Hello @jgrandja, I solved this problem by upgrading Spring Boot from 3.1.1 to 3.1.2. This updates Spring Security to version 6.1.2, where there is already a fix for the "continue" case, which also solves the deserialization problem.
If anyone else is having this type of problem, this would be the solution.
Describe the bug
After version 1.1.1, an implementation was changed and is causing a bug when the parameter continue is submitted with the URL. This implementation occurs in class OAuth2AuthorizationCodeRequestAuthenticationConverter in line 141. After this, the request is being converted from an ArrayList to an array of String, as below:
After that, when the repository looks in the database table for the authorization code to perform the exchange for a token, it finds this in column attributes of the oauth2_authorization table:
&continue=%5BLjava.lang.String;@a598662
Then the String array has no serializer registered and the following error occurs:
The Spring Security bug in the "continue" parameter, related here, may be affecting this issue: spring-projects/spring-security#13438
To Reproduce
Make a request to the authorize endpoint with the "continue" parameter using the authorization code flow. After that, make a request to the "token" endpoint to perform the exchange for a token.
Expected behavior
Make the exchange without any issues.
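The stored value reported above has the shape Java produces when a String[] is rendered through Object.toString(). The following is an added example, not code from Spring Authorization Server or from the issue author: it reproduces that shape, shows the per-element expansion that avoids it, and gives a pattern for spotting such values in stored attributes. The class, method names and sample map are assumptions, and percent-encoding is left out for brevity.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

public class ContinueParamDemo {

    // Matches the default Object.toString() of a String[] ("[Ljava.lang.String;@<hex>"),
    // raw or with the leading '[' percent-encoded as in the stored value on this page.
    static final Pattern ARRAY_TO_STRING =
            Pattern.compile("(?:\\[|%5B)Ljava\\.lang\\.String;@[0-9a-f]+", Pattern.CASE_INSENSITIVE);

    // Buggy shape (hypothetical helper): each value is appended as one object,
    // so a String[] goes through Object.toString().
    static String naiveQuery(Map<String, Object> params) {
        StringBuilder sb = new StringBuilder();
        params.forEach((k, v) -> sb.append('&').append(k).append('=').append(v));
        return sb.toString();
    }

    // Corrected shape (hypothetical helper): arrays become one name=value pair per element.
    static String expandedQuery(Map<String, Object> params) {
        StringBuilder sb = new StringBuilder();
        params.forEach((k, v) -> {
            Object[] values = (v instanceof Object[]) ? (Object[]) v : new Object[] {v};
            for (Object value : values) {
                sb.append('&').append(k).append('=').append(value);
            }
        });
        return sb.toString();
    }

    // True when a stored attribute string carries a leaked array identity.
    static boolean looksCorrupted(String stored) {
        return ARRAY_TO_STRING.matcher(stored).find();
    }

    public static void main(String[] args) {
        // Constructed sample: an empty "continue" parameter, held as a list and then converted.
        List<String> asList = new ArrayList<>(List.of(""));
        Map<String, Object> params = new LinkedHashMap<>();
        params.put("continue", asList.toArray(new String[0]));

        String naive = naiveQuery(params);
        String expanded = expandedQuery(params);
        System.out.println(naive + " corrupted=" + looksCorrupted(naive));
        System.out.println(expanded + " corrupted=" + looksCorrupted(expanded));
    }
}
```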