxhIAomMff_COjDsU8o_ifiLrdZK9U4wY%3D; the right code is Iz5jWzV00fcxhIAomMff_COjDsU8o_ifiLrdZK9U4wY=. And using the new code to POST, it works.

Expected behavior
I will get the code from the URL parameter. The code is encoded by Base64StringKeyGenerator.

I expect Spring Security to help me decode the code parameter, otherwise every client must decode it.

Maybe I can decode it when not null, or let me customize the codeGenerator.

Activity

louiemondot commented on Aug 25, 2020

I'd like to have a go at this one if that's possible.

Changed the title from "/oauth2/token endpoint parameter code url decode." to "/oauth2/token endpoint parameter validate." on Aug 25, 2020

lizhongyue248 (Author) commented on Aug 25, 2020

Describe the bug

I get an error when accessing /oauth2/token with client_id.

To Reproduce

  1. I get the code from the /oauth2/authorize endpoint redirect URL parameters. The code is Iz5jWzV00fcxhIAomMff_COjDsU8o_ifiLrdZK9U4wY%3D
  2. And I use the decoded code and POST to /oauth2/token with client_id; I get an error:

```json
{
    "error": "invalid_client"
}
```

  3. I remove this parameter; it works.

Debug the code:

When I POST with client_id, getPrincipal() is a String.

When I POST without client_id, getPrincipal() is an OAuth2ClientAuthenticationToken and isAuthenticated is false.

Expected behavior

Please see RFC 6749 section 4.1.3:

> REQUIRED, if the client is not authenticating with the authorization server as described in Section 3.2.1.

The request header has a Client Certificate. If the client POSTs with client_id, the authorization server should ignore it or validate it, instead of just throwing an error.

SoulMate1214 commented on Aug 28, 2020

> Describe the bug
>
> I get an error when accessing /oauth2/token with client_id.
>
> To Reproduce
>
> 1. I get the code from the /oauth2/authorize endpoint redirect URL parameters. The code is Iz5jWzV00fcxhIAomMff_COjDsU8o_ifiLrdZK9U4wY%3D
>
> 2. And I use the decoded code and POST to `/oauth2/token` with `client_id`; I get an error:
>
> ```json
> {
>     "error": "invalid_client"
> }
> ```
>
> 3. I remove this parameter; it works.
>
> Debug the code:
>
> When I POST with client_id, getPrincipal() is a String.
>
> When I POST without client_id, getPrincipal() is an OAuth2ClientAuthenticationToken and isAuthenticated is false.
>
> Expected behavior
>
> Please see RFC 6749 section 4.1.3:
>
> > REQUIRED, if the client is not authenticating with the authorization server as described in Section 3.2.1.
>
> The request header has a Client Certificate. If the client POSTs with client_id, the authorization server should ignore it or validate it, instead of just throwing an error.

Don't carry the clientId parameter inside the header, ohhhhhhhh

jgrandja (Collaborator) commented on Sep 1, 2020

@lizhongyue248 How are you testing the token request? Are you using a specific oauth2 client library or doing it manually, e.g. curl?

FYI, the oauth2-integration sample works, which uses the Spring Security 5.x client.

If you are testing manually, e.g. curl, then you are likely not creating a valid token request. You really should be using an oauth2 client library instead.

jgrandja self-assigned this on Sep 1, 2020

jgrandja (Collaborator) commented on Sep 1, 2020

@louiemondot Thanks for the offer on looking into this. Let's hold off for now until we figure out if this is an issue or not.

lizhongyue248 (Author) commented on Sep 1, 2020

@jgrandja Hi, I test the API with curl. The oauth2-integration sample works, but my client is not a Spring Security application.

Most of the time we need to adapt other oauth2 clients, so it is necessary to have the authorization server decode the Base64 in the request, or let me customize the codeGenerator, instead of letting the client decode.

And this:

> The request header has a Client Certificate. If the client POSTs with client_id, the authorization server should ignore it or validate it, instead of just throwing an error.

jgrandja (Collaborator) commented on Sep 1, 2020

@lizhongyue248

> my client is not a Spring Security application

You can use any oauth2 client library - you do not need to use the Spring Security oauth2 client.

The authorization server should work with any oauth2 client library.

Regarding your comment

> The request header has Client Certificate

Mutual TLS client authentication has not been implemented as of yet, so this won't work with the current version. Only HTTP Basic is implemented.

I'm going to close this as the authorization server is implemented to spec and will (should) work with any oauth2 client library (as long as it is implemented to spec as well).

Added the label `status: invalid` (An issue that we don't feel is valid) on Sep 1, 2020
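The thread above turns on two details of a spec-compliant token request: the `code` value must arrive at the server percent-decoded exactly once, and a client that authenticates with HTTP Basic carries its identity in the `Authorization` header rather than as a `client_id` body parameter. The following is an added example (not code from spring-authorization-server or from any participant) that builds such a request with the Python standard library and simulates what a form-parsing server sees. The client id, secret, redirect URI and the "double encoding" scenario (pasting the still-encoded `%3D` code from the redirect URL into the body) are constructed assumptions; the double encoding is one plausible way to produce the `invalid_grant` mismatch described in the first post, not a confirmed cause.

```python
"""
Added example, not code from spring-authorization-server: builds an
authorization_code token request per RFC 6749 with the Python standard library
and shows how the 'code' value the server sees depends on whether the client
percent-encoded it once (correct) or pasted the already-encoded value from the
redirect URL (double encoding). All names and values below are constructed.
"""
import base64
from urllib.parse import urlsplit, parse_qs, urlencode, quote, unquote

# Constructed sample values; not real credentials or a real deployment.
REDIRECT_URI = "http://127.0.0.1:8080/authorized"
REDIRECT_URL = REDIRECT_URI + "?code=Iz5jWzV00fcxhIAomMff_COjDsU8o_ifiLrdZK9U4wY%3D&state=abc"
ISSUED_CODE = "Iz5jWzV00fcxhIAomMff_COjDsU8o_ifiLrdZK9U4wY="   # what the server stored
CLIENT_ID = "messaging-client"     # hypothetical registered client
CLIENT_SECRET = "secret"           # hypothetical client secret


def code_from_redirect(url: str) -> str:
    """Return the authorization code as issued. parse_qs percent-decodes the
    query once, so the '%3D' visible in the address bar becomes '='."""
    return parse_qs(urlsplit(url).query)["code"][0]


def basic_client_auth(client_id: str, client_secret: str) -> str:
    """RFC 6749 section 2.3.1: form-urlencode id and secret, join with ':',
    base64-encode, and send as an HTTP Basic Authorization header."""
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(creds.encode("utf-8")).decode("ascii")


def parse_basic_client_auth(header: str) -> tuple:
    """Server side of section 2.3.1: undo the base64 and the form-urlencoding
    to recover (client_id, client_secret)."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not HTTP Basic")
    raw = base64.b64decode(token).decode("utf-8")
    cid, _, secret = raw.partition(":")
    return unquote(cid), unquote(secret)


def build_token_request(code: str) -> dict:
    """Authorization-code token request. The client authenticates with HTTP
    Basic, so client_id travels in the header and is not repeated in the body
    (RFC 6749 section 2.3: one client authentication method per request).
    urlencode percent-encodes the code exactly once ('=' -> '%3D')."""
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
    })
    return {
        "headers": {
            "Authorization": basic_client_auth(CLIENT_ID, CLIENT_SECRET),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": body,
    }


def server_side_code(body: str) -> str:
    """What a server that parses application/x-www-form-urlencoded bodies
    (for example the servlet container's getParameter) sees for 'code':
    the body decoded exactly once."""
    return parse_qs(body)["code"][0]


def server_accepts(code_param_value: str) -> bool:
    """Simulate the server's grant check: the decoded 'code' must equal the
    code it issued; any difference is the invalid_grant case."""
    body = build_token_request(code_param_value)["body"]
    return server_side_code(body) == ISSUED_CODE


if __name__ == "__main__":
    decoded = code_from_redirect(REDIRECT_URL)
    print("decoded code  :", decoded, "->", server_accepts(decoded))
    pasted = "Iz5jWzV00fcxhIAomMff_COjDsU8o_ifiLrdZK9U4wY%3D"   # taken verbatim from the URL
    print("pasted %3D    :", pasted, "->", server_accepts(pasted))
    print(build_token_request(decoded)["body"])
```

Running the script shows the decoded code round-tripping to the issued value while the pasted `%3D` form reaches the server as the literal text `...wY%3D` (the form encoder turned `%` into `%25`), which is exactly the kind of mismatch that yields `invalid_grant`. The body produced by `build_token_request` contains no `client_id`, matching the maintainer's point that a client using HTTP Basic should not also identify itself in the body.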

/oauth2/token endpoint parameter validate. · Issue #102 · spring-projects/spring-authorization-server