Issue with RemoteTokenServices decoding the /oauth/check_token result

[calebkiage]

I've set up an authorization server and a resource server to use the remote token services on spring boot.
The authorization server returns the xml below from the /oauth/check_token endpoint:

<Map>
    <aud>resource_1</aud>
    <aud>resource_2</aud>
    <exp>1487025250</exp>
    <user_name>[email protected]</user_name>
    <authorities>ROLE_ADMIN</authorities>
    <authorities>ROLE_USER</authorities>
    <client_id>client_1</client_id>
    <scope>read</scope>
    <scope>write</scope>
</Map>

The issue is that the decoded authentication doesn't decode the authorities and scopes correctly. It seems to convert the list to a string by taking the last item so the authentication only has the ROLE_USER authority and the write scope.

[calebkiage]

Okay, so I fixed this by removing com.fasterxml.jackson.dataformat:jackson-dataformat-xml from the build file. Does this mean that xml serialization isn't supported?

[calebkiage]

I think this is related to FasterXML/jackson-dataformat-xml#11 which will not be fixed. Maybe the documentation could warn users about this?

[arakelian]

@calebkiage See FasterXML/jackson-dataformat-xml#205 and use the Gist provided in the comments to work around this issue.