Summary

OAuth2 Client receives access_token, refresh_token, and oidc_id_token from the Authorization Server, which to me indicates successful completion of the Authorization Code Grant Flow. However, the OAuth2 Client then does an unexpected redirect back to the Authorization Server /oauth2/authorize which fails.

Note, I asked for assistance on Stack Exchange back two weeks ago (April 9, 2023) but received no responses, so retrying my question here. https://stackoverflow.com/questions/75972697/how-to-prevent-oauth2-client-from-doing-2nd-oauth2-authorize-redirect-to-oauth2

Note: Spring OAuth2 Client and Authorization Server are in a single Spring application, for testing and debugging purposes. I tried TRACE logs and debugging, but could not identify the root cause.

Actual Behavior

OAuth2 Client receives access_token, refresh_token, and oidc_id_token from the Authorization Server. OAuth2 Client then does an unexpected redirect back to the Authorization Server /oauth2/authorize which fails.

I can see the client received access_token, refresh_token, and oidc_id_token in TRACE logs.

Expected Behavior

When the client receives the access_token, refresh_token, and oidc_id_token, it should have redirected to https://127.0.0.1/. It should not redirect to https://127.0.0.1/oauth2/authorize.

Configuration

Links are copied from my Stack Exchange question:

- SecurityFilterChain: https://github.com/justincranford/spring/blob/main/src/main/java/com/github/justincranford/spring/config/SecurityFilterChainConfig.java#L122-L181
- OAuth2 Client Config: https://github.com/justincranford/spring/blob/main/src/main/resources/application.properties#L223-L241
- OAuth2 Authz Server RegisteredClientRepository: https://github.com/justincranford/spring/blob/main/src/main/java/com/github/justincranford/spring/config/SecurityFilterChainConfig.java#L307-L334
- OAuth2 Authz Server AuthorizationServerSettings: https://github.com/justincranford/spring/blob/main/src/main/java/com/github/justincranford/spring/config/SecurityFilterChainConfig.java#L340-L352

Version

I originally tried Spring Boot Starter Parent 3.0.2. Recently I updated to 3.0.5. No change, I get the same issue.

- https://github.com/justincranford/spring/blob/main/pom.xml#L8

Sample

https://github.com/justincranford/spring

  1. Start the app com.github.justincranford.spring.Application.
  2. Open https://127.0.0.1/ in a browser.
  3. Click on the Internal OIDC Login button.
  4. Login with username appuser and password appuser.
  5. Notice the error displayed in the UI page is [authorization_request_not_found].
  6. View the console logs.
  7. Search for access_token.
  8. Notice the server returned access_token, refresh_token, and oidc_id_token.
  9. Notice the client next does a new redirect to Authorization Server, which triggers a redirect to an error page.

Gist showing a log capture. https://gist.github.com/justincranford/93eabb050a1ab707bb729af92f8554cc

Note: I tried to selectively quiet noisy log messages. If you would like to simplify log config, delete all of these log settings, and only leave logging.level.root=TRACE to see everything.

- https://github.com/justincranford/spring/blob/main/src/main/resources/application.properties#L16-L89

Note: I tried with full TRACE logging, but I did not find any log messages between client receiving the tokens and then doing the unexpected redirect back to the OAuth2 Authorization Server.
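The `[authorization_request_not_found]` error shown in step 5 is raised by Spring Security's `OAuth2LoginAuthenticationFilter` when the configured `AuthorizationRequestRepository` returns `null` on the authorization-code callback, i.e. no pending `OAuth2AuthorizationRequest` could be matched to the callback's `state` parameter. Because the report notes that the client and the authorization server run in one application on 127.0.0.1, the most useful thing to see in the logs is which HTTP session the request was saved in versus which session the callback arrived on. The following is an added diagnostic wrapper written for this review; it is not code from the justincranford/spring repository. It delegates to the stock `HttpSessionOAuth2AuthorizationRequestRepository` and only adds logging; the package name and class name are assumptions.

```java
// Added diagnostic example (not from the justincranford/spring repository).
// Wraps Spring Security's HttpSessionOAuth2AuthorizationRequestRepository so that
// every save/load/remove of the pending OAuth2AuthorizationRequest is logged
// together with the servlet session id. A "remove MISS" line is exactly the
// condition that OAuth2LoginAuthenticationFilter turns into
// [authorization_request_not_found] on the /login/oauth2/code/{registrationId} callback.
package com.example.diag; // hypothetical package, chosen for this example

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.oauth2.client.web.AuthorizationRequestRepository;
import org.springframework.security.oauth2.client.web.HttpSessionOAuth2AuthorizationRequestRepository;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;

public class LoggingAuthorizationRequestRepository
        implements AuthorizationRequestRepository<OAuth2AuthorizationRequest> {

    private static final Logger log =
            LoggerFactory.getLogger(LoggingAuthorizationRequestRepository.class);

    // Stock Spring Security repository does the real work; we only observe it.
    private final AuthorizationRequestRepository<OAuth2AuthorizationRequest> delegate =
            new HttpSessionOAuth2AuthorizationRequestRepository();

    @Override
    public OAuth2AuthorizationRequest loadAuthorizationRequest(HttpServletRequest request) {
        OAuth2AuthorizationRequest found = delegate.loadAuthorizationRequest(request);
        log.info("load   state={} session={} found={}",
                state(request), sessionId(request), found != null);
        return found;
    }

    @Override
    public void saveAuthorizationRequest(OAuth2AuthorizationRequest authorizationRequest,
                                         HttpServletRequest request,
                                         HttpServletResponse response) {
        delegate.saveAuthorizationRequest(authorizationRequest, request, response);
        // The state value is the binding between this save and the later callback.
        String savedState = authorizationRequest == null ? null : authorizationRequest.getState();
        log.info("save   state={} session={} uri={}",
                savedState, sessionId(request), request.getRequestURI());
    }

    @Override
    public OAuth2AuthorizationRequest removeAuthorizationRequest(HttpServletRequest request,
                                                                 HttpServletResponse response) {
        OAuth2AuthorizationRequest removed = delegate.removeAuthorizationRequest(request, response);
        if (removed == null) {
            // No pending request for this callback: this surfaces as
            // [authorization_request_not_found] in the login filter.
            log.warn("remove MISS state={} session={} uri={}",
                    state(request), sessionId(request), request.getRequestURI());
        } else {
            log.info("remove state={} session={}", removed.getState(), sessionId(request));
        }
        return removed;
    }

    private static String state(HttpServletRequest request) {
        return request.getParameter(OAuth2ParameterNames.STATE);
    }

    private static String sessionId(HttpServletRequest request) {
        // Never create a session as a side effect of logging.
        HttpSession session = request.getSession(false);
        return session == null ? "<none>" : session.getId();
    }
}

// Wiring, inside the client's SecurityFilterChain bean (added here for illustration):
//
// http.oauth2Login(login -> login.authorizationEndpoint(endpoint ->
//         endpoint.authorizationRequestRepository(new LoggingAuthorizationRequestRepository())));
```

Reading the resulting log lines in order, a `save` followed by a `remove MISS` with a different `session=` value means the browser presented a different session cookie on the callback than on the initial redirect to `/oauth2/authorize`; a `remove MISS` with the same session id but a different `state` means the callback does not correspond to the request that was saved. Either observation narrows the search considerably compared with a full TRACE log.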

Comment From: jzheaux

Thanks, @justincranford. I responded to the StackOverflow question.