Polish gh-88

config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2AuthorizationServerConfigurer.java

@@ -19,9 +19,11 @@ import org.springframework.beans.factory.BeanFactoryUtils;
 import org.springframework.beans.factory.NoUniqueBeanDefinitionException;
 import org.springframework.context.ApplicationContext;
 import org.springframework.http.HttpMethod;
+import org.springframework.http.HttpStatus;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
+import org.springframework.security.config.annotation.web.configurers.ExceptionHandlingConfigurer;
 import org.springframework.security.oauth2.server.authorization.InMemoryOAuth2AuthorizationService;
 import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeAuthenticationProvider;
@@ -32,6 +34,7 @@ import org.springframework.security.oauth2.server.authorization.web.OAuth2Author
 import org.springframework.security.oauth2.server.authorization.web.OAuth2ClientAuthenticationFilter;
 import org.springframework.security.oauth2.server.authorization.web.OAuth2TokenEndpointFilter;
 import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
+import org.springframework.security.web.authentication.HttpStatusEntryPoint;
 import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.springframework.util.Assert;
@@ -89,12 +92,22 @@ public final class OAuth2AuthorizationServerConfigurer<B extends HttpSecurityBui
 				new OAuth2AuthorizationCodeAuthenticationProvider(
 						getRegisteredClientRepository(builder),
 						getAuthorizationService(builder));
-
-		OAuth2ClientCredentialsAuthenticationProvider clientCredentialsAuthenticationProvider
-				= new OAuth2ClientCredentialsAuthenticationProvider();
-
 		builder.authenticationProvider(postProcess(authorizationCodeAuthenticationProvider));
+
+		OAuth2ClientCredentialsAuthenticationProvider clientCredentialsAuthenticationProvider =
+				new OAuth2ClientCredentialsAuthenticationProvider(
+						getAuthorizationService(builder));
 		builder.authenticationProvider(postProcess(clientCredentialsAuthenticationProvider));
+
+		ExceptionHandlingConfigurer<B> exceptionHandling = builder.getConfigurer(ExceptionHandlingConfigurer.class);
+		if (exceptionHandling != null) {
+			// Register the default AuthenticationEntryPoint for the token endpoint
+			exceptionHandling.defaultAuthenticationEntryPointFor(
+					new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED),
+					new AntPathRequestMatcher(
+							OAuth2TokenEndpointFilter.DEFAULT_TOKEN_ENDPOINT_URI,
+							HttpMethod.POST.name()));
+		}
 	}
 
 	@Override

core/src/main/java/org/springframework/security/oauth2/server/authorization/OAuth2Authorization.java

@@ -210,7 +210,6 @@ public class OAuth2Authorization implements Serializable {
 		 */
 		public OAuth2Authorization build() {
 			Assert.hasText(this.principalName, "principalName cannot be empty");
-			Assert.notNull(this.attributes.get(OAuth2AuthorizationAttributeNames.CODE), "authorization code cannot be null");
 
 			OAuth2Authorization authorization = new OAuth2Authorization();
 			authorization.registeredClientId = this.registeredClientId;

core/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2ClientCredentialsAuthenticationProvider.java

@@ -15,11 +15,6 @@
  */
 package org.springframework.security.oauth2.server.authorization.authentication;
 
-import java.time.Instant;
-import java.time.temporal.ChronoUnit;
-import java.util.Base64;
-import java.util.Set;
-
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
@@ -29,6 +24,18 @@ import org.springframework.security.oauth2.core.OAuth2AccessToken;
 import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
 import org.springframework.security.oauth2.core.OAuth2Error;
 import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
+import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
+import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
+import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
+import org.springframework.util.Assert;
+import org.springframework.util.CollectionUtils;
+
+import java.time.Instant;
+import java.time.temporal.ChronoUnit;
+import java.util.Base64;
+import java.util.LinkedHashSet;
+import java.util.Set;
+import java.util.stream.Collectors;
 
 /**
  * An {@link AuthenticationProvider} implementation for the OAuth 2.0 Client Credentials Grant.
@@ -36,46 +43,63 @@ import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
  * @author Alexey Nesterov
  * @since 0.0.1
  * @see OAuth2ClientCredentialsAuthenticationToken
+ * @see OAuth2AccessTokenAuthenticationToken
+ * @see OAuth2AuthorizationService
  * @see <a target="_blank" href="https://tools.ietf.org/html/rfc6749#section-4.4">Section 4.4 Client Credentials Grant</a>
  * @see <a target="_blank" href="https://tools.ietf.org/html/rfc6749#section-4.4.2">Section 4.4.2 Access Token Request</a>
  */
-
 public class OAuth2ClientCredentialsAuthenticationProvider implements AuthenticationProvider {
-
+	private final OAuth2AuthorizationService authorizationService;
 	private final StringKeyGenerator accessTokenGenerator = new Base64StringKeyGenerator(Base64.getUrlEncoder());
 
+	/**
+	 * Constructs an {@code OAuth2ClientCredentialsAuthenticationProvider} using the provided parameters.
+	 *
+	 * @param authorizationService the authorization service
+	 */
+	public OAuth2ClientCredentialsAuthenticationProvider(OAuth2AuthorizationService authorizationService) {
+		Assert.notNull(authorizationService, "authorizationService cannot be null");
+		this.authorizationService = authorizationService;
+	}
+
 	@Override
 	public Authentication authenticate(Authentication authentication) throws AuthenticationException {
-		OAuth2ClientCredentialsAuthenticationToken clientCredentialsAuthenticationToken =
+		OAuth2ClientCredentialsAuthenticationToken clientCredentialsAuthentication =
 				(OAuth2ClientCredentialsAuthenticationToken) authentication;
 
 		OAuth2ClientAuthenticationToken clientPrincipal = null;
-		if (OAuth2ClientAuthenticationToken.class.isAssignableFrom(clientCredentialsAuthenticationToken.getPrincipal().getClass())) {
+		if (OAuth2ClientAuthenticationToken.class.isAssignableFrom(clientCredentialsAuthentication.getPrincipal().getClass())) {
-			clientPrincipal = (OAuth2ClientAuthenticationToken) clientCredentialsAuthenticationToken.getPrincipal();
+			clientPrincipal = (OAuth2ClientAuthenticationToken) clientCredentialsAuthentication.getPrincipal();
 		}
-
 		if (clientPrincipal == null || !clientPrincipal.isAuthenticated()) {
 			throw new OAuth2AuthenticationException(new OAuth2Error(OAuth2ErrorCodes.INVALID_CLIENT));
 		}
+		RegisteredClient registeredClient = clientPrincipal.getRegisteredClient();
 
-		Set<String> clientScopes = clientPrincipal.getRegisteredClient().getScopes();
+		Set<String> scopes = registeredClient.getScopes();		// Default to configured scopes
-		Set<String> requestedScopes = clientCredentialsAuthenticationToken.getScopes();
+		if (!CollectionUtils.isEmpty(clientCredentialsAuthentication.getScopes())) {
-		if (!clientScopes.containsAll(requestedScopes)) {
+			Set<String> unauthorizedScopes = clientCredentialsAuthentication.getScopes().stream()
+					.filter(requestedScope -> !registeredClient.getScopes().contains(requestedScope))
+					.collect(Collectors.toSet());
+			if (!CollectionUtils.isEmpty(unauthorizedScopes)) {
 				throw new OAuth2AuthenticationException(new OAuth2Error(OAuth2ErrorCodes.INVALID_SCOPE));
 			}
-
+			scopes = new LinkedHashSet<>(clientCredentialsAuthentication.getScopes());
-		if (requestedScopes == null || requestedScopes.isEmpty()) {
-			requestedScopes = clientScopes;
 		}
 
 		String tokenValue = this.accessTokenGenerator.generateKey();
 		Instant issuedAt = Instant.now();
 		Instant expiresAt = issuedAt.plus(1, ChronoUnit.HOURS);		// TODO Allow configuration for access token lifespan
 		OAuth2AccessToken accessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,
-				tokenValue, issuedAt, expiresAt, requestedScopes);
+				tokenValue, issuedAt, expiresAt, scopes);
 
