Fix parameter duplication in JWT Bearer grant requests causing AADSTS70003 errors #47666
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
* checkout from speech-transcription folder * update after renaming * refactoring * Updated dependency versions * fix spell check * Add spell check dictionary entries and version configuration * test cusomization * renamed setmodels to clarify * map from int to duration * add ci and pom.xml and retest customization * fix enable field * fix enable field * move AudioFileDetails into TranscriptionOptions and add 2 constructor overloads * update test * change constructor to transcribe(TranscriptionOptions options) * update test * fix linting * add codeowner * add codeowner * add release date * update changelog * add response * update sample, readme, tests * update tsp files * update version_client * regenerate sdk from typespec * adding javadoc for customized function * update samples * fix cspell * fix cspell * fix codeownerlint * fix cspell * fix codeowner lint * update tests * update broken links * checkout cspell * update readme and modify enabled property for EnhancedModeOptions * modify enhanceed mode customization * modify enhanceed mode customization and update readme * created a new service directory to put all the transcription SDK's under * update tsp commit * fetch previous recording * redo recording test * undo changes to pom.xml in previous package service
* prepare release * changelog.md
…nalinsights/resource-manager/Microsoft.OperationalInsights/OperationalInsights/readme.md#package-2025-07-01 (#47589) * [Automation] External Change * [Automation] Generate Fluent Lite from Swagger specification/operationalinsights/resource-manager/Microsoft.OperationalInsights/OperationalInsights/readme.md#package-2025-07-01 * use 2.0.0 --------- Co-authored-by: Xiaofei Cao (from Dev Box) <[email protected]>
Co-authored-by: Ben Broderick Phillips <[email protected]>
…25.0.1 (#47608) * Upgrade external dependencies to align with Spring Boot 3.5.9 * Add a new word in .vscode/cspell.json: xmlparserv * fix IT --------- Co-authored-by: github-actions <[email protected]> Co-authored-by: Rujun Chen <[email protected]>
….yaml', API Version: 2025-03-21, SDK Release Type: stable, and CommitSHA: 'be36de931322b23890d3353e06bcc6ad34212877' in SpecRepo: 'https://github.com/Azure/azure-rest-api-specs' Pipeline run: https://dev.azure.com/azure-sdk/internal/_build/results?buildId=5707780 Refer to https://eng.ms/docs/products/azure-developer-experience/develop/sdk-release/sdk-release-prerequisites to prepare for SDK release. (#47609) Co-authored-by: KajalSethi <[email protected]>
…nalinsights/resource-manager/Microsoft.OperationalInsights/OperationalInsights/readme.md#package-2025-07-01 (#47617)
* Fix unsafe deserialization * add changelog * revert changes * revert changes * change Allowed Classes to not be hard coded strings * fix tests and filter on byte array as well * fix indentation * react to comments
…n - Java-5709943 (#47613) * Configurations: 'specification/healthbot/HealthBot.Management/tspconfig.yaml', API Version: 2025-11-01, SDK Release Type: stable, and CommitSHA: '16c5a93d4e3e6d4cec95c969991fd65cb3458327' in SpecRepo: 'https://github.com/Azure/azure-rest-api-specs' Pipeline run: https://dev.azure.com/azure-sdk/internal/_build/results?buildId=5709943 Refer to https://eng.ms/docs/products/azure-developer-experience/develop/sdk-release/sdk-release-prerequisites to prepare for SDK release. * Update pom.xml * Configurations: 'specification/healthbot/HealthBot.Management/tspconfig.yaml', API Version: 2025-11-01, SDK Release Type: stable, and CommitSHA: '53d56e4ec74156c450d1e51745a971d3f2031dd7' in SpecRepo: 'https://github.com/Azure/azure-rest-api-specs' Pipeline run: https://dev.azure.com/azure-sdk/internal/_build/results?buildId=5717194 Refer to https://eng.ms/docs/products/azure-developer-experience/develop/sdk-release/sdk-release-prerequisites to prepare for SDK release. * Update pom.xml --------- Co-authored-by: Weidong Xu <[email protected]>
Co-authored-by: Connie Yau <[email protected]>
