From 72d7fb195e1c57a44deb07b8ef8229a8813294d3 Mon Sep 17 00:00:00 2001 From: MrJovanovic13 <34819606+MrJovanovic13@users.noreply.github.com> Date: Tue, 23 Jul 2024 00:45:03 +0200 Subject: [PATCH] Fix json deserialization of multi-valued authorization request parameters Closes gh-1666 --- ...uth2AuthorizationServerJackson2Module.java | 5 ++- .../jackson2/StringArrayMixin.java | 35 +++++++++++++++++++ ...uthorizationServerJackson2ModuleTests.java | 13 ++++++- 3 files changed, 51 insertions(+), 2 deletions(-) create mode 100644 oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/StringArrayMixin.java diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/OAuth2AuthorizationServerJackson2Module.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/OAuth2AuthorizationServerJackson2Module.java index e9a58b12..cba02543 100644 --- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/OAuth2AuthorizationServerJackson2Module.java +++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/OAuth2AuthorizationServerJackson2Module.java @@ -1,5 +1,5 @@ /* - * Copyright 2020-2022 the original author or authors. + * Copyright 2020-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -40,6 +40,7 @@ import org.springframework.security.oauth2.server.authorization.settings.OAuth2T *
  • {@link DurationMixin}
  • *
  • {@link JwsAlgorithmMixin}
  • *
  • {@link OAuth2TokenFormatMixin}
  • + *
  • {@link StringArrayMixin}
  • * * * If not already enabled, default typing will be automatically enabled as type info is @@ -63,6 +64,7 @@ import org.springframework.security.oauth2.server.authorization.settings.OAuth2T * @see DurationMixin * @see JwsAlgorithmMixin * @see OAuth2TokenFormatMixin + * @see StringArrayMixin */ public class OAuth2AuthorizationServerJackson2Module extends SimpleModule { @@ -82,6 +84,7 @@ public class OAuth2AuthorizationServerJackson2Module extends SimpleModule { context.setMixInAnnotations(SignatureAlgorithm.class, JwsAlgorithmMixin.class); context.setMixInAnnotations(MacAlgorithm.class, JwsAlgorithmMixin.class); context.setMixInAnnotations(OAuth2TokenFormat.class, OAuth2TokenFormatMixin.class); + context.setMixInAnnotations(String[].class, StringArrayMixin.class); } } diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/StringArrayMixin.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/StringArrayMixin.java new file mode 100644 index 00000000..48bc7980 --- /dev/null +++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/StringArrayMixin.java 
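Review bot: The added `context.setMixInAnnotations(String[].class, StringArrayMixin.class);` in the last hunk of this file binds a mixin to a JDK type, so it applies to every `String[]` handled by any `ObjectMapper` this module is registered on, not only to authorization request parameters. Because the mixin carries `@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)`, such arrays will presumably be written with a class-name type id from now on, which changes the JSON shape. A comment above the line would record why the registration exists, for example `// gh-1666: multi-valued request parameters are String[] and need type info to round-trip`. The enclosing method starts outside the hunk.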
@@ -0,0 +1,35 @@
+/*
+ * Copyright 2020-2024 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.oauth2.server.authorization.jackson2;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonTypeInfo;
+
+/**
+ * This mixin class is used to serialize/deserialize {@link String} array.
+ *
+ * @author Nikola Jovanovic
+ * @since 1.2.6
+ * @see String
+ */
+@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
+abstract class StringArrayMixin {
+
+ @JsonCreator
+ StringArrayMixin(String[] array) {
+ }
+
+}
diff --git a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/jackson2/OAuth2AuthorizationServerJackson2ModuleTests.java b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/jackson2/OAuth2AuthorizationServerJackson2ModuleTests.java
index c5df9e6d..34580d17 100644
--- a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/jackson2/OAuth2AuthorizationServerJackson2ModuleTests.java
+++ b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/jackson2/OAuth2AuthorizationServerJackson2ModuleTests.java
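Review bot: The Javadoc on `StringArrayMixin` says only that the class serializes and deserializes a `String` array, which does not tell a maintainer why a JDK array type needs a mixin at all, and `@see String` adds nothing. If the purpose is to let `String[]` carry type information under the default typing that the module Javadoc mentions, state that, for example `Registers {@code String[]} so that multi-valued authorization request parameters keep their type information and can be read back (gh-1666).` The `@JsonCreator` constructor has an empty body and an unused parameter; a one-line comment that it exists only as a Jackson marker would keep it from being removed as dead code. Since `JsonTypeInfo.Id.CLASS` means a class name is read from the stored JSON, the Javadoc should also note that this relies on type ids being restricted to known types by the mapper configuration, which is not visible in this patch.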
@@ -1,5 +1,5 @@ /* - * Copyright 2020-2022 the original author or authors. + * Copyright 2020-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -43,6 +43,9 @@ public class OAuth2AuthorizationServerJackson2ModuleTests { private static final TypeReference> STRING_SET = new TypeReference>() { }; + private static final TypeReference STRING_ARRAY = new TypeReference() { + }; + private ObjectMapper objectMapper; @BeforeEach @@ -73,4 +76,12 @@ public class OAuth2AuthorizationServerJackson2ModuleTests { assertThat(this.objectMapper.readValue(json, STRING_SET)).isEqualTo(set); } + // gh-1666 + @Test + public void readValueWhenStringArrayThenSuccess() throws Exception { + String[] array = new String[] { "one", "two" }; + String json = this.objectMapper.writeValueAsString(array); + assertThat(this.objectMapper.readValue(json, STRING_ARRAY)).isEqualTo(array); + } + }
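Review bot: `readValueWhenStringArrayThenSuccess` round-trips a bare array and hands the target type to `readValue` through `STRING_ARRAY`, so it does not exercise the case named in the commit subject, where the array sits among authorization request parameters and the declared value type is presumably `Object`. A second test that stores the array as a map value and reads the map back would pin the actual regression; a sketch follows, assuming `Map` and `HashMap` are imported in the test class. It would also help to assert what happens to JSON in the pre-change shape (a plain array with no type id), so the behaviour for already-stored authorizations is documented by a test.

```java
// … unchanged: readValueWhenStringArrayThenSuccess …

	// gh-1666
	@Test
	public void readValueWhenMapWithStringArrayValueThenSuccess() throws Exception {
		String[] array = new String[] { "one", "two" };
		Map<String, Object> parameters = new HashMap<>();
		parameters.put("param", array);
		String json = this.objectMapper.writeValueAsString(parameters);
		Map<String, Object> result = this.objectMapper.readValue(json, new TypeReference<Map<String, Object>>() {
		});
		assertThat(result.get("param")).isEqualTo(array);
	}
```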