-		return new OAuth2AccessTokenAuthenticationToken(
+		OAuth2Authorization authorization = OAuth2Authorization.withRegisteredClient(registeredClient)
-				clientPrincipal.getRegisteredClient(), clientPrincipal, accessToken);
+				.principalName(clientPrincipal.getName())
+				.accessToken(accessToken)
+				.build();
+		this.authorizationService.save(authorization);
+
+		return new OAuth2AccessTokenAuthenticationToken(registeredClient, clientPrincipal, accessToken);
 	}
 
 	@Override

core/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2ClientCredentialsAuthenticationToken.java

@@ -13,48 +13,52 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-
 package org.springframework.security.oauth2.server.authorization.authentication;
 
-import java.util.Collections;
-import java.util.Set;
-
 import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.oauth2.server.authorization.Version;
 import org.springframework.util.Assert;
 
+import java.util.Collections;
+import java.util.LinkedHashSet;
+import java.util.Set;
+
 /**
  * An {@link Authentication} implementation used for the OAuth 2.0 Client Credentials Grant.
  *
  * @author Alexey Nesterov
  * @since 0.0.1
- * @see Authentication
+ * @see AbstractAuthenticationToken
  * @see OAuth2ClientCredentialsAuthenticationProvider
+ * @see OAuth2ClientAuthenticationToken
  */
 public class OAuth2ClientCredentialsAuthenticationToken extends AbstractAuthenticationToken {
-
 	private static final long serialVersionUID = Version.SERIAL_VERSION_UID;
-
 	private final Authentication clientPrincipal;
 	private final Set<String> scopes;
 
+	/**
+	 * Constructs an {@code OAuth2ClientCredentialsAuthenticationToken} using the provided parameters.
+	 *
+	 * @param clientPrincipal the authenticated client principal
+	 */
+	public OAuth2ClientCredentialsAuthenticationToken(Authentication clientPrincipal) {
+		this(clientPrincipal, Collections.emptySet());
+	}
+
+	/**
+	 * Constructs an {@code OAuth2ClientCredentialsAuthenticationToken} using the provided parameters.
+	 *
+	 * @param clientPrincipal the authenticated client principal
+	 * @param scopes the requested scope(s)
+	 */
 	public OAuth2ClientCredentialsAuthenticationToken(Authentication clientPrincipal, Set<String> scopes) {
 		super(Collections.emptyList());
 		Assert.notNull(clientPrincipal, "clientPrincipal cannot be null");
 		Assert.notNull(scopes, "scopes cannot be null");
 		this.clientPrincipal = clientPrincipal;
-		this.scopes = scopes;
+		this.scopes = Collections.unmodifiableSet(new LinkedHashSet<>(scopes));
-	}
-
-	@SuppressWarnings("unchecked")
-	public OAuth2ClientCredentialsAuthenticationToken(OAuth2ClientAuthenticationToken clientPrincipal) {
-		this(clientPrincipal, Collections.EMPTY_SET);
-	}
-
-	@Override
-	public Object getCredentials() {
-		return "";
 	}
 
 	@Override
@@ -62,6 +66,16 @@ public class OAuth2ClientCredentialsAuthenticationToken extends AbstractAuthenti
 		return this.clientPrincipal;
 	}
 
+	@Override
+	public Object getCredentials() {
+		return "";
+	}
+
+	/**
+	 * Returns the requested scope(s).
+	 *
+	 * @return the requested scope(s), or an empty {@code Set} if not available
+	 */
 	public Set<String> getScopes() {
 		return this.scopes;
 	}

core/src/main/java/org/springframework/security/oauth2/server/authorization/web/DelegatingAuthorizationGrantAuthenticationConverter.java

@@ -13,13 +13,8 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-
 package org.springframework.security.oauth2.server.authorization.web;
 
-import javax.servlet.http.HttpServletRequest;
-import java.util.Collections;
-import java.util.Map;
-
 import org.springframework.core.convert.converter.Converter;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.oauth2.core.AuthorizationGrantType;
@@ -27,31 +22,43 @@ import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
 import org.springframework.util.Assert;
 import org.springframework.util.StringUtils;
 
+import javax.servlet.http.HttpServletRequest;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+
 /**
- * A {@link Converter} that delegates actual conversion to one of the provided converters based on grant_type param of a request.
+ * A {@link Converter} that selects (and delegates) to one of the internal {@code Map} of {@link Converter}'s
- * Returns null is grant type is not specified or not supported.
+ * using the {@link OAuth2ParameterNames#GRANT_TYPE} request parameter.
  *
  * @author Alexey Nesterov
  * @since 0.0.1
  */
 public final class DelegatingAuthorizationGrantAuthenticationConverter implements Converter<HttpServletRequest, Authentication> {
-
 	private final Map<AuthorizationGrantType, Converter<HttpServletRequest, Authentication>> converters;
 
-	public DelegatingAuthorizationGrantAuthenticationConverter(Map<AuthorizationGrantType, Converter<HttpServletRequest, Authentication>> converters) {
+	/**
+	 * Constructs a {@code DelegatingAuthorizationGrantAuthenticationConverter} using the provided parameters.
+	 *
+	 * @param converters a {@code Map} of {@link Converter}(s)
+	 */
+	public DelegatingAuthorizationGrantAuthenticationConverter(
+			Map<AuthorizationGrantType, Converter<HttpServletRequest, Authentication>> converters) {
 		Assert.notEmpty(converters, "converters cannot be empty");
-
+		this.converters = Collections.unmodifiableMap(new HashMap<>(converters));
-		this.converters = Collections.unmodifiableMap(converters);
 	}
 
 	@Override
 	public Authentication convert(HttpServletRequest request) {
+		Assert.notNull(request, "request cannot be null");
+
 		String grantType = request.getParameter(OAuth2ParameterNames.GRANT_TYPE);
 		if (StringUtils.isEmpty(grantType)) {
 			return null;
 		}
 
-		Converter<HttpServletRequest, Authentication> converter = this.converters.get(new AuthorizationGrantType(grantType));
+		Converter<HttpServletRequest, Authentication> converter =
+				this.converters.get(new AuthorizationGrantType(grantType));
 		if (converter == null) {
 			return null;
 		}

core/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2TokenEndpointFilter.java

@@ -35,7 +35,6 @@ import org.springframework.security.oauth2.core.http.converter.OAuth2ErrorHttpMe
 import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AccessTokenAuthenticationToken;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeAuthenticationToken;
-import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientCredentialsAuthenticationToken;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
@@ -94,7 +93,6 @@ public class OAuth2TokenEndpointFilter extends OncePerRequestFilter {
 	private final OAuth2AuthorizationService authorizationService;
 	private final RequestMatcher tokenEndpointMatcher;
 	private final Converter<HttpServletRequest, Authentication> authorizationGrantAuthenticationConverter;
-
 	private final HttpMessageConverter<OAuth2AccessTokenResponse> accessTokenHttpResponseConverter =
 			new OAuth2AccessTokenResponseHttpMessageConverter();
 	private final HttpMessageConverter<OAuth2Error> errorHttpResponseConverter =
@@ -126,7 +124,6 @@ public class OAuth2TokenEndpointFilter extends OncePerRequestFilter {
 		this.authenticationManager = authenticationManager;
 		this.authorizationService = authorizationService;
 		this.tokenEndpointMatcher = new AntPathRequestMatcher(tokenEndpointUri, HttpMethod.POST.name());
-
 		Map<AuthorizationGrantType, Converter<HttpServletRequest, Authentication>> converters = new HashMap<>();
 		converters.put(AuthorizationGrantType.AUTHORIZATION_CODE, new AuthorizationCodeAuthenticationConverter());
 		converters.put(AuthorizationGrantType.CLIENT_CREDENTIALS, new ClientCredentialsAuthenticationConverter());
@@ -144,18 +141,19 @@ public class OAuth2TokenEndpointFilter extends OncePerRequestFilter {
 
 		try {
 			String[] grantTypes = request.getParameterValues(OAuth2ParameterNames.GRANT_TYPE);
-			if (grantTypes == null || grantTypes.length == 0) {
+			if (grantTypes == null || grantTypes.length != 1) {
-				throwError(OAuth2ErrorCodes.INVALID_REQUEST, "grant_type");
+				throwError(OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ParameterNames.GRANT_TYPE);
 			}
 
