Description
Describe the bug
The `OidcClientImpl.postRequest` method reuses the same `MultiMap` instance (`body`) across multiple requests when performing JWT bearer authentication. This causes the form parameters `client_assertion` and `client_assertion_type` to accumulate with each request instead of being replaced.
When using JWT bearer authentication, the code adds values to the `formBody` `MultiMap` using `add()`:

```java
// add() appends a value for the key; it never replaces an existing one
body.add(OidcConstants.CLIENT_ASSERTION, clientAssertion);
body.add(OidcConstants.CLIENT_ASSERTION_TYPE, OidcConstants.JWT_BEARER_CLIENT_ASSERTION_TYPE);
```
Unlike the `set()` method (which replaces existing values), `add()` creates duplicate entries for the same key. Since the same `MultiMap` instance is reused across requests, this results in the form body containing multiple copies of these parameters.
Expected behavior
The parameters `client_assertion` and `client_assertion_type` contain only the newest values and are not added multiple times to the request.
Actual behavior
- The HTTP POST request body grows with each request
- Form data contains duplicate parameters, causing issues with OIDC servers
How to Reproduce?
- Configure the Quarkus OIDC client with JWT bearer authentication (see the guide "OpenID Connect (OIDC) and OAuth2 client and filters", section "JWT Bearer")
- Make multiple sequential token requests using the same `OidcClient` instance, especially after the token has expired
- Observe that the form parameters in the POST request body contain duplicate `client_assertion` and `client_assertion_type` entries
Output of `uname -a` or `ver`
No response
Output of `java -version`
21
Quarkus version or git rev
3.24.3
Build tool (i.e. output of `mvnw --version` or `gradlew --version`)
No response
Additional information
No response
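The accumulation described in this report, reproduced as an added example (this is not Quarkus code, and `JwtBearerFormBodyDemo`, its helper names and the constant values are assumptions that only mirror the names used in the report). It drives one Vert.x `MultiMap` through several simulated token requests, once with `add()` as in the report and once with `set()`, and shows how many `client_assertion` values the encoded form body ends up carrying in each case:

```java
import io.vertx.core.MultiMap;

import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

/**
 * Added example, not part of Quarkus: shows how reusing a single Vert.x
 * MultiMap across token requests makes add() accumulate client_assertion
 * values, while set() keeps exactly one (the newest) value per key.
 * Requires io.vertx:vertx-core on the classpath.
 */
public class JwtBearerFormBodyDemo {

    // Assumed constants; they mirror the names used by the report's OidcConstants.
    static final String CLIENT_ASSERTION = "client_assertion";
    static final String CLIENT_ASSERTION_TYPE = "client_assertion_type";
    static final String JWT_BEARER_CLIENT_ASSERTION_TYPE =
            "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";

    /** Pattern from the report: add() appends, so a reused body keeps growing. */
    static void addAssertion(MultiMap body, String clientAssertion) {
        body.add(CLIENT_ASSERTION, clientAssertion);
        body.add(CLIENT_ASSERTION_TYPE, JWT_BEARER_CLIENT_ASSERTION_TYPE);
    }

    /** Corrected pattern: set() replaces any existing value for the key. */
    static void setAssertion(MultiMap body, String clientAssertion) {
        body.set(CLIENT_ASSERTION, clientAssertion);
        body.set(CLIENT_ASSERTION_TYPE, JWT_BEARER_CLIENT_ASSERTION_TYPE);
    }

    /**
     * Simulates {@code requests} sequential token requests that share one
     * MultiMap, as a long-lived OidcClient would, and returns the body.
     * Each request signs a "fresh" assertion (a placeholder string here).
     */
    static MultiMap bodyAfterRequests(boolean useSet, int requests) {
        MultiMap body = MultiMap.caseInsensitiveMultiMap();
        body.set("grant_type", "client_credentials");
        for (int i = 1; i <= requests; i++) {
            String freshAssertion = "jwt-" + i; // stands in for a newly signed JWT
            if (useSet) {
                setAssertion(body, freshAssertion);
            } else {
                addAssertion(body, freshAssertion);
            }
        }
        return body;
    }

    /** Renders the MultiMap the way it would be sent: application/x-www-form-urlencoded. */
    static String encode(MultiMap body) {
        return body.entries().stream()
                .map(e -> URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8)
                        + "=" + URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8))
                .collect(Collectors.joining("&"));
    }

    /** Check a regression test could make: exactly one assertion, and it is the newest. */
    static boolean hasSingleNewestAssertion(MultiMap body, String newest) {
        List<String> values = body.getAll(CLIENT_ASSERTION);
        return values.size() == 1 && values.get(0).equals(newest);
    }

    public static void main(String[] args) {
        MultiMap withAdd = bodyAfterRequests(false, 3);
        MultiMap withSet = bodyAfterRequests(true, 3);

        System.out.println("add(): " + encode(withAdd));
        System.out.println("set(): " + encode(withSet));

        if (hasSingleNewestAssertion(withAdd, "jwt-3")) {
            throw new AssertionError("add() should have accumulated assertions");
        }
        if (!hasSingleNewestAssertion(withSet, "jwt-3")) {
            throw new AssertionError("set() should leave only the newest assertion");
        }
    }
}
```

Run it with `vertx-core` on the classpath; the `add()` body lists every assertion ever signed while the `set()` body carries only the last one. Which of several duplicate `client_assertion` values a token endpoint reads, or whether it rejects the request outright, is up to that server, which is why the symptom can look like an intermittent failure that starts only after the first token expires and the second request is sent. Either `set()` or building a fresh `MultiMap` per request removes the duplicates.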