EDR token refresh implementation is inconsistent and deviates from the documentation #1565

Open
Sebastian-Wurm opened this issue Sep 18, 2024 · 0 comments
Labels
bug Something isn't working triage all new issues awaiting classification

Sebastian-Wurm commented Sep 18, 2024

Describe the bug

On API consumer side, the method TokenRefreshHandlerImpl.createTokenRefreshRequest() adds the "Content-Type" header "application/x-www-form-urlencoded" to the token refresh request, but adds the parameters "grant_type" and "refresh_token" as query parameters of the URL rather than as urlencoded body.

On API provider side, the method TokenRefreshApiController.refreshToken() also adds the parameters as query parameters.

The corresponding documentation correctly adds these parameters as urlencoded body in the HTTP request.

To Reproduce

Adding the "Content-Type" header "application/x-www-form-urlencoded", which describes the format of the HTTP body, and providing a zero-length HTTP body is inconsistent. The implementation also deviates from the documentation. Additionally, this leads to an incompatibility between EDC 0.7.2 and 0.7.3 when refreshing the EDR token, which is why we found this issue.

Expected behavior

Either send/receive the parameters as urlencoded body or remove the "Content-Type" header "application/x-www-form-urlencoded" and adapt the documentation. As tokens tend to be long and different environments may have different restrictions regarding URL length, it's probably the better idea to urlencode the parameters in the body as defined in the documentation.

Screenshots/Error Messages

N/A

Context Information

  • Used version: EDC 0.7.2 and 0.7.3 (but seems still to be on main, too)

Please be aware that fixing this according to either of the proposals mentioned as expected behavior again breaks the EDR token refresh. So, best is to keep this as a known issue until the first major release of Tractus-X EDC.

Possible Implementation

Use URLEncoder.

@Sebastian-Wurm Sebastian-Wurm added bug Something isn't working triage all new issues awaiting classification labels Sep 18, 2024
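
The two request shapes contrasted in this issue, as an added example that is not part of the original report and not the project's own code. It uses the JDK's `java.net.http` API; the endpoint URL, the token value, the class and method names, and the use of POST are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpRequest;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.stream.Collectors;

public class RefreshRequestShapes {
    // Hypothetical endpoint and constructed token value, for illustration only.
    static final String REFRESH_ENDPOINT = "https://provider.example/token";
    static final String REFRESH_TOKEN = "constructed.refresh+token/value==";

    // Encode parameters as application/x-www-form-urlencoded key=value pairs.
    static String formEncode(Map<String, String> params) {
        return params.entrySet().stream()
                .map(e -> URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8) + "="
                        + URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8))
                .collect(Collectors.joining("&"));
    }

    // Shape described in the issue: the header announces a form body, but the
    // parameters travel in the URL and the body is empty.
    static HttpRequest queryVariant(Map<String, String> params) {
        return HttpRequest.newBuilder(URI.create(REFRESH_ENDPOINT + "?" + formEncode(params)))
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.noBody())
                .build();
    }

    // Shape given in the documentation: parameters in the urlencoded body.
    static HttpRequest bodyVariant(Map<String, String> params) {
        return HttpRequest.newBuilder(URI.create(REFRESH_ENDPOINT))
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(formEncode(params)))
                .build();
    }

    public static void main(String[] args) {
        Map<String, String> params = new LinkedHashMap<>();
        params.put("grant_type", "refresh_token");
        params.put("refresh_token", REFRESH_TOKEN);
        for (HttpRequest r : new HttpRequest[]{queryVariant(params), bodyVariant(params)}) {
            long len = r.bodyPublisher().map(HttpRequest.BodyPublisher::contentLength).orElse(0L);
            System.out.println(r.method() + " " + r.uri() + "  body-bytes=" + len);
        }
    }
}
```

Running it prints the query variant with the token in the URI and a zero-length body, and the body variant with a clean URI and a non-empty body. Query strings are commonly recorded in proxy and access logs, so the query variant also places the refresh token where such logs would capture it.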