 			Authentication authorizationGrantAuthentication = this.authorizationGrantAuthenticationConverter.convert(request);
 			if (authorizationGrantAuthentication == null) {
-				throwError(OAuth2ErrorCodes.UNSUPPORTED_GRANT_TYPE, "grant_type");
+				throwError(OAuth2ErrorCodes.UNSUPPORTED_GRANT_TYPE, OAuth2ParameterNames.GRANT_TYPE);
 			}
 
 			OAuth2AccessTokenAuthenticationToken accessTokenAuthentication =
 					(OAuth2AccessTokenAuthenticationToken) this.authenticationManager.authenticate(authorizationGrantAuthentication);
 			sendAccessTokenResponse(response, accessTokenAuthentication.getAccessToken());
+
 		} catch (OAuth2AuthenticationException ex) {
 			SecurityContextHolder.clearContext();
 			sendErrorResponse(response, ex.getError());
@@ -191,18 +189,14 @@ public class OAuth2TokenEndpointFilter extends OncePerRequestFilter {
 
 		@Override
 		public Authentication convert(HttpServletRequest request) {
-			MultiValueMap<String, String> parameters = OAuth2EndpointUtils.getParameters(request);
-
 			// grant_type (REQUIRED)
-			String grantType = parameters.getFirst(OAuth2ParameterNames.GRANT_TYPE);
+			String grantType = request.getParameter(OAuth2ParameterNames.GRANT_TYPE);
-			if (!StringUtils.hasText(grantType) ||
-					parameters.get(OAuth2ParameterNames.GRANT_TYPE).size() != 1) {
-				throwError(OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ParameterNames.GRANT_TYPE);
-			}
 			if (!AuthorizationGrantType.AUTHORIZATION_CODE.getValue().equals(grantType)) {
-				throwError(OAuth2ErrorCodes.UNSUPPORTED_GRANT_TYPE, OAuth2ParameterNames.GRANT_TYPE);
+				return null;
 			}
 
+			MultiValueMap<String, String> parameters = OAuth2EndpointUtils.getParameters(request);
+
 			// client_id (REQUIRED)
 			String clientId = parameters.getFirst(OAuth2ParameterNames.CLIENT_ID);
 			Authentication clientPrincipal = null;
@@ -239,24 +233,29 @@ public class OAuth2TokenEndpointFilter extends OncePerRequestFilter {
 
 		@Override
 		public Authentication convert(HttpServletRequest request) {
-			final Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
-			final OAuth2ClientAuthenticationToken clientAuthenticationToken = (OAuth2ClientAuthenticationToken) authentication;
-
 			// grant_type (REQUIRED)
 			String grantType = request.getParameter(OAuth2ParameterNames.GRANT_TYPE);
 			if (!AuthorizationGrantType.CLIENT_CREDENTIALS.getValue().equals(grantType)) {
-				throwError(OAuth2ErrorCodes.UNSUPPORTED_GRANT_TYPE, OAuth2ParameterNames.GRANT_TYPE);
+				return null;
 			}
 
+			Authentication clientPrincipal = SecurityContextHolder.getContext().getAuthentication();
+
+			MultiValueMap<String, String> parameters = OAuth2EndpointUtils.getParameters(request);
+
 			// scope (OPTIONAL)
-			// https://tools.ietf.org/html/rfc6749#section-4.4.2
+			String scope = parameters.getFirst(OAuth2ParameterNames.SCOPE);
-			String scopeParameter = request.getParameter(OAuth2ParameterNames.SCOPE);
+			if (StringUtils.hasText(scope) &&
-			if (StringUtils.isEmpty(scopeParameter)) {
+					parameters.get(OAuth2ParameterNames.SCOPE).size() != 1) {
-				return new OAuth2ClientCredentialsAuthenticationToken(clientAuthenticationToken);
+				throwError(OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ParameterNames.SCOPE);
+			}
+			if (StringUtils.hasText(scope)) {
+				Set<String> requestedScopes = new HashSet<>(
+						Arrays.asList(StringUtils.delimitedListToStringArray(scope, " ")));
+				return new OAuth2ClientCredentialsAuthenticationToken(clientPrincipal, requestedScopes);
 			}
 
-			Set<String> requestedScopes = new HashSet<>(Arrays.asList(StringUtils.delimitedListToStringArray(scopeParameter, " ")));
+			return new OAuth2ClientCredentialsAuthenticationToken(clientPrincipal);
-			return new OAuth2ClientCredentialsAuthenticationToken(clientAuthenticationToken, requestedScopes);
 		}
 	}
 }

core/src/test/java/org/springframework/security/oauth2/server/authorization/OAuth2AuthorizationTests.java

@@ -75,15 +75,6 @@ public class OAuth2AuthorizationTests {
 				.hasMessage("principalName cannot be empty");
 	}
 
-	@Test
-	public void buildWhenAuthorizationCodeNotProvidedThenThrowIllegalArgumentException() {
-		assertThatThrownBy(() ->
-				OAuth2Authorization.withRegisteredClient(REGISTERED_CLIENT)
-						.principalName(PRINCIPAL_NAME).build())
-				.isInstanceOf(IllegalArgumentException.class)
-				.hasMessage("authorization code cannot be null");
-	}
-
 	@Test
 	public void attributeWhenNameNullThenThrowIllegalArgumentException() {
 		assertThatThrownBy(() ->

core/src/test/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2ClientCredentialsAuthenticationProviderTests.java

@@ -13,104 +13,130 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-
 package org.springframework.security.oauth2.server.authorization.authentication;
 
-import java.util.Collections;
-
 import org.junit.Before;
 import org.junit.Test;
-
+import org.mockito.ArgumentCaptor;
-import org.springframework.security.core.Authentication;
+import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
+import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
+import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
+import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
 import org.springframework.security.oauth2.server.authorization.client.TestRegisteredClients;
 
+import java.util.Collections;
+import java.util.Set;
+
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatThrownBy;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.verify;
 
 /**
+ * Tests for {@link OAuth2ClientCredentialsAuthenticationProvider}.
+ *
  * @author Alexey Nesterov
+ * @author Joe Grandja
  */
 public class OAuth2ClientCredentialsAuthenticationProviderTests {
-
+	private RegisteredClient registeredClient;
-	private static final RegisteredClient EXISTING_CLIENT = TestRegisteredClients.registeredClient().build();
+	private OAuth2AuthorizationService authorizationService;
 	private OAuth2ClientCredentialsAuthenticationProvider authenticationProvider;
 
 	@Before
 	public void setUp() {
-		this.authenticationProvider = new OAuth2ClientCredentialsAuthenticationProvider();
+		this.registeredClient = TestRegisteredClients.registeredClient().build();
+		this.authorizationService = mock(OAuth2AuthorizationService.class);
+		this.authenticationProvider = new OAuth2ClientCredentialsAuthenticationProvider(this.authorizationService);
 	}
 
 	@Test
-	public void supportsWhenSupportedClassThenTrue() {
+	public void constructorWhenAuthorizationServiceNullThenThrowIllegalArgumentException() {
+		assertThatThrownBy(() -> new OAuth2ClientCredentialsAuthenticationProvider(null))
+				.isInstanceOf(IllegalArgumentException.class)
+				.hasMessage("authorizationService cannot be null");
+	}
+
+	@Test
+	public void supportsWhenSupportedAuthenticationThenTrue() {
 		assertThat(this.authenticationProvider.supports(OAuth2ClientCredentialsAuthenticationToken.class)).isTrue();
 	}
 