* feat(redis): add support to disable local authentication - Implemented `localAuthDisabled()` method to check if local auth is disabled - Added `disableLocalAuth()` method to disable SAS authentication - Updated Redis cache definition and update stages to include local auth settings - Modified tests to verify local auth disable functionality - Extended Redis cache models to support local authentication configuration - Integrated local auth settings into Redis cache creation and update flows * test(redis): remove disableLocalAuth calls in tests - Removed disableLocalAuth() from Redis cache update operations - Commented out Redis configuration backup settings and assertions - Simplified test cases by removing redundant local auth disabling - Updated public network access test to match new behavior - Maintained core Redis cache functionality verification * fix(redis): correct disableLocalAuth implementation for create and update modes - Updated disableLocalAuth to properly set authentication flag during create mode - Updated disableLocalAuth to properly set authentication flag during update mode - Removed redundant disableLocalAuth call in test updates - Added assertions to verify local auth disabled state after creation - Enabled AAD configuration in multiple test scenarios for comprehensive coverage * fix(redis): remove non-SSL port configuration from tests - Removed deprecated `withNonSslPort()` method calls in Redis cache setup - Updated test configurations to align with current SSL-only requirements - Ensured firewall rules and other configurations remain unchanged - Verified that all existing test cases pass without non-SSL port dependency * fix(redis): update Redis cache AOF backup configuration - Replace hardcoded connection string with storage account blob endpoint - Add managed identity authentication for data persistence - Disable secondary AOF storage connection string validation - Maintain AOF backup enabled configuration - Keep local auth disabled and AAD enabled settings * test(redis): update RedisCacheOperationsTests to use managed identity for RDB backup configuration * test(redis): simplify Redis configuration in RedisCacheOperationsTests * chore(redis): update assets tag for azure-resourcemanager-redis Update the assets tag from 87b73bc96e to 4829c91ebd in the assets.json file for the redis resource manager package. * ``` docs(redis): update Redis cache documentation to use correct terminology - change "Redis namespace" to "Redis cache" in interface documentation - update method descriptions to reference Redis cache instead of namespace - correct return type descriptions to use "Redis cache definition" terminology - maintain consistent documentation across both creation and update stages ``` * refactor(test): remove unused storage connection string code in Redis cache tests - Remove commented out storage connection string generation code - Remove unused connectionString variable declaration - Remove commented out Redis configuration lines for aof-storage-connection-string-0 and aof-storage-connection-string-1 - Remove commented out assertion for aofStorageConnectionString1 - Clean up redundant test code that was not being used * feat(redis): add enableLocalAuth method to Redis cache implementation - Implemented enableLocalAuth method in RedisCacheImpl to enable SAS authentication - Added disableAccessKeyAuthentication(false) setting for both create and update modes - Added enableLocalAuth default method to RedisCache interface with proper Javadoc - Updated test case with proper method chaining for Redis cache configuration - Maintained consistency with existing disableLocalAuth functionality * refactor(tests): remove unused AzureEnvironment import - Removed unused AzureEnvironment import from RedisCacheOperationsTests.java - Cleaned up import statements to remove redundant dependency * refactor(redis): rename localAuth to accessKeyAuthentication methods and interfaces - Renamed localAuthDisabled() to withAccessKeyAuthentication() in RedisCache interface - Renamed disableLocalAuth() to disableAccessKeyAuthentication() in WithAccessKeyAuthentication interface - Renamed enableLocalAuth() to enableAccessKeyAuthentication() in WithAccessKeyAuthentication interface - Updated WithCreate interface to extend WithAccessKeyAuthentication instead of WithLocalAuth - Updated Update interface to extend WithAccessKeyAuthentication instead of WithLocalAuth - Changed method calls in test class from disableLocalAuth() to disableAccessKeyAuthentication() - Updated assertion to check withAccessKeyAuthentication() instead of localAuthDisabled() * refactor(redis): rename withAccessKeyAuthentication to isAccessKeyAuthenticationEnabled - Renamed method from withAccessKeyAuthentication to isAccessKeyAuthenticationEnabled in RedisCacheImpl - Updated default method name in RedisCache interface - Changed method reference in test assertions to use new method name - Maintained same functionality while improving method naming consistency * style(redis): format code according to team style guide - Standardized indentation and spacing in method implementations - Organized interface declarations with proper line breaks - Removed redundant blank lines and whitespace - Applied