From 3379a36e64c13e4118c7e179f3a874a64de5f5a2 Mon Sep 17 00:00:00 2001
From: Joe Grandja
Date: Fri, 11 Mar 2022 04:42:00 -0500
Subject: [PATCH] Reset state for client authorization request
---
 .../client/DefaultOAuth2ClientContext.java | 5 +++--
 .../DefaultOAuth2ClientContextTests.java | 21 +++++++++++++++++++
 2 files changed, 24 insertions(+), 2 deletions(-)
 create mode 100644 spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/DefaultOAuth2ClientContextTests.java
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/DefaultOAuth2ClientContext.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/DefaultOAuth2ClientContext.java
index a4ab6e0a2..18b737279 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/DefaultOAuth2ClientContext.java
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/DefaultOAuth2ClientContext.java
@@ -1,8 +1,8 @@
 package org.springframework.security.oauth2.client;
 import java.io.Serializable;
-import java.util.HashMap;
 import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
 import org.springframework.security.oauth2.client.token.AccessTokenRequest;
 import org.springframework.security.oauth2.client.token.DefaultAccessTokenRequest;
@@ -25,7 +25,7 @@ public class DefaultOAuth2ClientContext implements OAuth2ClientContext, Serializ
 private AccessTokenRequest accessTokenRequest;
- private Map state = new HashMap();
+ private Map state = new ConcurrentHashMap();
 public DefaultOAuth2ClientContext() {
 this(new DefaultAccessTokenRequest());
@@ -54,6 +54,7 @@ public AccessTokenRequest getAccessTokenRequest() {
 }
 public void setPreservedState(String stateKey, Object preservedState) {
+ state.clear();
 state.put(stateKey, preservedState);
 }
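Review bot: In the second hunk (`@@ -25,7 +25,7 @@`), `ConcurrentHashMap` rejects null keys and null values, so `setPreservedState` now throws `NullPointerException` for a null `stateKey` or `preservedState` that the previous `HashMap` stored without complaint. The callers are not part of this patch, so whether a null can reach the map is unconfirmed. If it cannot, state the contract next to the field, e.g. `// ConcurrentHashMap: stateKey and preservedState must be non-null`. The same restriction applies to the key passed to `removePreservedState`, whose body lies outside the hunks.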
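Review bot: In the third hunk (`@@ -54,6 +54,7 @@`), `state.clear()` followed by `state.put(...)` is two separate map operations, so the `ConcurrentHashMap` from the second hunk makes each call thread-safe but not the pair. Two requests sharing one context can interleave and leave more than one entry, or wipe the entry the other request just stored. If the one-entry bound is meant to be strict, run both calls under one lock, e.g. `synchronized (state) { state.clear(); state.put(stateKey, preservedState); }`. The method also deserves a comment saying that only the most recent authorization request's state is kept. An earlier in-flight request will then get `null` from `removePreservedState`, and its callback has to be rejected rather than continued.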
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/DefaultOAuth2ClientContextTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/DefaultOAuth2ClientContextTests.java
new file mode 100644
index 000000000..9cfbfc2c6
--- /dev/null
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/DefaultOAuth2ClientContextTests.java
@@ -0,0 +1,21 @@
+package org.springframework.security.oauth2.client;
+
+import org.junit.Test;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNull;
+
+public class DefaultOAuth2ClientContextTests {
+
+ @Test
+ public void resetsState() {
+ DefaultOAuth2ClientContext clientContext = new DefaultOAuth2ClientContext();
+ clientContext.setPreservedState("state1", "some-state-1");
+ clientContext.setPreservedState("state2", "some-state-2");
+ clientContext.setPreservedState("state3", "some-state-3");
+ assertNull(clientContext.removePreservedState("state1"));
+ assertNull(clientContext.removePreservedState("state2"));
+ assertEquals("some-state-3", clientContext.removePreservedState("state3"));
+ }
+
+}
\ No newline at end of file
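Review bot: `resetsState` checks that earlier keys are discarded but never checks that the surviving entry is single-use. Adding `assertNull(clientContext.removePreservedState("state3"));` after the final assertion would pin that a state value cannot be consumed twice. That assumes `removePreservedState` deletes the entry as its name suggests, since its body is not in this patch. A second case that stores the same key twice and expects the later value would document the overwrite behaviour. The file also ends without a trailing newline.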