 	@Test
-	public void supportsWhenUnsupportedClassThenFalse() {
+	public void supportsWhenUnsupportedAuthenticationThenFalse() {
-		assertThat(this.authenticationProvider.supports(OAuth2AuthorizationCodeAuthenticationProvider.class)).isFalse();
+		assertThat(this.authenticationProvider.supports(OAuth2AuthorizationCodeAuthenticationToken.class)).isFalse();
 	}
 
 	@Test
-	public void authenticateWhenValidAuthenticationThenReturnTokenWithClient() {
+	public void authenticateWhenClientPrincipalNotOAuth2ClientAuthenticationTokenThenThrowOAuth2AuthenticationException() {
-		Authentication authentication = this.authenticationProvider.authenticate(getAuthentication());
+		TestingAuthenticationToken clientPrincipal = new TestingAuthenticationToken(
-		assertThat(authentication).isInstanceOf(OAuth2AccessTokenAuthenticationToken.class);
+				this.registeredClient.getClientId(), this.registeredClient.getClientSecret());
-
+		OAuth2ClientCredentialsAuthenticationToken authentication = new OAuth2ClientCredentialsAuthenticationToken(clientPrincipal);
-		OAuth2AccessTokenAuthenticationToken token = (OAuth2AccessTokenAuthenticationToken) authentication;
-		assertThat(token.getRegisteredClient()).isEqualTo(EXISTING_CLIENT);
-	}
-
-	@Test
-	public void authenticateWhenValidAuthenticationThenGenerateTokenValue() {
-		Authentication authentication = this.authenticationProvider.authenticate(getAuthentication());
-		OAuth2AccessTokenAuthenticationToken token = (OAuth2AccessTokenAuthenticationToken) authentication;
-		assertThat(token.getAccessToken().getTokenValue()).isNotBlank();
-	}
-
-	@Test
-	public void authenticateWhenValidateScopeThenReturnTokenWithScopes() {
-		Authentication authentication = this.authenticationProvider.authenticate(getAuthentication());
-		OAuth2AccessTokenAuthenticationToken token = (OAuth2AccessTokenAuthenticationToken) authentication;
-		assertThat(token.getAccessToken().getScopes()).containsAll(EXISTING_CLIENT.getScopes());
-	}
-
-	@Test
-	public void authenticateWhenNoScopeRequestedThenUseDefaultScopes() {
-		OAuth2ClientCredentialsAuthenticationToken authenticationToken = new OAuth2ClientCredentialsAuthenticationToken(new OAuth2ClientAuthenticationToken(EXISTING_CLIENT));
-		Authentication authentication = this.authenticationProvider.authenticate(authenticationToken);
-		OAuth2AccessTokenAuthenticationToken token = (OAuth2AccessTokenAuthenticationToken) authentication;
-		assertThat(token.getAccessToken().getScopes()).containsAll(EXISTING_CLIENT.getScopes());
-	}
-
-	@Test
-	public void authenticateWhenInvalidSecretThenThrowException() {
-		OAuth2ClientCredentialsAuthenticationToken authentication = new OAuth2ClientCredentialsAuthenticationToken(
-				new OAuth2ClientAuthenticationToken(EXISTING_CLIENT.getClientId(), "not-a-valid-secret"));
 
 		assertThatThrownBy(() -> this.authenticationProvider.authenticate(authentication))
-				.isInstanceOf(OAuth2AuthenticationException.class);
+				.isInstanceOf(OAuth2AuthenticationException.class)
+				.extracting(ex -> ((OAuth2AuthenticationException) ex).getError())
+				.extracting("errorCode")
+				.isEqualTo(OAuth2ErrorCodes.INVALID_CLIENT);
 	}
 
 	@Test
-	public void authenticateWhenNonExistingClientThenThrowException() {
+	public void authenticateWhenClientPrincipalNotAuthenticatedThenThrowOAuth2AuthenticationException() {
-		OAuth2ClientCredentialsAuthenticationToken authentication = new OAuth2ClientCredentialsAuthenticationToken(
+		OAuth2ClientAuthenticationToken clientPrincipal = new OAuth2ClientAuthenticationToken(
-				new OAuth2ClientAuthenticationToken("another-client-id", "another-secret"));
+				this.registeredClient.getClientId(), this.registeredClient.getClientSecret());
+		OAuth2ClientCredentialsAuthenticationToken authentication = new OAuth2ClientCredentialsAuthenticationToken(clientPrincipal);
 
 		assertThatThrownBy(() -> this.authenticationProvider.authenticate(authentication))
-				.isInstanceOf(OAuth2AuthenticationException.class);
+				.isInstanceOf(OAuth2AuthenticationException.class)
+				.extracting(ex -> ((OAuth2AuthenticationException) ex).getError())
+				.extracting("errorCode")
+				.isEqualTo(OAuth2ErrorCodes.INVALID_CLIENT);
 	}
 
 	@Test
-	public void authenticateWhenInvalidScopesThenThrowException() {
+	public void authenticateWhenInvalidScopeThenThrowOAuth2AuthenticationException() {
+		OAuth2ClientAuthenticationToken clientPrincipal = new OAuth2ClientAuthenticationToken(this.registeredClient);
 		OAuth2ClientCredentialsAuthenticationToken authentication = new OAuth2ClientCredentialsAuthenticationToken(
-				new OAuth2ClientAuthenticationToken(EXISTING_CLIENT), Collections.singleton("non-existing-scope"));
+				clientPrincipal, Collections.singleton("invalid-scope"));
 
 		assertThatThrownBy(() -> this.authenticationProvider.authenticate(authentication))
-				.isInstanceOf(OAuth2AuthenticationException.class);
+				.isInstanceOf(OAuth2AuthenticationException.class)
+				.extracting(ex -> ((OAuth2AuthenticationException) ex).getError())
+				.extracting("errorCode")
+				.isEqualTo(OAuth2ErrorCodes.INVALID_SCOPE);
 	}
 
-	private OAuth2ClientCredentialsAuthenticationToken getAuthentication() {
+	@Test
-		return new OAuth2ClientCredentialsAuthenticationToken(new OAuth2ClientAuthenticationToken(EXISTING_CLIENT), EXISTING_CLIENT.getScopes());
+	public void authenticateWhenScopeRequestedThenAccessTokenContainsScope() {
+		OAuth2ClientAuthenticationToken clientPrincipal = new OAuth2ClientAuthenticationToken(this.registeredClient);
+		Set<String> requestedScope = Collections.singleton("openid");
+		OAuth2ClientCredentialsAuthenticationToken authentication =
+				new OAuth2ClientCredentialsAuthenticationToken(clientPrincipal, requestedScope);
+
+		OAuth2AccessTokenAuthenticationToken accessTokenAuthentication =
+				(OAuth2AccessTokenAuthenticationToken) this.authenticationProvider.authenticate(authentication);
+		assertThat(accessTokenAuthentication.getAccessToken().getScopes()).isEqualTo(requestedScope);
+	}
+
+	@Test
+	public void authenticateWhenValidAuthenticationThenReturnAccessToken() {
+		OAuth2ClientAuthenticationToken clientPrincipal = new OAuth2ClientAuthenticationToken(this.registeredClient);
+		OAuth2ClientCredentialsAuthenticationToken authentication = new OAuth2ClientCredentialsAuthenticationToken(clientPrincipal);
+
+		OAuth2AccessTokenAuthenticationToken accessTokenAuthentication =
+				(OAuth2AccessTokenAuthenticationToken) this.authenticationProvider.authenticate(authentication);
+
+		ArgumentCaptor<OAuth2Authorization> authorizationCaptor = ArgumentCaptor.forClass(OAuth2Authorization.class);
+		verify(this.authorizationService).save(authorizationCaptor.capture());
+		OAuth2Authorization authorization = authorizationCaptor.getValue();
+
+		assertThat(authorization.getRegisteredClientId()).isEqualTo(clientPrincipal.getRegisteredClient().getId());
+		assertThat(authorization.getPrincipalName()).isEqualTo(clientPrincipal.getName());
+		assertThat(authorization.getAccessToken()).isNotNull();
+		assertThat(authorization.getAccessToken().getScopes()).isEqualTo(clientPrincipal.getRegisteredClient().getScopes());
+		assertThat(accessTokenAuthentication.getPrincipal()).isEqualTo(clientPrincipal);
+		assertThat(accessTokenAuthentication.getAccessToken()).isEqualTo(authorization.getAccessToken());
 	}
 }

core/src/test/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2ClientCredentialsAuthenticationTokenTests.java

