Expected Behavior
According to the spring security docs [1][2][3][4], the default Authorization Response baseUri (redirection endpoint) is /login/oauth2/code/*. So I have added this value as valid redirection url in our authorization server (keycloak):
/login/oauth2/code/*
I expect all calls from spring to redirect to this url.
Current Behavior
Assuming registrationId is 'myclient', I am seeing redirect calls to:
/authorize/oauth2/code/myclient
This is an invalid redirect url according to our authorization server (keycloak), so it blocks the request.
Context
Sometimes, usually when a token has expired and the Spring OAuth client has to re-authorize its token, Spring throws a ClientAuthorizationRequiredException, which is handled in OAuth2AuthorizationRequestRedirectFilter. At this place, a redirect url using action = "authorize" is resolved. The redirect url passed to the authorization server then becomes:
{baseUrl}/authorize/oauth2/code/myclient
Workaround: It is possible to override the redirection url per client using the property value of redirect-uri, but I have not done so, because why should I? The default value stated in the docs is fine. If not specified, the default value of the redirect-uri is set to:
{baseUrl}/{action}/oauth2/code/{registrationId}
where action can be login or authorize.
Assuming registrationId is 'myclient', this causes spring to send as redirectUrl to keycloak:
/login/oauth2/code/myclient -> ok
/authorize/oauth2/code/myclient -> keycloak: invalid redirect_url
I am trying to understand why Spring is redirecting to {baseUrl}/authorize/oauth2/code/myclient instead of {baseUrl}/login/oauth2/code/myclient. As far as I can see, there is nothing in Spring defined to handle this request (OAuth2LoginAuthenticationFilter only listens to DEFAULT_FILTER_PROCESSES_URI, which points to /login/oauth2/code/*).
If I add the exception HttpSecurity.antMatchers("/authorize/**").permitAll(), then the call passes authentication and returns a 404 as there is no endpoint.
I am unsure whether this is an enhancement or a bug; at most it is a question. I am trying to find the reasoning for this {action} field, as I do not want to add unexplained redirectUrls to my authorization server clients.
Comment From: jgrandja
Thanks for getting in touch, but it feels like this is a question that would be better suited to Stack Overflow. We prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that other people can find it).
/login/oauth2/code/* is used by the oauth2Login() feature to perform login for a user. This feature uses OpenID Connect 1.0 or OAuth 2.0 Authorization Code for providers that don't support OpenID Connect 1.0 (e.g. GitHub).
/authorize/oauth2/code/* is used by the oauth2Client() feature, specifically to initiate the Authorization Request for the standard OAuth 2.0 Authorization Code flow.
It appears you are using myclient in both flows. If your intention is to use myclient for the standard OAuth 2.0 Authorization Code flow then you need to register /authorize/oauth2/code/myclient as a redirect_uri with Keycloak.
However, a typical configuration would be to configure a dedicated ClientRegistration for oauth2Login() and one or more ClientRegistrations for OAuth 2.0 Authorization Code flows (if needed).
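The split configuration described in the comment above, as an added example that is not part of the issue thread: one registration dedicated to oauth2Login() and one to oauth2Client(), each pinned to the redirect-uri that its feature actually uses, so that each Keycloak client only needs a single, explainable redirect URI. Registration names, the realm URL and the credentials are placeholders; the Keycloak "Valid Redirect URIs" values in the comments assume the application is served at https://app.example.test.

```yaml
spring:
  security:
    oauth2:
      client:
        provider:
          keycloak:
            # Placeholder realm; Spring fetches the endpoints from its discovery document.
            issuer-uri: https://KEYCLOAK_HOST/realms/REALM
        registration:
          # Used only by oauth2Login(): the callback lands on OAuth2LoginAuthenticationFilter,
          # which listens on /login/oauth2/code/*.
          # Keycloak client "app-login", Valid Redirect URIs:
          #   https://app.example.test/login/oauth2/code/keycloak-login
          keycloak-login:
            provider: keycloak
            client-id: app-login            # placeholder
            client-secret: CHANGE_ME        # placeholder
            authorization-grant-type: authorization_code
            scope: openid, profile
            # Quoted because a value starting with "{" would otherwise be parsed as a YAML mapping.
            redirect-uri: "{baseUrl}/login/oauth2/code/{registrationId}"
          # Used only by oauth2Client(): OAuth2AuthorizationRequestRedirectFilter resolves
          # action = "authorize" here, so the callback is /authorize/oauth2/code/myclient.
          # Keycloak client "myclient", Valid Redirect URIs:
          #   https://app.example.test/authorize/oauth2/code/myclient
          myclient:
            provider: keycloak
            client-id: myclient             # placeholder
            client-secret: CHANGE_ME        # placeholder
            authorization-grant-type: authorization_code
            scope: openid
            redirect-uri: "{baseUrl}/authorize/oauth2/code/{registrationId}"
```

With the redirect-uri fixed per registration, neither Keycloak client needs a wildcard, and a callback arriving at the wrong action path is rejected by Keycloak as an invalid redirect_uri rather than silently accepted.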