
NimbusAuthorizationCodeTokenExchanger uses authorizationRequest.redirectUri

Fixes gh-4701
Joe Grandja 7 years ago
parent
commit
b1d56b5821

+ 1 - 1
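--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/NimbusAuthorizationCodeTokenExchanger.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/NimbusAuthorizationCodeTokenExchanger.java
@@ -76,7 +76,7 @@ public class NimbusAuthorizationCodeTokenExchanger implements AuthorizationGrant
 		// Build the authorization code grant request for the token endpoint
 		AuthorizationCode authorizationCode = new AuthorizationCode(
 			authorizationGrantRequest.getAuthorizationExchange().getAuthorizationResponse().getCode());
-		URI redirectUri = toURI(clientRegistration.getRedirectUri());
+		URI redirectUri = toURI(authorizationGrantRequest.getAuthorizationExchange().getAuthorizationRequest().getRedirectUri());
 		AuthorizationGrant authorizationCodeGrant = new AuthorizationCodeGrant(authorizationCode, redirectUri);
 		URI tokenUri = toURI(clientRegistration.getProviderDetails().getTokenUri());
 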
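Review bot: The new `redirectUri` line does not say why the value is read from the saved authorization request instead of from `clientRegistration`, and this commit deletes the only comment that gave the reason (the block removed from OAuth2LoginAuthenticationFilter). I would carry that reasoning over directly above the line, for example `// redirect_uri MUST be identical to the one sent in the authorization request (RFC 6749, Section 4.1.3); clientRegistration.redirectUri may still contain unexpanded URI template variables`. Without it, a later cleanup could switch back to the registration value and make the token request fail at the provider. How `toURI` treats a null redirect URI is not visible here and is worth confirming, since the parameter is optional in an authorization request. The enclosing method starts and ends outside this hunk.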

+ 0 - 24
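--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistration.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistration.java
@@ -19,7 +19,6 @@ import org.springframework.security.oauth2.core.AuthorizationGrantType;
 import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
 import org.springframework.security.oauth2.core.oidc.OidcScopes;
 import org.springframework.util.Assert;
-import org.springframework.util.CollectionUtils;
 
 import java.util.Arrays;
 import java.util.Collections;
@@ -130,11 +129,6 @@ public final class ClientRegistration {
 		return new Builder(registrationId);
 	}
 
-	public static Builder from(ClientRegistration clientRegistration) {
-		Assert.notNull(clientRegistration, "clientRegistration cannot be null");
-		return new Builder(clientRegistration);
-	}
-
 	public static class Builder {
 		private String registrationId;
 		private String clientId;
@@ -154,24 +148,6 @@ public final class ClientRegistration {
 			this.registrationId = registrationId;
 		}
 
-		private Builder(ClientRegistration clientRegistration) {
-			this(clientRegistration.getRegistrationId());
-			this.clientId(clientRegistration.getClientId());
-			this.clientSecret(clientRegistration.getClientSecret());
-			this.clientAuthenticationMethod(clientRegistration.getClientAuthenticationMethod());
-			this.authorizationGrantType(clientRegistration.getAuthorizationGrantType());
-			this.redirectUri(clientRegistration.getRedirectUri());
-			if (!CollectionUtils.isEmpty(clientRegistration.getScopes())) {
-				this.scope(clientRegistration.getScopes().toArray(new String[0]));
-			}
-			this.authorizationUri(clientRegistration.getProviderDetails().getAuthorizationUri());
-			this.tokenUri(clientRegistration.getProviderDetails().getTokenUri());
-			this.userInfoUri(clientRegistration.getProviderDetails().getUserInfoEndpoint().getUri());
-			this.userNameAttributeName(clientRegistration.getProviderDetails().getUserInfoEndpoint().getUserNameAttributeName());
-			this.jwkSetUri(clientRegistration.getProviderDetails().getJwkSetUri());
-			this.clientName(clientRegistration.getClientName());
-		}
-
 		public Builder clientId(String clientId) {
 			this.clientId = clientId;
 			return this;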

+ 0 - 11
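--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/OAuth2LoginAuthenticationFilter.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/OAuth2LoginAuthenticationFilter.java
@@ -124,17 +124,6 @@ public class OAuth2LoginAuthenticationFilter extends AbstractAuthenticationProce
 		String registrationId = (String)authorizationRequest.getAdditionalParameters().get(OAuth2ParameterNames.REGISTRATION_ID);
 		ClientRegistration clientRegistration = this.clientRegistrationRepository.findByRegistrationId(registrationId);
 
-		// The clientRegistration.redirectUri may contain Uri template variables, whether it's configured by
-		// the user or configured by default. In these cases, the redirectUri will be expanded and ultimately changed
-		// (by OAuth2AuthorizationRequestRedirectFilter) before setting it in the authorization request.
-		// The resulting redirectUri used for the authorization request and saved within the AuthorizationRequestRepository
-		// MUST BE the same one used to complete the authorization code flow.
-		// Therefore, we'll create a copy of the clientRegistration and override the redirectUri
-		// with the one contained in authorizationRequest.
-		clientRegistration = ClientRegistration.from(clientRegistration)
-			.redirectUri(authorizationRequest.getRedirectUri())
-			.build();
-
 		OAuth2LoginAuthenticationToken authenticationRequest = new OAuth2LoginAuthenticationToken(
 				clientRegistration, new OAuth2AuthorizationExchange(authorizationRequest, authorizationResponse));
 		authenticationRequest.setDetails(this.authenticationDetailsSource.buildDetails(request));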