Description
Expected Behavior
A POST /authorize without the openid scope should be accepted by the authorization server.
Current Behavior
A POST /authorize without the openid scope returns a 404 with the following error log:
org.springframework.web.servlet.resource.NoResourceFoundException: No static resource oauth/authorize
Context
Our implementation allows the scope parameter to be omitted from the first /authorize request, as permitted by the OAuth2 specification:
https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1 and https://datatracker.ietf.org/doc/html/rfc6749#section-3.3
In this case our server acts as if every scope were requested.
There is no issue with spring authorization server when using a GET, but our implementation replays the /authorize request with a POST after a /login.
The authorizationEndpointMatcher of OAuth2AuthorizationEndpointFilter only matches POST /authorize requests that have the openid scope: https://github.com/spring-projects/spring-authorization-server/blob/main/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilter.java#L156
I guess this is because the OAuth2 spec states that the authorization server MAY support the use of POST (https://datatracker.ietf.org/doc/html/rfc6749#section-3.1), while the OpenID spec states that the server MUST support GET and POST (https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
Unfortunately we cannot submit this second /authorize with a GET as it would break other parts of our system.
We considered tinkering with the RequestCache to add every scopes of the client in the SavedRequest, but a modification in spring authorization server would be simpler because we can just handle this use case in the token generators.
Is it possible to allow customization of this matcher, or to remove the openid scope matcher for POST in OAuth2AuthorizationEndpointFilter?
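The following is an added model, not code from Spring Authorization Server or from the reporter, of the two behaviours discussed above: the current matcher that accepts a POST /authorize only when the scope parameter contains openid, the requested matcher that treats POST like GET, and the RFC 6749 section 3.3 default applied when scope is absent. The endpoint path, the Request class and the registered-scope sets are assumptions for illustration.

```python
# Added model (not Spring Authorization Server code) of the endpoint matcher
# described in the issue and of the scope-defaulting rule the reporter relies on.
from dataclasses import dataclass, field

AUTHORIZE_PATH = "/oauth2/authorize"  # assumption: default endpoint URI


@dataclass
class Request:  # hypothetical stand-in for HttpServletRequest
    method: str
    path: str
    params: dict = field(default_factory=dict)


def current_matcher(req: Request) -> bool:
    """Behaviour reported in the issue: GET always matches, POST only when
    the scope parameter contains 'openid'; any other POST falls through to
    static-resource handling and ends as a 404."""
    if req.path != AUTHORIZE_PATH:
        return False
    if req.method == "GET":
        return True
    scope = req.params.get("scope", "")
    return req.method == "POST" and "openid" in scope.split()


def proposed_matcher(req: Request) -> bool:
    """Requested change: accept POST /authorize with or without a scope
    parameter, exactly like GET."""
    return req.path == AUTHORIZE_PATH and req.method in ("GET", "POST")


def effective_scopes(req: Request, registered: set) -> set:
    """RFC 6749 section 3.3: with no scope parameter the server MUST either
    apply a pre-defined default or fail the request.  'Every scope' must mean
    the client's *registered* scopes, never more, and a request naming a scope
    the client is not registered for is rejected with invalid_scope."""
    raw = req.params.get("scope")
    if not raw:
        return set(registered)
    requested = set(raw.split())
    if not requested <= registered:
        raise ValueError("invalid_scope")
    return requested
```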