
Using APPROVAL_STORE, authorization endpoint will always redirect improperly #11

Open
bluesliverx opened this issue Jul 3, 2019 · 0 comments

Comments

@bluesliverx
Collaborator

(Migrated from bluesliverx/grails-spring-security-oauth2-provider#124 reported by @xstdio)

To start off I am using the following:

Grails: 2.4.5
spring-security-core: 2.0-RC5
spring-security-rest: 1.5.2
spring-security-oauth2-provider: 2.0-RC5

I noticed that when the plugin is configured to use APPROVAL_STORE, the authorization code grant flow will always redirect with http://localhost:5555/sample-oauth2-app?error=access_denied&error_description=User%20denied%20access, even though a record will be created in the Approval table. In addition, a subsequent call will return success with the authorization code.

I managed to trace what I believe is the cause to the method updateAfterApproval in org.springframework.security.oauth2.provider.approval.ApprovalStoreUserApprovalHandler:

```java
public AuthorizationRequest updateAfterApproval(AuthorizationRequest authorizationRequest, Authentication userAuthentication) {
    // code snippet start ...
    // scopePrefix is "scope." here (see the scope.read parameter in the logs below)
    String approvalParameter = scopePrefix + requestedScope;
    // looked up in the approval parameters posted by the consent form
    String value = approvalParameters.get(approvalParameter);
    // ... code snippet end
}
```

In the logs, I printed out value, which is null, even though user_oauth_approval is true. In this case, I wonder whether the plugin is sending approvalParameters that are acceptable to org.springframework.security.oauth2.provider.approval.ApprovalStoreUserApprovalHandler.

Logs

19 Aug 2016 13:51:11,380 DEBUG ApprovalStoreUserApprovalHandler:128 - |updateAfterApproval|BEG|
19 Aug 2016 13:51:11,381 DEBUG ApprovalStoreUserApprovalHandler:128 - |updateAfterApproval|approvalParameters|{authorize=, user_oauth_approval=true, scope=read, response_type=code, client_id=my-client}
19 Aug 2016 13:51:11,382 DEBUG ApprovalStoreUserApprovalHandler:128 - |updateAfterApproval|approvalParameter|scope.read
19 Aug 2016 13:51:11,382 DEBUG ApprovalStoreUserApprovalHandler:128 - |updateAfterApproval|value|null
19 Aug 2016 13:51:11,384 DEBUG ApprovalStoreUserApprovalHandler:128 - |updateAfterApproval|ApprovalStatus.DENIED|
|addApprovals|gormApproval NOT exist|
|isApproved|true
19 Aug 2016 13:51:11,546 DEBUG ApprovalStoreUserApprovalHandler:128 - |isApproved|

Log for subsequent call

|createAuthorizationRequest|org.springframework.security.oauth2.provider.AuthorizationRequest@b83b276c
19 Aug 2016 13:53:53,316 DEBUG ApprovalStoreUserApprovalHandler:128 - Looking up user approved authorizations for client_id=my-client and [email protected]
19 Aug 2016 13:53:53,325 DEBUG ApprovalStoreUserApprovalHandler:128 - Valid user approved/denied scopes are [read]
19 Aug 2016 13:53:53,326 DEBUG ApprovalStoreUserApprovalHandler:128 - |isApproved|

In config.groovy

```groovy
// Added by the Spring Security OAuth2 Provider plugin:
grails.plugin.springsecurity.oauthProvider.clientLookup.className = 'com.sample.test.oauth.Client'
grails.plugin.springsecurity.oauthProvider.authorizationCodeLookup.className = 'com.sample.test.oauth.AuthorizationCode'
grails.plugin.springsecurity.oauthProvider.accessTokenLookup.className = 'com.sample.test.oauth.AccessToken'
grails.plugin.springsecurity.oauthProvider.refreshTokenLookup.className = 'com.sample.test.oauth.RefreshToken'

grails.plugin.springsecurity.oauthProvider.approvalLookup.className = 'com.sample.test.oauth.Approval'
grails.plugin.springsecurity.oauthProvider.approval.auto = 'APPROVAL_STORE'

grails.plugin.springsecurity.filterChain.chainMap = [
    '/oauth/token': 'JOINED_FILTERS,-oauth2ProviderFilter,-securityContextPersistenceFilter,-logoutFilter,-authenticationProcessingFilter,-rememberMeAuthenticationFilter,-exceptionTranslationFilter',
    '/securedOAuth2Resources/**': 'JOINED_FILTERS,-securityContextPersistenceFilter,-logoutFilter,-authenticationProcessingFilter,-rememberMeAuthenticationFilter,-oauth2BasicAuthenticationFilter,-exceptionTranslationFilter',
    '/**': 'JOINED_FILTERS,-statelessSecurityContextPersistenceFilter,-oauth2ProviderFilter,-clientCredentialsTokenEndpointFilter,-oauth2BasicAuthenticationFilter,-oauth2ExceptionTranslationFilter',
]
```
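To make the mismatch visible in the logs concrete, the following is an added example (not the plugin's code and not Spring's class) that models the per-scope lookup in updateAfterApproval and runs it over the approvalParameters map from the log above, constructed inline. The "scope." prefix is taken from the scope.read parameter in the log, and the "true" check is a simplification of the handler's decision; both are assumptions of this model.

```java
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

// Simplified model of the per-scope consent decision, not Spring's implementation.
public class ScopeApprovalCheck {
    // Assumed from the "approvalParameter|scope.read" log line: per-scope keys are "scope.<name>".
    static final String SCOPE_PREFIX = "scope.";

    enum ApprovalStatus { APPROVED, DENIED }

    // For each requested scope, look up "scope.<name>" in the posted approval parameters.
    // A scope without such a key yields a null value and is therefore recorded as DENIED,
    // regardless of any other flag (such as user_oauth_approval) in the same map.
    static Map<String, ApprovalStatus> decide(Set<String> requestedScopes,
                                              Map<String, String> approvalParameters) {
        Map<String, ApprovalStatus> result = new LinkedHashMap<>();
        for (String scope : requestedScopes) {
            String value = approvalParameters.get(SCOPE_PREFIX + scope);
            boolean approved = value != null && "true".equalsIgnoreCase(value.trim());
            result.put(scope, approved ? ApprovalStatus.APPROVED : ApprovalStatus.DENIED);
        }
        return result;
    }

    public static void main(String[] args) {
        Set<String> requested = Set.of("read");

        // Constructed from the approvalParameters line in the issue's log: a single
        // user_oauth_approval flag plus the raw "scope" value, but no "scope.read" key.
        Map<String, String> fromPlugin = new HashMap<>();
        fromPlugin.put("authorize", "");
        fromPlugin.put("user_oauth_approval", "true");
        fromPlugin.put("scope", "read");
        fromPlugin.put("response_type", "code");
        fromPlugin.put("client_id", "my-client");
        System.out.println("parameters as posted by the plugin -> " + decide(requested, fromPlugin));

        // The same request with the per-scope parameter the handler actually looks up.
        Map<String, String> perScope = new HashMap<>(fromPlugin);
        perScope.put("scope.read", "true");
        System.out.println("with scope.read=true added        -> " + decide(requested, perScope));
    }
}
```

The first map leaves the read scope DENIED because the lookup key is absent, which matches the "value|null" and "ApprovalStatus.DENIED" lines in the log; checking which keys the consent form posts is the quickest way to confirm this on a running server.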