
OAuth2PushedAuthorizationRequestUri generates URIs which cannot be parsed due to ___ in the state part #2346

Description

@christopherm-backbase

Describe the bug
spring-security-oauth2-authorization-server 1.5.2 and 1.5.7

A percentage of PAR (Pushed Authorization Request) requests fail randomly.
OAuth2PushedAuthorizationRequestUri generates URIs in this format:

```text
urn:ietf:params:oauth:request_uri:<Base64URL_state>___<epoch_millis>
Generator: Base64StringKeyGenerator(Base64.getUrlEncoder())
- Base64URL alphabet: A-Z, a-z, 0-9, -, _ (64 characters)
- Character '_' (underscore) IS in the output!
- Delimiter '___' (triple underscore) also uses '_'
=> CONFLICT!
```

The `parse` method contains the bug:

```text
urn:ietf:params:oauth:request_uri:xXMGJTZwzXIFL8i_DFu_EM8IeWC___frCWjpiF2q-xs=___1781670640281
                                                             ^^^              ^^^
indexOf() matches the first triple-underscore delimiter
Result:
- substring = "frCWjpiF2q-xs=___1781670640281"
- Long.parseLong(...) → NumberFormatException!
- catch(Exception) → throwError("invalid_request", "request_uri")
- User receives error, authentication FAILS
```

To Reproduce
Failure probability is 1/6,554, the sample project demonstrates this with a unit test.

Expected behavior
All created URIs can be parsed.

Either the state generation is changed or the parse method accepts URIs with ___ in the state part.

A suggested fix is to change the `parse` method to replace `indexOf` with `lastIndexOf` when looking for the delimiter position.
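To make the failure mode and the proposed fix concrete, here is an added example (not the authorization server's own code): a hypothetical minimal re-implementation of the `request_uri` format above with both the `indexOf`-based parse and the `lastIndexOf`-based one, plus a loop that counts how often a freshly generated Base64URL state contains `___`. It assumes the generator produces 32 random bytes, as the sample output above suggests.

```java
import java.security.SecureRandom;
import java.util.Base64;

// Hypothetical re-implementation of the PAR request_uri format, added as an
// example; not the OAuth2PushedAuthorizationRequestUri class itself.
public class ParRequestUriDemo {
    static final String PREFIX = "urn:ietf:params:oauth:request_uri:";
    static final String DELIM = "___";

    static String create(String state, long createdAtMillis) {
        return PREFIX + state + DELIM + createdAtMillis;
    }

    // Buggy variant: indexOf stops at the first "___", which may sit inside
    // the Base64URL state itself, so the remainder is not a number.
    static long parseBuggy(String uri) {
        String body = uri.substring(PREFIX.length());
        int i = body.indexOf(DELIM);
        return Long.parseLong(body.substring(i + DELIM.length()));
    }

    // Fixed variant: the timestamp is digits only and can never contain "___",
    // so the last occurrence of the delimiter is always the real one.
    static long parseFixed(String uri) {
        String body = uri.substring(PREFIX.length());
        int i = body.lastIndexOf(DELIM);
        return Long.parseLong(body.substring(i + DELIM.length()));
    }

    public static void main(String[] args) {
        // State taken from the issue report: it contains "___" in the Base64URL part.
        String uri = create("xXMGJTZwzXIFL8i_DFu_EM8IeWC___frCWjpiF2q-xs=", 1781670640281L);
        System.out.println("lastIndexOf parse: " + parseFixed(uri));
        try {
            parseBuggy(uri);
        } catch (NumberFormatException e) {
            System.out.println("indexOf parse failed: " + e.getMessage());
        }

        // Random states as Base64.getUrlEncoder() would emit them for 32-byte keys
        // (assumed key length); count how many would trip the indexOf-based parser.
        SecureRandom rnd = new SecureRandom();
        byte[] key = new byte[32];
        int collisions = 0, total = 200_000;
        for (int n = 0; n < total; n++) {
            rnd.nextBytes(key);
            if (Base64.getUrlEncoder().encodeToString(key).contains(DELIM)) collisions++;
        }
        System.out.printf("%d of %d generated states contain \"%s\"%n", collisions, total, DELIM);
    }
}
```

The collision count is random but of the order of a few dozen per 200,000 states, consistent with the roughly 1/6,554 failure rate reported above.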

Sample

https://github.com/christopherm-backbase/spring-auth-server-par-request-uri-repro
