Fix to save all values for multi-valued device grant parameters

Fixes gh-1269

Author: martin-lindstrom

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2DeviceAuthorizationConsentAuthenticationConverter.java

@@ -110,7 +110,7 @@ public Authentication convert(HttpServletRequest request) {
 					!key.equals(OAuth2ParameterNames.USER_CODE) &&
 					!key.equals(OAuth2ParameterNames.STATE) &&
 					!key.equals(OAuth2ParameterNames.SCOPE)) {
-				additionalParameters.put(key, value.get(0));
+				additionalParameters.put(key, value.size() == 1 ? value.get(0) : value.toArray(new String[0]));
 			}
 		});
 

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2DeviceAuthorizationRequestAuthenticationConverter.java

@@ -75,7 +75,7 @@ public Authentication convert(HttpServletRequest request) {
 		parameters.forEach((key, value) -> {
 			if (!key.equals(OAuth2ParameterNames.CLIENT_ID) &&
 					!key.equals(OAuth2ParameterNames.SCOPE)) {
-				additionalParameters.put(key, value.get(0));
+				additionalParameters.put(key, value.size() == 1 ? value.get(0) : value.toArray(new String[0]));
 			}
 		});
 

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2DeviceCodeAuthenticationConverter.java

@@ -74,7 +74,7 @@ public Authentication convert(HttpServletRequest request) {
 			if (!key.equals(OAuth2ParameterNames.GRANT_TYPE) &&
 					!key.equals(OAuth2ParameterNames.CLIENT_ID) &&
 					!key.equals(OAuth2ParameterNames.DEVICE_CODE)) {
-				additionalParameters.put(key, value.get(0));
+				additionalParameters.put(key, value.size() == 1 ? value.get(0) : value.toArray(new String[0]));
 			}
 		});
 

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2DeviceVerificationAuthenticationConverter.java

@@ -80,7 +80,7 @@ public Authentication convert(HttpServletRequest request) {
 		Map<String, Object> additionalParameters = new HashMap<>();
 		parameters.forEach((key, value) -> {
 			if (!key.equals(OAuth2ParameterNames.USER_CODE)) {
-				additionalParameters.put(key, value.get(0));
+				additionalParameters.put(key, value.size() == 1 ? value.get(0) : value.toArray(new String[0]));
 			}
 		});
 

oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2DeviceAuthorizationEndpointFilterTests.java

@@ -195,6 +195,7 @@ public void doFilterWhenDeviceAuthorizationRequestThenDeviceAuthorizationRespons
 
 		MockHttpServletRequest request = createRequest();
 		request.addParameter("custom-param-1", "custom-value-1");
+		request.addParameter("custom-param-2", "custom-value-2a", "custom-value-2b");
 		MockHttpServletResponse response = new MockHttpServletResponse();
 		FilterChain filterChain = mock(FilterChain.class);
 		this.filter.doFilter(request, response, filterChain);
@@ -211,7 +212,8 @@ public void doFilterWhenDeviceAuthorizationRequestThenDeviceAuthorizationRespons
 		assertThat(deviceAuthorizationRequestAuthentication.getPrincipal()).isEqualTo(clientPrincipal);
 		assertThat(deviceAuthorizationRequestAuthentication.getScopes()).isEmpty();
 		assertThat(deviceAuthorizationRequestAuthentication.getAdditionalParameters())
-				.containsExactly(entry("custom-param-1", "custom-value-1"));
+				.containsExactly(entry("custom-param-1", "custom-value-1"),
+					entry("custom-param-2", new String[] { "custom-value-2a", "custom-value-2b" }));
 		// @formatter:off
 		assertThat(deviceAuthorizationRequestAuthentication.getDetails())
 				.asInstanceOf(type(WebAuthenticationDetails.class))

oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2DeviceVerificationEndpointFilterTests.java

@@ -187,6 +187,7 @@ public void doFilterWhenDeviceAuthorizationConsentRequestThenSuccess() throws Ex
 		request.addParameter(OAuth2ParameterNames.STATE, STATE);
 		request.addParameter(OAuth2ParameterNames.USER_CODE, USER_CODE);
 		request.addParameter("custom-param-1", "custom-value-1");
+		request.addParameter("custom-param-2", "custom-value-2a", "custom-value-2b");
 		MockHttpServletResponse response = new MockHttpServletResponse();
 		FilterChain filterChain = mock(FilterChain.class);
 		this.filter.doFilter(request, response, filterChain);
@@ -207,7 +208,7 @@ public void doFilterWhenDeviceAuthorizationConsentRequestThenSuccess() throws Ex
 		assertThat(deviceAuthorizationConsentAuthentication.getUserCode()).isEqualTo(USER_CODE);
 		assertThat(deviceAuthorizationConsentAuthentication.getScopes()).containsExactly("scope-1", "scope-2");
 		assertThat(deviceAuthorizationConsentAuthentication.getAdditionalParameters())
-				.containsExactly(entry("custom-param-1", "custom-value-1"));
+				.containsExactly(entry("custom-param-1", "custom-value-1"), entry("custom-param-2", new String[]{ "custom-value-2a", "custom-value-2b" }));
 	}
 
 	@Test

oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2DeviceAuthorizationConsentAuthenticationConverterTests.java