consistent formatting to method chaining in test cases - Aligned code structure with established style patterns - Improved readability through standardized formatting practices * fix(redis): correct access key authentication logic - Fixed isAccessKeyAuthenticationEnabled method to return correct boolean value - Added negation to ResourceManagerUtils.toPrimitiveBoolean call - Updated test assertion to match corrected authentication logic - Removed unnecessary blank line in test file * test(redis): remove unused import statement in RedisCacheOperationsTests - Removed commented out importData test code - Cleaned up whitespace in test file * docs(redis): update access key authentication documentation - Clarify that authentication through access keys is disabled when set as true - Update return documentation to reflect access keys instead of local auth - Modify stage interface descriptions to reference access keys rather than local auth * Update sdk/redis/azure-resourcemanager-redis/src/main/java/com/azure/resourcemanager/redis/models/RedisCache.java Co-authored-by: Xiaofei Cao <[email protected]> * Apply suggestions from code review Co-authored-by: Xiaofei Cao <[email protected]> * Apply suggestions from code review Co-authored-by: Xiaofei Cao <[email protected]> * docs(redis): update Redis cache authentication documentation - Clarified that disabled authentication means access keys are disabled - Updated enable authentication description to specify access key authentication - Improved documentation clarity for Redis cache authentication methods * Apply suggestions from code review Co-authored-by: Xiaofei Cao <[email protected]> * ``` feat(redis): support disabling authentication through access keys - Added support for disabling authentication through access keys for RedisCache - Removed unused enableAccessKeyAuthentication method from RedisCache interface - Updated changelog to reflect the new RedisCache authentication feature ``` * Apply suggestion from @XiaofeiCao Co-authored-by: Xiaofei Cao <[email protected]> * feat(resourcemanager): update RedisCache access key authentication description - Changed the changelog entry to accurately reflect that both enabling and disabling authentication through access keys is supported for RedisCache --------- Co-authored-by: Xiaofei Cao <[email protected]>
Co-authored-by: Summer Warren <[email protected]>
* Pass CONNECT timeout setting to ProxyHandlers * Fix linting
* test(container): disable failing test due to policy restriction - Added @disabled annotation to testBeginCreateWithFileShareVolume - Included reason for disabling: internal policy denies local auth methods - Preserved existing @DoNotRecord annotation and skipInPlayback setting * feat(test): enable file share volume testing for container groups - Add storage account creation and key retrieval for file share testing - Integrate Azure file share volume configuration with existing storage credentials - Include ShareServiceClientBuilder for file endpoint management - Remove @disabled annotation to activate file share volume tests - Add storage manager initialization in test base class - Update container group volume definition to use existing Azure file share * fix(test): update ContainerGroupTest to clarify Azure Storage limitations with managed identity * test(containerinstance): add tests for container group volume configurations - Added testBeginCreateWithEmptyDirectoryVolume method - Disabled testBeginCreateWithFileShareVolume due to internal policy restrictions - Updated volume configuration logic to use withEmptyDirectoryVolume instead of manual volume definition - Added proper annotations for test recording and policy compliance - Implemented container group creation with virtual network and volume mounting - Added assertions for volume count validation * fix(containerinstance): update test comment and remove outdated reference Removed outdated comment about Azure Storage SMB mounting with managed identity and updated the test documentation to reflect current behavior. The test now properly references the Azure documentation for container instances volume mounting. * chore(containerinstance): update assets tag Update the assets tag from a0e5cc2e29 to bd0493a9b7 in azure-resourcemanager-containerinstance module * refactor(tests): remove unused storage manager from container instance tests - Removed storage account creation logic from ContainerGroupTest - Eliminated unused StorageManager dependency from ContainerInstanceManagementTest - Cleaned up related imports and fields that were no longer needed - Simplified test setup by removing unnecessary storage account initialization * chore(containerinstance): update