
OIDC token-request client-secret %3D instead of = for padding #17629

@SebastianDietrich

Description

When sending an OIDC token-request including client-secret (and client-id), the configured client-secret is changed: any ending = is converted to %3D.

To Reproduce
Authenticate against an OIDC provider that requires
spring.security.oauth2.client.registration.<provider>.client-authentication-method=client_secret_post
with a client-secret that ends with the padding character =

That will result in a token-request where the padding character is replaced by Unicode %3D.

Expected behavior
Padding character for client-id should not be converted to Unicode.
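
For reference when comparing what is configured with what appears on the wire, an added example (not from the issue author and not Spring Security's own code): with client_secret_post the credentials travel in an application/x-www-form-urlencoded request body (RFC 6749), and this sketch serializes and parses such a body using only the JDK. The class name, parameter values and the sample secret are constructed for illustration.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.StringJoiner;

public class TokenRequestEncodingDemo {
    // Client side: serialize parameters as application/x-www-form-urlencoded.
    static String encodeForm(Map<String, String> params) {
        StringJoiner body = new StringJoiner("&");
        for (Map.Entry<String, String> e : params.entrySet()) {
            body.add(URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8) + "="
                    + URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
        }
        return body.toString();
    }

    // Receiver side: split on literal '&' and the first '=', then percent-decode each part.
    static Map<String, String> decodeForm(String body) {
        Map<String, String> params = new LinkedHashMap<>();
        for (String pair : body.split("&")) {
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(URLDecoder.decode(name, StandardCharsets.UTF_8),
                    URLDecoder.decode(value, StandardCharsets.UTF_8));
        }
        return params;
    }

    public static void main(String[] args) {
        String configuredSecret = "c2FtcGxlLXNlY3JldA=="; // constructed sample, not a real credential
        Map<String, String> request = new LinkedHashMap<>();
        request.put("grant_type", "authorization_code");
        request.put("code", "sample-code");           // constructed
        request.put("client_id", "sample-client");     // constructed
        request.put("client_secret", configuredSecret);

        String wire = encodeForm(request);
        System.out.println("wire body: " + wire);
        String received = decodeForm(wire).get("client_secret");
        System.out.println("decoded secret equals configured: " + received.equals(configuredSecret));
        // A receiver that compares the undecoded value sees a different string.
        String raw = wire.substring(wire.indexOf("client_secret=") + "client_secret=".length());
        System.out.println("raw secret equals configured: " + raw.equals(configuredSecret));
    }
}
```

Running it prints the serialized body and whether the decoded and undecoded forms of the secret match the configured value, which helps locate where a mismatch is introduced when a provider rejects the request.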