@@ -13,24 +13,23 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-
 package org.springframework.security.oauth2.server.authorization.authentication;
 
+import org.junit.Test;
+import org.springframework.security.oauth2.server.authorization.client.TestRegisteredClients;
+
 import java.util.Collections;
 import java.util.Set;
 
-import org.junit.Test;
-
-import org.springframework.security.oauth2.server.authorization.client.TestRegisteredClients;
-
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatThrownBy;
 
 /**
+ * Tests for {@link OAuth2ClientCredentialsAuthenticationToken}.
+ *
  * @author Alexey Nesterov
  */
 public class OAuth2ClientCredentialsAuthenticationTokenTests {
-
 	private final OAuth2ClientAuthenticationToken clientPrincipal =
 			new OAuth2ClientAuthenticationToken(TestRegisteredClients.registeredClient().build());
 
@@ -43,15 +42,15 @@ public class OAuth2ClientCredentialsAuthenticationTokenTests {
 
 	@Test
 	public void constructorWhenScopesNullThenThrowIllegalArgumentException() {
-		assertThatThrownBy(() -> new OAuth2ClientCredentialsAuthenticationToken(clientPrincipal, null))
+		assertThatThrownBy(() -> new OAuth2ClientCredentialsAuthenticationToken(this.clientPrincipal, null))
 				.isInstanceOf(IllegalArgumentException.class)
 				.hasMessage("scopes cannot be null");
 	}
 
 	@Test
 	public void constructorWhenClientPrincipalProvidedThenCreated() {
-		OAuth2ClientCredentialsAuthenticationToken authentication
+		OAuth2ClientCredentialsAuthenticationToken authentication =
-				= new OAuth2ClientCredentialsAuthenticationToken(clientPrincipal);
+				new OAuth2ClientCredentialsAuthenticationToken(this.clientPrincipal);
 
 		assertThat(authentication.getPrincipal()).isEqualTo(this.clientPrincipal);
 		assertThat(authentication.getCredentials().toString()).isEmpty();
@@ -62,12 +61,11 @@ public class OAuth2ClientCredentialsAuthenticationTokenTests {
 	public void constructorWhenScopesProvidedThenCreated() {
 		Set<String> expectedScopes = Collections.singleton("test-scope");
 
-		OAuth2ClientCredentialsAuthenticationToken authentication
+		OAuth2ClientCredentialsAuthenticationToken authentication =
-				= new OAuth2ClientCredentialsAuthenticationToken(clientPrincipal, expectedScopes);
+				new OAuth2ClientCredentialsAuthenticationToken(this.clientPrincipal, expectedScopes);
 
 		assertThat(authentication.getPrincipal()).isEqualTo(this.clientPrincipal);
 		assertThat(authentication.getCredentials().toString()).isEmpty();
-		assertThat(authentication.getScopes()).containsAll(expectedScopes);
+		assertThat(authentication.getScopes()).isEqualTo(expectedScopes);
 	}
-
 }

core/src/test/java/org/springframework/security/oauth2/server/authorization/client/TestRegisteredClients.java

@@ -40,10 +40,13 @@ public class TestRegisteredClients {
 				.clientId("client-2")
 				.clientSecret("secret")
 				.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
+				.authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
 				.clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
 				.redirectUri("https://example.com")
 				.scope("openid")
 				.scope("profile")
-				.scope("email");
+				.scope("email")
+				.scope("scope1")
+				.scope("scope2");
 	}
 }

core/src/test/java/org/springframework/security/oauth2/server/authorization/web/DelegatingAuthorizationGrantAuthenticationConverterTests.java

@@ -13,84 +13,102 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-
 package org.springframework.security.oauth2.server.authorization.web;
 
-import javax.servlet.http.HttpServletRequest;
-import java.util.Collections;
-import java.util.Map;
-
 import org.junit.Before;
 import org.junit.Test;
-
 import org.springframework.core.convert.converter.Converter;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockServletContext;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.oauth2.core.AuthorizationGrantType;
+import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken;
+import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientCredentialsAuthenticationToken;
+import org.springframework.security.oauth2.server.authorization.client.TestRegisteredClients;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 
+import javax.servlet.http.HttpServletRequest;
+import java.util.Collections;
+import java.util.Map;
+
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
+import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.verifyNoInteractions;
 import static org.mockito.Mockito.when;
 
 /**
+ * Tests for {@link DelegatingAuthorizationGrantAuthenticationConverter}.
+ *
  * @author Alexey Nesterov
  */
 public class DelegatingAuthorizationGrantAuthenticationConverterTests {
-
+	private Converter<HttpServletRequest, Authentication> clientCredentialsAuthenticationConverter;
 	private DelegatingAuthorizationGrantAuthenticationConverter authenticationConverter;
-	private Converter<HttpServletRequest, Authentication> clientCredentialsConverterMock;
 
 	@Before
 	public void setUp() {
-		clientCredentialsConverterMock = mock(Converter.class);
+		this.clientCredentialsAuthenticationConverter = mock(Converter.class);
-		Map<AuthorizationGrantType, Converter<HttpServletRequest, Authentication>> converters
+		Map<AuthorizationGrantType, Converter<HttpServletRequest, Authentication>> converters =
-				= Collections.singletonMap(AuthorizationGrantType.CLIENT_CREDENTIALS, clientCredentialsConverterMock);
+				Collections.singletonMap(AuthorizationGrantType.CLIENT_CREDENTIALS, this.clientCredentialsAuthenticationConverter);
-		authenticationConverter = new DelegatingAuthorizationGrantAuthenticationConverter(converters);
+		this.authenticationConverter = new DelegatingAuthorizationGrantAuthenticationConverter(converters);
 	}
 
 	@Test
-	public void convertWhenAuthorizationGrantTypeSupportedThenConverterCalled() {
+	public void constructorWhenConvertersEmptyThenThrowIllegalArgumentException() {
-		MockHttpServletRequest request = MockMvcRequestBuilders
+		assertThatThrownBy(() -> new DelegatingAuthorizationGrantAuthenticationConverter(Collections.emptyMap()))
-				.post("/oauth/token")
+				.isInstanceOf(IllegalArgumentException.class)
-				.param("grant_type", "client_credentials")
+				.hasMessage("converters cannot be empty");
-				.buildRequest(new MockServletContext());
-
-		OAuth2ClientAuthenticationToken expectedAuthentication = new OAuth2ClientAuthenticationToken("id", "secret");
-		when(clientCredentialsConverterMock.convert(request)).thenReturn(expectedAuthentication);
-
-		Authentication actualAuthentication = authenticationConverter.convert(request);
-
-		verify(clientCredentialsConverterMock).convert(request);
-		assertThat(actualAuthentication).isEqualTo(expectedAuthentication);
 	}
 
 	@Test
-	public void convertWhenAuthorizationGrantTypeNotSupportedThenNull() {
+	public void convertWhenRequestNullThenThrowIllegalArgumentException() {
-		MockHttpServletRequest request = MockMvcRequestBuilders
+		assertThatThrownBy(() -> this.authenticationConverter.convert(null))
-				.post("/oauth/token")
+				.isInstanceOf(IllegalArgumentException.class)
-				.param("grant_type", "authorization_code")
+				.hasMessage("request cannot be null");
-				.buildRequest(new MockServletContext());
-
-		Authentication actualAuthentication = authenticationConverter.convert(request);
-
-		verifyNoInteractions(clientCredentialsConverterMock);
-		assertThat(actualAuthentication).isNull();
 	}
 
