Describe the bug
When using the on_behalf_of grant type with Azure AD authentication, the AbstractRestClientOAuth2AccessTokenResponseClient incorrectly merges parameters from multiple converters (DefaultOAuth2TokenRequestParametersConverter and AadJwtBearerGrantRequestParameterConverter). This causes parameter values to be converted into lists instead of single values, resulting in duplicate grant type values being sent to the authorization server.
Exception or Stack Trace
[unsupported_grant_type] AADSTS70003: The app requested an unsupported grant type 'urn:ietf:params:oauth:grant-type:jwt-bearer,urn:ietf:params:oauth:grant-type:jwt-bearer'.
To Reproduce
- Configure a Spring Boot application with Azure AD OAuth2 authentication
- Set up an authorized client using the
on_behalf_of grant type
- Attempt to request an access token using the on-behalf-of flow
- The request fails with the AADSTS70003 error due to malformed grant type parameter
Code Snippet
The issue occurs in the addParametersConverter() method in AbstractRestClientOAuth2AccessTokenResponseClient.java. When composing converters, the method uses MultiValueMap.addAll() which appends values to existing keys rather than replacing them:
public final void addParametersConverter(Converter<T, MultiValueMap<String, String>> parametersConverter) {
// ... existing parameters from DefaultOAuth2TokenRequestParametersConverter
MultiValueMap<String, String> parametersToAdd = parametersConverter.convert(authorizationGrantRequest);
if (parametersToAdd != null) {
parameters.addAll(parametersToAdd); // This creates duplicate list values
}
return parameters;
}Expected behavior
Parameters should be properly merged such that when multiple converters provide the same parameter key, the final value should be a single string value, not a list. The grant type should appear once as urn:ietf:params:oauth:grant-type:jwt-bearer, not duplicated.
Setup (please complete the following information):
- OS: macOS
- IDE: IntelliJ IDEA 2025.2.6
- Library/Libraries:
com.azure.spring:spring-cloud-azure-starter:7.0.0-beta.1
- Java version: 25
- Frameworks: Spring Boot 4.0.1, Spring Security with OAuth2
- Build Tool: Maven
Describe the bug
When using the
on_behalf_ofgrant type with Azure AD authentication, theAbstractRestClientOAuth2AccessTokenResponseClientincorrectly merges parameters from multiple converters (DefaultOAuth2TokenRequestParametersConverterandAadJwtBearerGrantRequestParameterConverter). This causes parameter values to be converted into lists instead of single values, resulting in duplicate grant type values being sent to the authorization server.Exception or Stack Trace
To Reproduce
on_behalf_ofgrant typeCode Snippet
The issue occurs in the
addParametersConverter()method inAbstractRestClientOAuth2AccessTokenResponseClient.java. When composing converters, the method usesMultiValueMap.addAll()which appends values to existing keys rather than replacing them:Expected behavior
Parameters should be properly merged such that when multiple converters provide the same parameter key, the final value should be a single string value, not a list. The grant type should appear once as
urn:ietf:params:oauth:grant-type:jwt-bearer, not duplicated.Setup (please complete the following information):
com.azure.spring:spring-cloud-azure-starter:7.0.0-beta.1