assets tag Update the assets tag in assets.json from bd0493a9b7 to cade898991 for azure-resourcemanager-containerinstance package. * refactor(ContainerGroupTest): remove unused imports - Removed unused Azure identity imports (AzureAuthorityHosts, ClientSecretCredential, DefaultAzureCredentialBuilder) - Removed unused storage related imports (StorageAccount, StorageAccountKey, ShareServiceAsyncClient, ShareServiceClientBuilder) * Update sdk/containerinstance/azure-resourcemanager-containerinstance/src/test/java/com/azure/resourcemanager/containerinstance/ContainerGroupTest.java Co-authored-by: Copilot <[email protected]> * Update sdk/containerinstance/azure-resourcemanager-containerinstance/src/test/java/com/azure/resourcemanager/containerinstance/ContainerGroupTest.java Co-authored-by: Xiaofei Cao <[email protected]> --------- Co-authored-by: Copilot <[email protected]> Co-authored-by: Xiaofei Cao <[email protected]>
… library version (#47642) * Bumped Stainless library version * Removed URL mapper util * wrapping the actual exception, not just the cause
* Scala 2.13 skeleton * Update sdk/cosmos/ci.yml Co-authored-by: Copilot <[email protected]> * Update sdk/cosmos/azure-cosmos-spark_3/pom.xml Co-authored-by: Copilot <[email protected]> * Update sdk/cosmos/azure-cosmos-spark_3-5_2-13/CONTRIBUTING.md Co-authored-by: Copilot <[email protected]> * Update sdk/cosmos/azure-cosmos-spark_3-5_2-13/CONTRIBUTING.md Co-authored-by: Copilot <[email protected]> * Update pom.xml * md fixes * Fixing wrong versions * Update pom.xml * Fix versioning powershell script to exclude checks for versions specified via variables * Removing unused external dependencies * Update ci.yml * Update pom.xml * Fixing scala 2.13 incompatibilities * Update pom.xml * Fixing CI tests or spark 3.5 to use Java 17 * Update CHANGELOG.md * Fixing illegal access error when using Java 17 * Making --add-opens conditional on Java version * Update spark.yml * Fixing Spark live tests * Update databricks-jar-install.sh * Update TransientIOErrorsRetryingReadManyIterator.scala * Update CosmosItemIdentityHelper.scala * Update CosmosItemIdentityHelper.scala * Fixing scala 2.13 jsonNode serialization incompatibility * Update CosmosItemIdentityHelper.scala * Update CosmosItemIdentityHelper.scala * Fixing scala 2.13 regression * Fixing Scala 2.13 test failure * Fixing build break * Update SparkE2EChangeFeedITest.scala --------- Co-authored-by: Copilot <[email protected]>
* Attempt to resolve transcription failures during From Source * Add in workaround
Co-authored-by: Jiarui Guo <[email protected]>
Co-authored-by: Netyyyy <[email protected]>
Co-authored-by: Netyyyy <[email protected]>
Co-authored-by: Netyyyy <[email protected]>
Copilot
AI
changed the title
[WIP] Fix incorrect merging of parameters in token payload
Fix parameter duplication in JWT Bearer grant requests causing AADSTS70003 errors
Jan 9, 2026
Member
|
@copilot the base branch should be checkout from feature/springcloudazure-7.x |
Contributor
Author
I've rebased the PR onto
The fix addresses the same root issue where |
Copilot stopped work on behalf of
Netyyyy due to an error
January 9, 2026 02:05
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fix on_behalf_of token payload issue in Spring Boot 4.x/Spring Framework 7.x
Problem
on_behalf_ofgrant type with Azure AD authentication in Spring Boot 4.x/Spring Framework 7.xMultiValueMap.addAll()which appends valuesgrant_typeto become[value, value]instead of[value]AADSTS70003: The app requested an unsupported grant type 'urn:ietf:params:oauth:grant-type:jwt-bearer,urn:ietf:params:oauth:grant-type:jwt-bearer'Solution
AadJwtBearerGrantRequestParametersConverterto flatten multi-valued parametersset()instead ofadd()Testing
noDuplicateGrantTypeParameterto verify fixTechnical Details
In Spring Boot 4.x / Spring Security 7.x, the architecture uses parameter converters instead of entity converters. When
RestClientJwtBearerTokenResponseClient.addParametersConverter()is called multiple times, Spring Security merges the results usingMultiValueMap.addAll(), causing duplicate values.Our fix ensures that even though the delegate converter sets parameters, we flatten them to single values before returning, preventing duplicates when the response client merges multiple converters.
Files Changed
AadJwtBearerGrantRequestParametersConverter.java- Added flattening logicAadJwtBearerGrantRequestParametersConverterTests.java- Added test for duplicate preventionCHANGELOG.md- Documented the bug fixAadJwtBearerGrantRequestEntityConverterTests.java(not used in Spring Boot 4.x)Original prompt
💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.