 	@Test
-	public void convertWhenNoAuthorizationGrantTypeThenNull() {
+	public void convertWhenGrantTypeMissingThenNull() {
 		MockHttpServletRequest request = MockMvcRequestBuilders
-				.post("/oauth/token")
+				.post(OAuth2TokenEndpointFilter.DEFAULT_TOKEN_ENDPOINT_URI)
 				.buildRequest(new MockServletContext());
 
-		Authentication actualAuthentication = authenticationConverter.convert(request);
+		Authentication authentication = this.authenticationConverter.convert(request);
+		assertThat(authentication).isNull();
+		verifyNoInteractions(this.clientCredentialsAuthenticationConverter);
+	}
 
-		verifyNoInteractions(clientCredentialsConverterMock);
+	@Test
-		assertThat(actualAuthentication).isNull();
+	public void convertWhenGrantTypeUnsupportedThenNull() {
+		MockHttpServletRequest request = MockMvcRequestBuilders
+				.post(OAuth2TokenEndpointFilter.DEFAULT_TOKEN_ENDPOINT_URI)
+				.param(OAuth2ParameterNames.GRANT_TYPE, "extension_grant_type")
+				.buildRequest(new MockServletContext());
+
+		Authentication authentication = this.authenticationConverter.convert(request);
+		assertThat(authentication).isNull();
+		verifyNoInteractions(this.clientCredentialsAuthenticationConverter);
+	}
+
+	@Test
+	public void convertWhenGrantTypeSupportedThenConverterCalled() {
+		OAuth2ClientCredentialsAuthenticationToken expectedAuthentication =
+				new OAuth2ClientCredentialsAuthenticationToken(
+						new OAuth2ClientAuthenticationToken(
+								TestRegisteredClients.registeredClient().build()));
+		when(this.clientCredentialsAuthenticationConverter.convert(any())).thenReturn(expectedAuthentication);
+
+		MockHttpServletRequest request = MockMvcRequestBuilders
+				.post(OAuth2TokenEndpointFilter.DEFAULT_TOKEN_ENDPOINT_URI)
+				.param(OAuth2ParameterNames.GRANT_TYPE, AuthorizationGrantType.CLIENT_CREDENTIALS.getValue())
+				.buildRequest(new MockServletContext());
+
+		Authentication authentication = this.authenticationConverter.convert(request);
+		assertThat(authentication).isEqualTo(expectedAuthentication);
+		verify(this.clientCredentialsAuthenticationConverter).convert(request);
 	}
 }

core/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2ClientCredentialsGrantTests.java

@@ -13,42 +13,49 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-
 package org.springframework.security.oauth2.server.authorization.web;
 
 import org.junit.Before;
 import org.junit.BeforeClass;
 import org.junit.Rule;
 import org.junit.Test;
-
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Import;
+import org.springframework.http.HttpHeaders;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.oauth2.server.authorization.OAuth2AuthorizationServerConfiguration;
 import org.springframework.security.config.test.SpringTestRule;
+import org.springframework.security.oauth2.core.AuthorizationGrantType;
+import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
 import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
 import org.springframework.security.oauth2.server.authorization.client.TestRegisteredClients;
 import org.springframework.test.web.servlet.MockMvc;
 
-import static org.hamcrest.CoreMatchers.endsWith;
+import java.net.URLEncoder;
+import java.nio.charset.StandardCharsets;
+import java.util.Base64;
+
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.eq;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.reset;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.verifyNoInteractions;
 import static org.mockito.Mockito.when;
 import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
-import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
 /**
+ * Integration tests for the OAuth 2.0 Client Credentials Grant.
+ *
  * @author Alexey Nesterov
  */
 public class OAuth2ClientCredentialsGrantTests {
-
 	private static RegisteredClientRepository registeredClientRepository;
 	private static OAuth2AuthorizationService authorizationService;
 
@@ -71,35 +78,46 @@ public class OAuth2ClientCredentialsGrantTests {
 	}
 
 	@Test
-	public void requestWhenTokenRequestAuthenticatedThenThenReturnTokenAndScope() throws Exception {
+	public void requestWhenTokenRequestNotAuthenticatedThenUnauthorized() throws Exception {
 		this.spring.register(AuthorizationServerConfiguration.class).autowire();
-		RegisteredClient client = TestRegisteredClients.registeredClient().build();
-		when(registeredClientRepository.findByClientId(client.getClientId()))
-				.thenReturn(client);
 
 		this.mvc.perform(post(OAuth2TokenEndpointFilter.DEFAULT_TOKEN_ENDPOINT_URI)
-					.with(httpBasic(client.getClientId(), client.getClientSecret()))
+				.param(OAuth2ParameterNames.GRANT_TYPE, AuthorizationGrantType.CLIENT_CREDENTIALS.getValue())
-					.with(csrf())
+				.with(csrf()))
-					.param("grant_type", "client_credentials")
+				.andExpect(status().isUnauthorized());
-					.param("scope", "email openid"))
+
-				.andExpect(status().isOk())
+		verifyNoInteractions(registeredClientRepository);
-				.andExpect(jsonPath("$.access_token").isNotEmpty())
+		verifyNoInteractions(authorizationService);
-				.andExpect(jsonPath("$.scope").value("openid email"));
 	}
 
 	@Test
-	public void requestWhenTokenRequestNotAuthenticatedThenRedirect() throws Exception {
+	public void requestWhenTokenRequestValidThenTokenResponse() throws Exception {
 		this.spring.register(AuthorizationServerConfiguration.class).autowire();
-		RegisteredClient client = TestRegisteredClients.registeredClient().build();
+
-		when(registeredClientRepository.findByClientId(client.getClientId()))
+		RegisteredClient registeredClient = TestRegisteredClients.registeredClient2().build();
-				.thenReturn(client);
+		when(registeredClientRepository.findByClientId(eq(registeredClient.getClientId())))
+				.thenReturn(registeredClient);
 
 		this.mvc.perform(post(OAuth2TokenEndpointFilter.DEFAULT_TOKEN_ENDPOINT_URI)
-				.with(csrf())
+				.param(OAuth2ParameterNames.GRANT_TYPE, AuthorizationGrantType.CLIENT_CREDENTIALS.getValue())
-				.param("grant_type", "client_credentials")
+				.param(OAuth2ParameterNames.SCOPE, "scope1 scope2")
-				.param("scope", "email openid"))
+				.header(HttpHeaders.AUTHORIZATION, "Basic " + encodeBasicAuth(
-				.andExpect(status().isFound())
+						registeredClient.getClientId(), registeredClient.getClientSecret()))
-				.andExpect(header().string("Location", endsWith("/login")));
+				.with(csrf()))
+				.andExpect(status().isOk())
+				.andExpect(jsonPath("$.access_token").isNotEmpty())
+				.andExpect(jsonPath("$.scope").value("scope1 scope2"));
+
+		verify(registeredClientRepository).findByClientId(eq(registeredClient.getClientId()));
+		verify(authorizationService).save(any());
+	}
+
+	private static String encodeBasicAuth(String clientId, String secret) throws Exception {
+		clientId = URLEncoder.encode(clientId, StandardCharsets.UTF_8.name());
+		secret = URLEncoder.encode(secret, StandardCharsets.UTF_8.name());
+		String credentialsString = clientId + ":" + secret;
+		byte[] encodedBytes = Base64.getEncoder().encode(credentialsString.getBytes(StandardCharsets.UTF_8));
+		return new String(encodedBytes, StandardCharsets.UTF_8);
 	}
 
 	@EnableWebSecurity

core/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2TokenEndpointFilterTests.java

