From c5abcd1fcd5fc6ce73afbacbf9d29652e29955a8 Mon Sep 17 00:00:00 2001
From: Rob Winch
Date: Tue, 17 Oct 2017 20:24:43 -0500
Subject: [PATCH] DefaultAuthorizationRequestUriBuilder uses StringUtils

Fixes gh-4642
---
 ...DefaultAuthorizationRequestUriBuilder.java | 7 +--
 ...ltAuthorizationRequestUriBuilderTests.java | 51 +++++++++++++++++++
 2 files changed, 55 insertions(+), 3 deletions(-)
 create mode 100644 oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/DefaultAuthorizationRequestUriBuilderTests.java

diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/DefaultAuthorizationRequestUriBuilder.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/DefaultAuthorizationRequestUriBuilder.java
index 6234509317..03d8abc52d 100644
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/DefaultAuthorizationRequestUriBuilder.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/DefaultAuthorizationRequestUriBuilder.java
@@ -17,10 +17,11 @@ package org.springframework.security.oauth2.client.web;
 
 import org.springframework.security.oauth2.core.endpoint.AuthorizationRequest;
 import org.springframework.security.oauth2.core.endpoint.OAuth2Parameter;
+import org.springframework.util.StringUtils;
 import org.springframework.web.util.UriComponentsBuilder;
 
 import java.net.URI;
-import java.util.stream.Collectors;
+import java.util.Set;
 
 /**
  * The default implementation of an {@link AuthorizationRequestUriBuilder},
@@ -36,12 +37,12 @@ public class DefaultAuthorizationRequestUriBuilder implements AuthorizationReque
 
 @Override
 public URI build(AuthorizationRequest authorizationRequest) {
+ Set scopes = authorizationRequest.getScope();
 UriComponentsBuilder uriBuilder = UriComponentsBuilder
 .fromUriString(authorizationRequest.getAuthorizationUri())
 .queryParam(OAuth2Parameter.RESPONSE_TYPE, authorizationRequest.getResponseType().getValue())
 .queryParam(OAuth2Parameter.CLIENT_ID, authorizationRequest.getClientId())
- .queryParam(OAuth2Parameter.SCOPE,
- authorizationRequest.getScope().stream().collect(Collectors.joining(" ")))
+ .queryParam(OAuth2Parameter.SCOPE, StringUtils.collectionToDelimitedString(scopes, " "))
 .queryParam(OAuth2Parameter.STATE, authorizationRequest.getState());
 if (authorizationRequest.getRedirectUri() != null) {
 uriBuilder.queryParam(OAuth2Parameter.REDIRECT_URI, authorizationRequest.getRedirectUri());
diff --git a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/DefaultAuthorizationRequestUriBuilderTests.java b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/DefaultAuthorizationRequestUriBuilderTests.java
new file mode 100644
index 0000000000..1b4501624a
--- /dev/null
+++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/DefaultAuthorizationRequestUriBuilderTests.java
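Review bot: When `scopes` is null or empty, `StringUtils.collectionToDelimitedString(scopes, " ")` returns an empty string, so the chained `.queryParam(OAuth2Parameter.SCOPE, ...)` still puts a bare `scope=` on the authorization request instead of leaving the parameter out. Scope is an optional request parameter, and an authorization server need not treat an empty value the same as an omitted one, so I would take it out of the chain and guard it the way `redirect_uri` is guarded just below: `if (!CollectionUtils.isEmpty(scopes)) { uriBuilder.queryParam(OAuth2Parameter.SCOPE, StringUtils.collectionToDelimitedString(scopes, " ")); }` (this needs the `org.springframework.util.CollectionUtils` import). Whether `getScope()` can actually return null or an empty set is not visible in this hunk, and the body of `build` continues past its last line.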
@@ -0,0 +1,51 @@
+/*
+ * Copyright 2002-2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.oauth2.client.web;
+
+import org.junit.Test;
+import org.springframework.security.oauth2.core.endpoint.AuthorizationRequest;
+
+import java.net.URI;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashSet;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+/**
+ * @author Rob Winch
+ * @since 5.0
+ */
+public class DefaultAuthorizationRequestUriBuilderTests {
+ private DefaultAuthorizationRequestUriBuilder builder = new DefaultAuthorizationRequestUriBuilder();
+
+ @Test
+ public void buildWhenScopeMultiThenSeparatedByEncodedSpace() {
+ AuthorizationRequest request = AuthorizationRequest.implicit()
+ .additionalParameters(Collections.singletonMap("foo","bar"))
+ .authorizationUri("https://idp.example.com/oauth2/v2/auth")
+ .clientId("client-id")
+ .state("thestate")
+ .redirectUri("https://client.example.com/login/oauth2")
+ .scope(new HashSet<>(Arrays.asList("openid", "user")))
+ .build();
+
+ URI result = this.builder.build(request);
+
+ assertThat(result.toASCIIString()).isEqualTo("https://idp.example.com/oauth2/v2/auth?response_type=token&client_id=client-id&scope=openid%20user&state=thestate&redirect_uri=https://client.example.com/login/oauth2");
+ }
+}
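Review bot: The expected URI in `buildWhenScopeMultiThenSeparatedByEncodedSpace` depends on the iteration order of a `HashSet`, which the collection contract does not guarantee, so `scope=openid%20user` holds only as long as "openid" happens to iterate before "user". Building the scopes with `new LinkedHashSet<>(Arrays.asList("openid", "user"))` and importing `java.util.LinkedHashSet` in place of `java.util.HashSet` pins the order the assertion relies on. The test also exercises only the multi-scope case; if the request type allows it, a case with no scopes and one with a parameter value containing `&` or `=` would pin the empty-scope handling and the query encoding that this builder is responsible for.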