We have a single sign-on auth server that's not returning or echoing the code= parameter on the redirect URL.

Describe the bug: An exception is being thrown due to not having both code= and state= URL parameters https://github.com/spring-projects/spring-security/blob/fa77f4c8ff4f796f6cadc5fd9aa385e9707135fc/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/server/OAuth2AuthorizationResponseUtils.java#L55

My understanding is that code= being echoed on the redirect is optional, not required. Should the code= URL parameter be allowed to be optional on the redirect URL?

Comment From: jzheaux

Hi, @hectoralicea, thanks for the report.

When I read the OAuth 2.0 RFC, I see that both code and state are required for the authorization_code grant flow:

code REQUIRED. The authorization code generated by the authorization server. The authorization code MUST expire shortly after it is issued to mitigate the risk of leaks. A maximum authorization code lifetime of 10 minutes is RECOMMENDED. The client MUST NOT use the authorization code

state REQUIRED if the "state" parameter was present in the client authorization request. The exact value received from the client.

It sounds like this might be more of a question than a bug report, so if the above doesn't address things, I'd recommend opening up a StackOverflow question. Feel free to update the ticket with the StackOverflow link.
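The requirement quoted above (code required on a successful redirect, state required whenever the client sent one) is what a client has to enforce before it ever exchanges the code for a token. The following is an added example, not code from the issue or from Spring Security, showing a minimal check of an authorization-response redirect: it parses the query string, rejects repeated parameters, requires state when the client issued one and compares it in constant time (this is the CSRF protection state exists for), and only then accepts either a code or an error response. The function name, the `expected_state` argument (assumed to be the value the client stored in its session when it built the authorization request) and the sample URLs are all assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlsplit
import hmac


@dataclass
class AuthorizationResponse:
    """Either a success response (code set) or an error response (error set)."""
    code: Optional[str]
    state: Optional[str]
    error: Optional[str] = None
    error_description: Optional[str] = None

    @property
    def is_error(self) -> bool:
        return self.error is not None


class InvalidAuthorizationResponse(ValueError):
    """Raised when the redirect does not carry the parameters the grant requires."""


def _single(params: dict, name: str) -> Optional[str]:
    # RFC 6749 3.1: a parameter MUST NOT be included more than once.
    values = params.get(name, [])
    if len(values) > 1:
        raise InvalidAuthorizationResponse(f"parameter {name!r} repeated")
    return values[0] if values else None


def parse_authorization_response(redirect_url: str,
                                 expected_state: Optional[str]) -> AuthorizationResponse:
    """Validate the redirect the authorization server sent the browser back with.

    expected_state is the state value this client put in its authorization
    request (assumed here to come from the client's session); None means the
    client sent no state, in which case the server need not echo one.
    """
    params = parse_qs(urlsplit(redirect_url).query, keep_blank_values=False)
    code = _single(params, "code")
    state = _single(params, "state")
    error = _single(params, "error")
    error_description = _single(params, "error_description")

    # state is REQUIRED if it was present in the request, for success and error alike.
    if expected_state is not None:
        if state is None:
            raise InvalidAuthorizationResponse("missing state parameter")
        if not hmac.compare_digest(state.encode(), expected_state.encode()):
            raise InvalidAuthorizationResponse("state does not match the stored value")

    if error is not None and code is not None:
        # Ambiguous: a response is either a success or an error, never both.
        raise InvalidAuthorizationResponse("response carries both code and error")
    if error is not None:
        return AuthorizationResponse(code=None, state=state,
                                     error=error, error_description=error_description)
    # Success path: code is REQUIRED for the authorization_code grant.
    if code is None:
        raise InvalidAuthorizationResponse("missing code parameter")
    return AuthorizationResponse(code=code, state=state)
```

A redirect that omits code but carries a matching state, which is the situation described in the report, is rejected here with "missing code parameter" rather than treated as a success; a server that does not echo code has not completed the authorization_code grant, and there is nothing for the client to exchange.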