@@ -19,7 +19,6 @@ import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
 import org.mockito.ArgumentCaptor;
-
 import org.springframework.http.HttpStatus;
 import org.springframework.http.converter.HttpMessageConverter;
 import org.springframework.mock.http.client.MockClientHttpResponse;
@@ -44,17 +43,15 @@ import org.springframework.security.oauth2.server.authorization.authentication.O
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientCredentialsAuthenticationToken;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
 import org.springframework.security.oauth2.server.authorization.client.TestRegisteredClients;
+import org.springframework.util.StringUtils;
 
 import javax.servlet.FilterChain;
-import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-import java.io.IOException;
 import java.time.Duration;
 import java.time.Instant;
 import java.util.Arrays;
 import java.util.HashSet;
-import java.util.function.Consumer;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatThrownBy;
@@ -140,58 +137,77 @@ public class OAuth2TokenEndpointFilterTests {
 
 	@Test
 	public void doFilterWhenTokenRequestMissingGrantTypeThenInvalidRequestError() throws Exception {
+		MockHttpServletRequest request = createAuthorizationCodeTokenRequest(
+				TestRegisteredClients.registeredClient().build());
+		request.removeParameter(OAuth2ParameterNames.GRANT_TYPE);
+
 		doFilterWhenTokenRequestInvalidParameterThenError(
-				OAuth2ParameterNames.GRANT_TYPE, OAuth2ErrorCodes.INVALID_REQUEST,
+				OAuth2ParameterNames.GRANT_TYPE, OAuth2ErrorCodes.INVALID_REQUEST, request);
-				request -> request.removeParameter(OAuth2ParameterNames.GRANT_TYPE));
 	}
 
 	@Test
 	public void doFilterWhenTokenRequestMultipleGrantTypeThenInvalidRequestError() throws Exception {
+		MockHttpServletRequest request = createAuthorizationCodeTokenRequest(
+				TestRegisteredClients.registeredClient().build());
+		request.addParameter(OAuth2ParameterNames.GRANT_TYPE, AuthorizationGrantType.AUTHORIZATION_CODE.getValue());
+
 		doFilterWhenTokenRequestInvalidParameterThenError(
-				OAuth2ParameterNames.GRANT_TYPE, OAuth2ErrorCodes.INVALID_REQUEST,
+				OAuth2ParameterNames.GRANT_TYPE, OAuth2ErrorCodes.INVALID_REQUEST, request);
-				request -> request.addParameter(OAuth2ParameterNames.GRANT_TYPE, AuthorizationGrantType.AUTHORIZATION_CODE.getValue()));
 	}
 
 	@Test
 	public void doFilterWhenTokenRequestInvalidGrantTypeThenUnsupportedGrantTypeError() throws Exception {
+		MockHttpServletRequest request = createAuthorizationCodeTokenRequest(
+				TestRegisteredClients.registeredClient().build());
+		request.setParameter(OAuth2ParameterNames.GRANT_TYPE, "invalid-grant-type");
+
 		doFilterWhenTokenRequestInvalidParameterThenError(
-				OAuth2ParameterNames.GRANT_TYPE, OAuth2ErrorCodes.UNSUPPORTED_GRANT_TYPE,
+				OAuth2ParameterNames.GRANT_TYPE, OAuth2ErrorCodes.UNSUPPORTED_GRANT_TYPE, request);
-				request -> request.setParameter(OAuth2ParameterNames.GRANT_TYPE, "invalid-grant-type"));
 	}
 
 	@Test
 	public void doFilterWhenTokenRequestMultipleClientIdThenInvalidRequestError() throws Exception {
-		doFilterWhenTokenRequestInvalidParameterThenError(
+		MockHttpServletRequest request = createAuthorizationCodeTokenRequest(
-				OAuth2ParameterNames.CLIENT_ID, OAuth2ErrorCodes.INVALID_REQUEST,
+				TestRegisteredClients.registeredClient().build());
-				request -> {
 		request.addParameter(OAuth2ParameterNames.CLIENT_ID, "client-1");
 		request.addParameter(OAuth2ParameterNames.CLIENT_ID, "client-2");
-				});
+
+		doFilterWhenTokenRequestInvalidParameterThenError(
+				OAuth2ParameterNames.CLIENT_ID, OAuth2ErrorCodes.INVALID_REQUEST, request);
 	}
 
 	@Test
 	public void doFilterWhenTokenRequestMissingCodeThenInvalidRequestError() throws Exception {
+		MockHttpServletRequest request = createAuthorizationCodeTokenRequest(
+				TestRegisteredClients.registeredClient().build());
+		request.removeParameter(OAuth2ParameterNames.CODE);
+
 		doFilterWhenTokenRequestInvalidParameterThenError(
-				OAuth2ParameterNames.CODE, OAuth2ErrorCodes.INVALID_REQUEST,
+				OAuth2ParameterNames.CODE, OAuth2ErrorCodes.INVALID_REQUEST, request);
-				request -> request.removeParameter(OAuth2ParameterNames.CODE));
 	}
 
 	@Test
 	public void doFilterWhenTokenRequestMultipleCodeThenInvalidRequestError() throws Exception {
+		MockHttpServletRequest request = createAuthorizationCodeTokenRequest(
+				TestRegisteredClients.registeredClient().build());
+		request.addParameter(OAuth2ParameterNames.CODE, "code-2");
+
 		doFilterWhenTokenRequestInvalidParameterThenError(
-				OAuth2ParameterNames.CODE, OAuth2ErrorCodes.INVALID_REQUEST,
+				OAuth2ParameterNames.CODE, OAuth2ErrorCodes.INVALID_REQUEST, request);
-				request -> request.addParameter(OAuth2ParameterNames.CODE, "code-2"));
 	}
 
 	@Test
 	public void doFilterWhenTokenRequestMultipleRedirectUriThenInvalidRequestError() throws Exception {
+		MockHttpServletRequest request = createAuthorizationCodeTokenRequest(
+				TestRegisteredClients.registeredClient().build());
+		request.addParameter(OAuth2ParameterNames.REDIRECT_URI, "https://example2.com");
+
 		doFilterWhenTokenRequestInvalidParameterThenError(
-				OAuth2ParameterNames.REDIRECT_URI, OAuth2ErrorCodes.INVALID_REQUEST,
+				OAuth2ParameterNames.REDIRECT_URI, OAuth2ErrorCodes.INVALID_REQUEST, request);
-				request -> request.addParameter(OAuth2ParameterNames.REDIRECT_URI, "https://example2.com"));
 	}
 
 	@Test
-	public void doFilterWhenTokenRequestValidThenAccessTokenResponse() throws Exception {
+	public void doFilterWhenAuthorizationCodeTokenRequestValidThenAccessTokenResponse() throws Exception {
 		RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build();
 		Authentication clientPrincipal = new OAuth2ClientAuthenticationToken(registeredClient);
 		OAuth2AccessToken accessToken = new OAuth2AccessToken(
@@ -208,7 +224,7 @@ public class OAuth2TokenEndpointFilterTests {
 		securityContext.setAuthentication(clientPrincipal);
 		SecurityContextHolder.setContext(securityContext);
 
-		MockHttpServletRequest request = createTokenRequest(registeredClient);
+		MockHttpServletRequest request = createAuthorizationCodeTokenRequest(registeredClient);
 		MockHttpServletResponse response = new MockHttpServletResponse();
 		FilterChain filterChain = mock(FilterChain.class);
 
@@ -242,38 +258,24 @@ public class OAuth2TokenEndpointFilterTests {
 	}
 
 	@Test
-	public void doFilterWhenGrantTypeIsClientCredentialsThenAuthenticateWithClientCredentialsToken() throws ServletException, IOException {
+	public void doFilterWhenTokenRequestMultipleScopeThenInvalidRequestError() throws Exception {
-		RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build();
+		RegisteredClient registeredClient = TestRegisteredClients.registeredClient2().build();
-		doFilterForClientCredentialsGrant(registeredClient, null);
+		Authentication clientPrincipal = new OAuth2ClientAuthenticationToken(registeredClient);
 
-		ArgumentCaptor<Authentication> captor = ArgumentCaptor.forClass(Authentication.class);
+		SecurityContext securityContext = SecurityContextHolder.createEmptyContext();
-		verify(this.authenticationManager).authenticate(captor.capture());
+		securityContext.setAuthentication(clientPrincipal);
+		SecurityContextHolder.setContext(securityContext);
 
