
Fix json deserialization of multi-valued authorization request parameters

Closes gh-1666
MrJovanovic13 hace 1 año
padre
commit
72d7fb195e

+ 4 - 1
oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/OAuth2AuthorizationServerJackson2Module.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2022 the original author or authors.
+ * Copyright 2020-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -40,6 +40,7 @@ import org.springframework.security.oauth2.server.authorization.settings.OAuth2T
  * <li>{@link DurationMixin}</li>
  * <li>{@link JwsAlgorithmMixin}</li>
  * <li>{@link OAuth2TokenFormatMixin}</li>
+ * <li>{@link StringArrayMixin}</li>
  * </ul>
  *
  * If not already enabled, default typing will be automatically enabled as type info is
@@ -63,6 +64,7 @@ import org.springframework.security.oauth2.server.authorization.settings.OAuth2T
  * @see DurationMixin
  * @see JwsAlgorithmMixin
  * @see OAuth2TokenFormatMixin
+ * @see StringArrayMixin
  */
 public class OAuth2AuthorizationServerJackson2Module extends SimpleModule {
 
@@ -82,6 +84,7 @@ public class OAuth2AuthorizationServerJackson2Module extends SimpleModule {
 		context.setMixInAnnotations(SignatureAlgorithm.class, JwsAlgorithmMixin.class);
 		context.setMixInAnnotations(MacAlgorithm.class, JwsAlgorithmMixin.class);
 		context.setMixInAnnotations(OAuth2TokenFormat.class, OAuth2TokenFormatMixin.class);
+		context.setMixInAnnotations(String[].class, StringArrayMixin.class);
 	}
 
 }

+ 35 - 0
oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/StringArrayMixin.java

@@ -0,0 +1,35 @@
+/*
+ * Copyright 2020-2024 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.oauth2.server.authorization.jackson2;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonTypeInfo;
+
+/**
+ * This mixin class is used to serialize/deserialize {@link String} array.
+ *
+ * @author Nikola Jovanovic
+ * @since 1.2.6
+ * @see String
+ */
+@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
+abstract class StringArrayMixin {
+
+	@JsonCreator
+	StringArrayMixin(String[] array) {
+	}
+
+}
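Review bot: The Javadoc on `StringArrayMixin` says only that it serializes/deserializes a String array; it does not say why a JDK array type needs a mixin carrying `@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)`. The module Javadoc in this commit mentions that default typing is enabled, so presumably the mixin is what lets a `String[]` value be written with, and resolved from, a class type id. A sentence such as `Registers String[] so that multi-valued authorization request parameters can be read back when default typing is enabled (gh-1666).` would make that explicit for anyone auditing which types the module accepts during deserialization. `@see String` adds little and could become `@see OAuth2AuthorizationServerJackson2Module`.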

+ 12 - 1
oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/jackson2/OAuth2AuthorizationServerJackson2ModuleTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2022 the original author or authors.
+ * Copyright 2020-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -43,6 +43,9 @@ public class OAuth2AuthorizationServerJackson2ModuleTests {
 	private static final TypeReference<Set<String>> STRING_SET = new TypeReference<Set<String>>() {
 	};
 
+	private static final TypeReference<String[]> STRING_ARRAY = new TypeReference<String[]>() {
+	};
+
 	private ObjectMapper objectMapper;
 
 	@BeforeEach
@@ -73,4 +76,12 @@ public class OAuth2AuthorizationServerJackson2ModuleTests {
 		assertThat(this.objectMapper.readValue(json, STRING_SET)).isEqualTo(set);
 	}
 
+	// gh-1666
+	@Test
+	public void readValueWhenStringArrayThenSuccess() throws Exception {
+		String[] array = new String[] { "one", "two" };
+		String json = this.objectMapper.writeValueAsString(array);
+		assertThat(this.objectMapper.readValue(json, STRING_ARRAY)).isEqualTo(array);
+	}
+
 }
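Review bot: `readValueWhenStringArrayThenSuccess` round-trips a bare `String[]` through `STRING_ARRAY`, which does not exercise the case named in the commit title, where the array is presumably a value inside a parameter map that is read back as `Object`. A second test that writes and reads a `Map<String, Object>` holding `new String[] { "one", "two" }`, and asserts the value comes back as a `String[]` with the same elements, would pin the reported regression rather than only the top-level path. The test class body starts outside this hunk, so any existing map-based helper there is not visible from here.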