Closed
Description
When DefaultOAuth2AuthorizationRequestResolver creates an OAuth2AuthorizationRequest, it saves the clientRegistration.getRegistrationId() as follows:
Map<String, Object> additionalParameters = new HashMap<>();
additionalParameters.put(OAuth2ParameterNames.REGISTRATION_ID, clientRegistration.getRegistrationId());
Then OAuth2LoginAuthenticationFilter retrieves the registrationId via OAuth2AuthorizationRequest.additionalParameters() in order to look up the ClientRegistration using ClientRegistrationRepository during Authorization Response processing.
We should avoid storing the registrationId in OAuth2AuthorizationRequest.additionalParameters() as this may cause issues when a user configures their own OAuth2AuthorizationRequestResolver and overrides additionalParameters with their custom request parameters and does not include the registrationId.