@@ -246,7 +246,7 @@ public void convertWhenAllParametersThenReturnDeviceAuthorizationConsentAuthenti
 		request.addParameter(OAuth2ParameterNames.SCOPE, "message.read");
 		request.addParameter(OAuth2ParameterNames.SCOPE, "message.write");
 		request.addParameter("param-1", "value-1");
-		request.addParameter("param-2", "value-2");
+		request.addParameter("param-2", "value-2", "value-2b");
 
 		SecurityContextImpl securityContext = new SecurityContextImpl();
 		securityContext.setAuthentication(new TestingAuthenticationToken("user", null));
@@ -261,7 +261,8 @@ public void convertWhenAllParametersThenReturnDeviceAuthorizationConsentAuthenti
 		assertThat(authentication.getUserCode()).isEqualTo(USER_CODE);
 		assertThat(authentication.getScopes()).containsExactly("message.read", "message.write");
 		assertThat(authentication.getAdditionalParameters())
-				.containsExactly(entry("param-1", "value-1"), entry("param-2", "value-2"));
+				.containsExactly(entry("param-1", "value-1"),
+					entry("param-2", new String[]{"value-2", "value-2b"}));
 	}
 
 	@Test

oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2DeviceAuthorizationRequestAuthenticationConverterTests.java

@@ -95,7 +95,7 @@ public void convertWhenAllParametersThenReturnDeviceAuthorizationRequestAuthenti
 		request.addParameter(OAuth2ParameterNames.CLIENT_ID, CLIENT_ID);
 		request.addParameter(OAuth2ParameterNames.SCOPE, "message.read message.write");
 		request.addParameter("param-1", "value-1");
-		request.addParameter("param-2", "value-2");
+		request.addParameter("param-2", "value-2", "value-2b");
 
 		SecurityContextImpl securityContext = new SecurityContextImpl();
 		securityContext.setAuthentication(new TestingAuthenticationToken(CLIENT_ID, null));
@@ -108,7 +108,8 @@ public void convertWhenAllParametersThenReturnDeviceAuthorizationRequestAuthenti
 		assertThat(authentication.getAuthorizationUri()).endsWith(AUTHORIZATION_URI);
 		assertThat(authentication.getScopes()).containsExactly("message.read", "message.write");
 		assertThat(authentication.getAdditionalParameters())
-				.containsExactly(entry("param-1", "value-1"), entry("param-2", "value-2"));
+				.containsExactly(entry("param-1", "value-1"),
+					entry("param-2", new String[]{"value-2", "value-2b"}));
 	}
 
 	private static MockHttpServletRequest createRequest() {

oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2DeviceCodeAuthenticationConverterTests.java

@@ -102,7 +102,7 @@ public void convertWhenAllParametersThenReturnDeviceCodeAuthenticationToken() {
 		request.addParameter(OAuth2ParameterNames.GRANT_TYPE, AuthorizationGrantType.DEVICE_CODE.getValue());
 		request.addParameter(OAuth2ParameterNames.DEVICE_CODE, DEVICE_CODE);
 		request.addParameter("param-1", "value-1");
-		request.addParameter("param-2", "value-2");
+		request.addParameter("param-2", "value-2", "value-2b");
 
 		SecurityContextImpl securityContext = new SecurityContextImpl();
 		securityContext.setAuthentication(new TestingAuthenticationToken(CLIENT_ID, null));
@@ -114,7 +114,8 @@ public void convertWhenAllParametersThenReturnDeviceCodeAuthenticationToken() {
 		assertThat(authentication.getDeviceCode()).isEqualTo(DEVICE_CODE);
 		assertThat(authentication.getPrincipal()).isInstanceOf(TestingAuthenticationToken.class);
 		assertThat(authentication.getAdditionalParameters())
-				.containsExactly(entry("param-1", "value-1"), entry("param-2", "value-2"));
+				.containsExactly(entry("param-1", "value-1"),
+					entry("param-2", new String[]{"value-2", "value-2b"}));
 	}
 
 	private static MockHttpServletRequest createRequest() {

oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2DeviceVerificationAuthenticationConverterTests.java

@@ -144,7 +144,7 @@ public void convertWhenAllParametersThenReturnDeviceVerificationAuthentication()
 		MockHttpServletRequest request = createRequest();
 		request.addParameter(OAuth2ParameterNames.USER_CODE, USER_CODE);
 		request.addParameter("param-1", "value-1");
-		request.addParameter("param-2", "value-2");
+		request.addParameter("param-2", "value-2", "value-2b");
 
 		SecurityContextImpl securityContext = new SecurityContextImpl();
 		securityContext.setAuthentication(new TestingAuthenticationToken("user", null));
@@ -156,7 +156,8 @@ public void convertWhenAllParametersThenReturnDeviceVerificationAuthentication()
 		assertThat(authentication.getPrincipal()).isInstanceOf(TestingAuthenticationToken.class);
 		assertThat(authentication.getUserCode()).isEqualTo(USER_CODE);
 		assertThat(authentication.getAdditionalParameters())
-				.containsExactly(entry("param-1", "value-1"), entry("param-2", "value-2"));
+				.containsExactly(entry("param-1", "value-1"),
+					entry("param-2", new String[]{"value-2", "value-2b"}));
 	}
 
 	private static MockHttpServletRequest createRequest() {