Describe the bug
In Spring Security WebFlux, OAuth2LoginSpec#getLinks populates the returned map with authorization links for all registered client registrations, even for those using the "client_credentials" grant type meant for server-to-server authentication. This has the following consequences:
This means that if you have two client registrations, A with grant type authorization_code and B with client_credentials, the authorization entry point created by Spring Security WebFlux redirects to the default login page (/login) rather than directly to the authorization flow of A (/oauth2/authorization/A). Even worse, that login page will show an authorization link for registration B even though it is not possible for a user to log in through the client_credentials OAuth2 flow. In fact, following this link yields a 500 error as DefaultServerOAuth2AuthorizationRequestResolver (sensibly) does not support client_credentials.
To Reproduce
- Create a Spring Boot application with WebFlux and Spring Security
- Define two client registrations within spring.security.oauth2.client.registration in application.yml:
  - a with authorization-grant-type: authorization_code
  - b with authorization-grant-type: client_credentials
- Configure a ServerHttpSecurity bean protecting some path with oauth2Login()
- Start the application
- Navigate to the protected path
Expected behavior
I get redirected to /oauth2/authorization/a and then to the OAuth2 provider's login page.
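The reproduction described above, as an added example that is not part of the original issue or of Spring Security's own code. The registration ids a and b, the client ids/secrets, the provider URLs, the protected path /protected/** and the 5.4+ builder method redirectUri are assumptions; the two registrations are built in code rather than in application.yml so the class is self-contained. The exceptionHandling block at the end is a workaround that sends unauthenticated users straight to registration a, so the generated /login page (and its unusable client_credentials link) is never shown:

```java
// Added example, not from the issue or the Spring Security project.
// Assumptions: registration ids "a" and "b", placeholder client ids/secrets,
// placeholder provider URLs, protected path "/protected/**".
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.InMemoryReactiveClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.authentication.RedirectServerAuthenticationEntryPoint;

@Configuration
@EnableWebFluxSecurity
public class OAuth2LoginConfig {

    @Bean
    ReactiveClientRegistrationRepository clientRegistrations() {
        // Registration "a": interactive user login via authorization_code.
        ClientRegistration a = ClientRegistration.withRegistrationId("a")
                .clientId("a-client-id")                 // placeholder
                .clientSecret("a-client-secret")         // placeholder
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .redirectUri("{baseUrl}/login/oauth2/code/{registrationId}")
                .scope("profile")
                .authorizationUri("https://provider.example/oauth2/authorize")
                .tokenUri("https://provider.example/oauth2/token")
                .userInfoUri("https://provider.example/userinfo")
                .userNameAttributeName("sub")
                .clientName("Provider A")
                .build();

        // Registration "b": server-to-server access via client_credentials.
        // No user can log in through it, so it should never be offered as a login link.
        ClientRegistration b = ClientRegistration.withRegistrationId("b")
                .clientId("b-client-id")                 // placeholder
                .clientSecret("b-client-secret")         // placeholder
                .authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
                .scope("api.read")
                .tokenUri("https://provider.example/oauth2/token")
                .build();

        return new InMemoryReactiveClientRegistrationRepository(a, b);
    }

    @Bean
    SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        http
            .authorizeExchange(exchanges -> exchanges
                .pathMatchers("/protected/**").authenticated()
                .anyExchange().permitAll())
            .oauth2Login(Customizer.withDefaults())
            // Workaround for the behaviour reported above: with two registrations the
            // default entry point redirects to the generated /login page, which lists
            // "b" even though client_credentials cannot be used for login. Redirecting
            // straight to /oauth2/authorization/a gives the expected behaviour.
            .exceptionHandling(handling -> handling
                .authenticationEntryPoint(
                    new RedirectServerAuthenticationEntryPoint("/oauth2/authorization/a")));
        return http.build();
    }
}
```

Start the application and request /protected/anything unauthenticated: with the exceptionHandling block in place the response is a redirect to /oauth2/authorization/a, followed by a redirect to the provider's authorization endpoint. Remove that block to observe the reported behaviour, a redirect to /login listing both a and b.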
Comment From: jgrandja
Thanks for the report @denisw.
The one thing to keep in mind is that the default login page is meant to be used for development / testing only. Production applications will supply their own custom login page.
Having said that, I agree that only authorization_code configured ClientRegistrations should be displayed.
Would you be interested in submitting a PR for this fix?
Comment From: denisw
Thank you for the reply, @jgrandja! I'll have a go at creating a pull request. 🙂