-		assertThat(captor.getValue()).isInstanceOf(OAuth2ClientCredentialsAuthenticationToken.class);
+		MockHttpServletRequest request = createClientCredentialsTokenRequest(registeredClient);
-		OAuth2ClientCredentialsAuthenticationToken clientAuthenticationToken = (OAuth2ClientCredentialsAuthenticationToken) captor.getValue();
+		request.addParameter(OAuth2ParameterNames.SCOPE, "profile");
 
-		assertThat(clientAuthenticationToken.getPrincipal()).isEqualTo(new OAuth2ClientAuthenticationToken(registeredClient));
+		doFilterWhenTokenRequestInvalidParameterThenError(
+				OAuth2ParameterNames.SCOPE, OAuth2ErrorCodes.INVALID_REQUEST, request);
 	}
 
 	@Test
-	public void doFilterWhenGrantTypeIsClientCredentialsWithScopeThenIncludeScopeInResponse() throws ServletException, IOException {
+	public void doFilterWhenClientCredentialsTokenRequestValidThenAccessTokenResponse() throws Exception {
-		RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build();
+		RegisteredClient registeredClient = TestRegisteredClients.registeredClient2().build();
-		doFilterForClientCredentialsGrant(registeredClient, "openid email");
-
-		ArgumentCaptor<Authentication> captor = ArgumentCaptor.forClass(Authentication.class);
-		verify(this.authenticationManager).authenticate(captor.capture());
-
-		assertThat(captor.getValue()).isInstanceOf(OAuth2ClientCredentialsAuthenticationToken.class);
-		OAuth2ClientCredentialsAuthenticationToken clientAuthenticationToken = (OAuth2ClientCredentialsAuthenticationToken) captor.getValue();
-
-		HashSet<String> expectedScopes = new HashSet<>();
-		expectedScopes.add("openid");
-		expectedScopes.add("email");
-
-		assertThat(clientAuthenticationToken.getScopes()).isEqualTo(expectedScopes);
-	}
-
-	private void doFilterForClientCredentialsGrant(RegisteredClient registeredClient, String scope) throws ServletException, IOException {
 		Authentication clientPrincipal = new OAuth2ClientAuthenticationToken(registeredClient);
 		OAuth2AccessToken accessToken = new OAuth2AccessToken(
 				OAuth2AccessToken.TokenType.BEARER, "token",
@@ -282,35 +284,46 @@ public class OAuth2TokenEndpointFilterTests {
 		OAuth2AccessTokenAuthenticationToken accessTokenAuthentication =
 				new OAuth2AccessTokenAuthenticationToken(
 						registeredClient, clientPrincipal, accessToken);
-		final String clientId = registeredClient.getClientId();
-		final String clientSecret = registeredClient.getClientSecret();
-
-		MockHttpServletRequest request = new MockHttpServletRequest("POST", OAuth2TokenEndpointFilter.DEFAULT_TOKEN_ENDPOINT_URI);
-		request.setServletPath(OAuth2TokenEndpointFilter.DEFAULT_TOKEN_ENDPOINT_URI);
-		request.addParameter("client_id", clientId);
-		request.addParameter("client_secret", clientSecret);
-		request.addParameter("grant_type", AuthorizationGrantType.CLIENT_CREDENTIALS.getValue());
-		if (scope != null) {
-			request.addParameter("scope", scope);
-		}
 
 		when(this.authenticationManager.authenticate(any())).thenReturn(accessTokenAuthentication);
 
-		SecurityContext context = SecurityContextHolder.createEmptyContext();
+		SecurityContext securityContext = SecurityContextHolder.createEmptyContext();
-		context.setAuthentication(new OAuth2ClientAuthenticationToken(registeredClient));
+		securityContext.setAuthentication(clientPrincipal);
-		SecurityContextHolder.setContext(context);
+		SecurityContextHolder.setContext(securityContext);
 
+		MockHttpServletRequest request = createClientCredentialsTokenRequest(registeredClient);
 		MockHttpServletResponse response = new MockHttpServletResponse();
-		filter.doFilter(request, response, mock(FilterChain.class));
+		FilterChain filterChain = mock(FilterChain.class);
+
+		this.filter.doFilter(request, response, filterChain);
+
+		verifyNoInteractions(filterChain);
+
+		ArgumentCaptor<OAuth2ClientCredentialsAuthenticationToken> clientCredentialsAuthenticationCaptor =
+				ArgumentCaptor.forClass(OAuth2ClientCredentialsAuthenticationToken.class);
+		verify(this.authenticationManager).authenticate(clientCredentialsAuthenticationCaptor.capture());
+
+		OAuth2ClientCredentialsAuthenticationToken clientCredentialsAuthentication =
+				clientCredentialsAuthenticationCaptor.getValue();
+		assertThat(clientCredentialsAuthentication.getPrincipal()).isEqualTo(clientPrincipal);
+		assertThat(clientCredentialsAuthentication.getScopes()).isEqualTo(registeredClient.getScopes());
+
+		assertThat(response.getStatus()).isEqualTo(HttpStatus.OK.value());
+		OAuth2AccessTokenResponse accessTokenResponse = readAccessTokenResponse(response);
+
+		OAuth2AccessToken accessTokenResult = accessTokenResponse.getAccessToken();
+		assertThat(accessTokenResult.getTokenType()).isEqualTo(accessToken.getTokenType());
+		assertThat(accessTokenResult.getTokenValue()).isEqualTo(accessToken.getTokenValue());
+		assertThat(accessTokenResult.getIssuedAt()).isBetween(
+				accessToken.getIssuedAt().minusSeconds(1), accessToken.getIssuedAt().plusSeconds(1));
+		assertThat(accessTokenResult.getExpiresAt()).isBetween(
+				accessToken.getExpiresAt().minusSeconds(1), accessToken.getExpiresAt().plusSeconds(1));
+		assertThat(accessTokenResult.getScopes()).isEqualTo(accessToken.getScopes());
 	}
 
 	private void doFilterWhenTokenRequestInvalidParameterThenError(String parameterName, String errorCode,
-			Consumer<MockHttpServletRequest> requestConsumer) throws Exception {
+			MockHttpServletRequest request) throws Exception {
 
-		RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build();
-
-		MockHttpServletRequest request = createTokenRequest(registeredClient);
-		requestConsumer.accept(request);
 		MockHttpServletResponse response = new MockHttpServletResponse();
 		FilterChain filterChain = mock(FilterChain.class);
 
@@ -336,7 +349,7 @@ public class OAuth2TokenEndpointFilterTests {
 		return this.accessTokenHttpResponseConverter.read(OAuth2AccessTokenResponse.class, httpResponse);
 	}
 
-	private static MockHttpServletRequest createTokenRequest(RegisteredClient registeredClient) {
+	private static MockHttpServletRequest createAuthorizationCodeTokenRequest(RegisteredClient registeredClient) {
 		String[] redirectUris = registeredClient.getRedirectUris().toArray(new String[0]);
 
 		String requestUri = OAuth2TokenEndpointFilter.DEFAULT_TOKEN_ENDPOINT_URI;
@@ -349,4 +362,16 @@ public class OAuth2TokenEndpointFilterTests {
 
 		return request;
 	}
+
+	private static MockHttpServletRequest createClientCredentialsTokenRequest(RegisteredClient registeredClient) {
+		String requestUri = OAuth2TokenEndpointFilter.DEFAULT_TOKEN_ENDPOINT_URI;
+		MockHttpServletRequest request = new MockHttpServletRequest("POST", requestUri);
+		request.setServletPath(requestUri);
+
+		request.addParameter(OAuth2ParameterNames.GRANT_TYPE, AuthorizationGrantType.CLIENT_CREDENTIALS.getValue());
+		request.addParameter(OAuth2ParameterNames.SCOPE,
+				StringUtils.collectionToDelimitedString(registeredClient.getScopes(), " "));
+
+		return request;
+	}
 }