**Describe the bug**
`OAuth2AuthorizationConsentAuthenticationProvider.authenticate` executes up to this line of code, `OAuth2Authorization authorization = this.authorizationService.findByToken(authorizationConsentAuthentication.getState(), STATE_TOKEN_TYPE);`, but `authorization` is null.
**To Reproduce**
My config:

```java
// The AntPathRequestMatcher patterns appear in the issue text as "/actuator/", "/oauth2/",
// "//*.json" and "//*.html"; the "**" wildcards were most likely eaten by markdown rendering
// and are restored below (an assumption, not part of the posted text).
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    SingleSignOnProperties.IgnoringUrl ignoringUrl = ignoringUrlProperties.getIgnoringUrl();
    http
        .cors(AbstractHttpConfigurer::disable)
        .csrf(AbstractHttpConfigurer::disable)
        .authorizeHttpRequests(auth -> auth
            .requestMatchers(
                new AntPathRequestMatcher("/actuator/**"),
                new AntPathRequestMatcher("/oauth2/**"),
                new AntPathRequestMatcher("/**/*.json"),
                new AntPathRequestMatcher("/login"),
                new AntPathRequestMatcher("/**/*.html")).permitAll()
            .requestMatchers(HttpMethod.GET, ignoringUrl.getGet()).permitAll()
            .requestMatchers(HttpMethod.POST, ignoringUrl.getPost()).permitAll()
            .requestMatchers(HttpMethod.DELETE, ignoringUrl.getDelete()).permitAll()
            .requestMatchers(HttpMethod.PUT, ignoringUrl.getPut()).permitAll()
            .requestMatchers(HttpMethod.PATCH, ignoringUrl.getPatch()).permitAll()
            .requestMatchers(SecurityProperties.OAUTH_LOGIN_PRO_URL, SecurityProperties.OAUTH2_TOKEN).permitAll()
            .requestMatchers(HttpMethod.POST, SecurityProperties.OAUTH_LOGIN_PRO_URL).permitAll()
            .requestMatchers(SecurityProperties.OAUTH2_AUTHORIZE).permitAll()
            .requestMatchers(ignoringUrl.getAll()).permitAll()
            .anyRequest().access(customAuthenticatedAuthorizationManager)
        )
        .formLogin(Customizer.withDefaults())
        // STATELESS: Spring Security will not create an HttpSession for requests on this chain
        .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
    return http.build();
}

@Bean
@Order(1)
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
    OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
    http.getConfigurer(OAuth2AuthorizationServerConfigurer.class)
        .tokenEndpoint(tokenEndpoint -> tokenEndpoint
            .accessTokenRequestConverter(accessTokenRequestConverter())
            .accessTokenResponseHandler(customerAuthenticationSuccessRedirectHandler)
            .errorResponseHandler(oauth2AuthenticationFailureEventHandler))
        .oidc(Customizer.withDefaults())
        .clientAuthentication(oAuth2ClientAuthenticationConfigurer ->
            oAuth2ClientAuthenticationConfigurer.errorResponseHandler(oauth2AuthenticationFailureEventHandler))
        // .authorizationEndpoint(authorizationEndpoint ->
        //     authorizationEndpoint.consentPage(SecurityProperties.OAUTH2_CONFIRM_ACCESS))
        // the OAuth2AuthorizationService the authorization and consent providers save to / read from
        .authorizationService(authorizationService)
        .authorizationServerSettings(AuthorizationServerSettings.builder().issuer(SecurityProperties.ISS).build());

    http.exceptionHandling(exceptions -> exceptions
            .authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/login")))
        .oauth2ResourceServer(resource -> resource.jwt(Customizer.withDefaults()));
    return http.build();
}
```
pom---version
**Expected behavior**
After successfully logging in using the form, accessing (POST) `/oauth2/authorize` -> `OAuth2AuthorizationConsentAuthenticationProvider.authenticate` executes up to this line of code, `OAuth2Authorization authorization = this.authorizationService.findByToken(authorizationConsentAuthentication.getState(), STATE_TOKEN_TYPE);`, but `authorization` is null and it reports `[invalid_request] OAuth 2.0 Parameter: state`.
I want to know how the state is stored and when it is stored. Please help me.
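To show where the state comes from and how the lookup in the issue works, here is an added example (not code from this issue and not Spring Authorization Server's own source) that replays the save/lookup sequence against an `InMemoryOAuth2AuthorizationService`. The client id, secret, redirect URI, principal name and state value are constructed for the demo; the `STATE_TOKEN_TYPE` constant mirrors the one the consent provider uses.

```java
import java.util.UUID;

import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.security.oauth2.server.authorization.InMemoryOAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;

public class ConsentStateLookupDemo {

    // Same token type the consent provider passes to findByToken: new OAuth2TokenType("state")
    private static final OAuth2TokenType STATE_TOKEN_TYPE =
            new OAuth2TokenType(OAuth2ParameterNames.STATE);

    public static void main(String[] args) {
        // Constructed sample client (ids, secret and redirect URI are demo assumptions).
        RegisteredClient client = RegisteredClient.withId(UUID.randomUUID().toString())
                .clientId("demo-client")
                .clientSecret("{noop}demo-secret")
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .redirectUri("http://127.0.0.1:8080/login/oauth2/code/demo-client")
                .scope("openid")
                .scope("profile")
                .build();

        OAuth2AuthorizationService authorizationService = new InMemoryOAuth2AuthorizationService();

        // Step 1 (GET /oauth2/authorize, consent required): the authorization-code request
        // provider generates a state value, stores it as the "state" attribute of a new
        // OAuth2Authorization and saves it. The same value is rendered into the consent form.
        String state = UUID.randomUUID().toString(); // demo value; the provider uses a secure key generator
        OAuth2Authorization pending = OAuth2Authorization.withRegisteredClient(client)
                .principalName("user1")
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .attribute(OAuth2ParameterNames.STATE, state)
                .build();
        authorizationService.save(pending);

        // Step 2 (POST /oauth2/authorize with the consent form): the consent provider looks the
        // authorization up by the submitted state. This is the findByToken call from the issue.
        OAuth2Authorization found = authorizationService.findByToken(state, STATE_TOKEN_TYPE);
        System.out.println("lookup with the stored state: " + describe(found));

        // A state this service instance never saved (a different OAuth2AuthorizationService bean,
        // an in-memory service restarted between the two requests, or a state that did not come
        // from step 1) yields null, which is what produces "invalid_request ... state".
        OAuth2Authorization unknown = authorizationService.findByToken("not-the-stored-state", STATE_TOKEN_TYPE);
        System.out.println("lookup with an unknown state: " + describe(unknown));

        // Step 3: after consent is processed the provider re-saves the authorization with the
        // issued code and without the state attribute, so the state is single-use. Re-posting
        // the same consent form therefore fails the same way.
        OAuth2Authorization consented = OAuth2Authorization.from(pending)
                .attributes(attrs -> attrs.remove(OAuth2ParameterNames.STATE))
                .build();
        authorizationService.save(consented);
        OAuth2Authorization replayed = authorizationService.findByToken(state, STATE_TOKEN_TYPE);
        System.out.println("lookup after consent was processed: " + describe(replayed));
    }

    private static String describe(OAuth2Authorization authorization) {
        return authorization == null ? "null" : "found (id=" + authorization.getId() + ")";
    }
}
```

The practical check this suggests: the `OAuth2AuthorizationService` configured via `.authorizationService(...)` must be the same instance that handled the GET that rendered the consent page, and it must still hold the not-yet-completed authorization when the POST arrives. An in-memory service loses pending authorizations on restart and keeps only a bounded number of them, and any custom service must implement `findByToken` for the `state` token type (matching on the `state` attribute, or the corresponding column for a JDBC implementation), otherwise the lookup returns null even though the save succeeded.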
Comment From: sjohnr
Thanks for getting in touch @lichengliang1, but it feels like this is a question that would be better suited to Stack Overflow. We prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that other people can find it) or add a minimal sample that reproduces this issue if you feel this is a genuine bug.
Additionally, your question is related to Spring Authorization Server, so consider using this tag instead.