Spring Authorization Server returning HTTP 401 for /oauth2/authorize endpoint with response_type=code

[tomotoyinbo]

Hello Spring Team,

I'm setting up a Spring Authorization Server with Spring boot starter Security 3.4.1 and spring-boot-starter-oauth2-authorization-server 3.4.1. While the server generally starts without errors, I’m getting an HTTP 401 whenever I try to access the /oauth2/authorize endpoint with response_type=code (i.e., the Authorization Code flow). Below are details of my configuration and the logs from a failed request. Any guidance on what might be missing or misconfigured is greatly appreciated.

Link to public Github sample project to reproduce: https://github.com/tomotoyinbo/sample-auth-server
Java Version: 22
build tool: Maven

Below is an example Postman / cURL request:
curl -i -X GET
"http://localhost:8080/oauth2/authorize?response_type=code&client_id=demo-client&redirect_uri=http://127.0.0.1:8080/login/oauth2/code/demo-client&scope=openid profile"

Response:
HTTP/1.1 401
WWW-Authenticate: Bearer
{
"error": "Unauthorized"
}

I enabled debug logs for org.springframework.security and org.springframework.security.oauth2:
logging:
level:
org.springframework.security: DEBUG
org.springframework.security.oauth2: DEBUG

Log Snippet:

2025-01-09T06:13:02.200-08:00  INFO 17686 --- [sample-auth-server] [nio-8090-exec-1] o.a.c.c.C.[.[localhost].[/sample]        : Initializing Spring DispatcherServlet 'dispatcherServlet'
2025-01-09T06:13:02.200-08:00  INFO 17686 --- [sample-auth-server] [nio-8090-exec-1] o.s.web.servlet.DispatcherServlet        : Initializing Servlet 'dispatcherServlet'
2025-01-09T06:13:02.201-08:00  INFO 17686 --- [sample-auth-server] [nio-8090-exec-1] o.s.web.servlet.DispatcherServlet        : Completed initialization in 0 ms
2025-01-09T06:13:02.211-08:00 DEBUG 17686 --- [sample-auth-server] [nio-8090-exec-1] o.s.security.web.FilterChainProxy        : Securing GET /oauth2/authorize?response_type=code&client_id=demo-client&scope=openid%20profile&redirect_uri=http://127.0.0.1:8090/sample/login/oauth2/code/demo-client
2025-01-09T06:13:02.222-08:00 DEBUG 17686 --- [sample-auth-server] [nio-8090-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter  : Set SecurityContextHolder to anonymous SecurityContext
2025-01-09T06:13:02.233-08:00 DEBUG 17686 --- [sample-auth-server] [nio-8090-exec-1] o.s.s.w.s.HttpSessionRequestCache        : Saved request http://localhost:8090/sample/oauth2/authorize?response_type=code&client_id=demo-client&scope=openid%20profile&redirect_uri=http://127.0.0.1:8090/sample/login/oauth2/code/demo-client&continue to session
2025-01-09T06:13:02.233-08:00 DEBUG 17686 --- [sample-auth-server] [nio-8090-exec-1] s.w.a.DelegatingAuthenticationEntryPoint : Trying to match using Or [Ant [pattern='/oauth2/token', POST], Ant [pattern='/oauth2/introspect', POST], Ant [pattern='/oauth2/revoke', POST], Ant [pattern='/oauth2/device_authorization', POST]]
2025-01-09T06:13:02.234-08:00 DEBUG 17686 --- [sample-auth-server] [nio-8090-exec-1] s.w.a.DelegatingAuthenticationEntryPoint : Trying to match using And [Not [RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]], MediaTypeRequestMatcher [contentNegotiationStrategy=org.springframework.web.accept.ContentNegotiationManager@6c368f1a, matchingMediaTypes=[application/xhtml+xml, image/*, text/html, text/plain], useEquals=false, ignoredMediaTypes=[*/*]]]
2025-01-09T06:13:02.235-08:00 DEBUG 17686 --- [sample-auth-server] [nio-8090-exec-1] s.w.a.DelegatingAuthenticationEntryPoint : Trying to match using Or [org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer$BearerTokenRequestMatcher@65cc5252, RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest], And [Not [MediaTypeRequestMatcher [contentNegotiationStrategy=org.springframework.web.accept.ContentNegotiationManager@6c368f1a, matchingMediaTypes=[text/html], useEquals=false, ignoredMediaTypes=[]]], MediaTypeRequestMatcher [contentNegotiationStrategy=org.springframework.web.accept.ContentNegotiationManager@6c368f1a, matchingMediaTypes=[application/atom+xml, application/x-www-form-urlencoded, application/json, application/octet-stream, application/xml, multipart/form-data, text/xml], useEquals=false, ignoredMediaTypes=[*/*]]], MediaTypeRequestMatcher [contentNegotiationStrategy=org.springframework.web.accept.ContentNegotiationManager@6c368f1a, matchingMediaTypes=[*/*], useEquals=true, ignoredMediaTypes=[]]]
2025-01-09T06:13:02.235-08:00 DEBUG 17686 --- [sample-auth-server] [nio-8090-exec-1] s.w.a.DelegatingAuthenticationEntryPoint : Match found! Executing org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationEntryPoint@1151d54b

Observations / Questions:

1. 401 Instead of 302: I’d expect a 302 redirect to the login form. Instead, I get 401.

2. Am I missing something in my HttpSecurity setup?

3. Endpoints Matcher: Confirmed that authorizationServerConfigurer.getEndpointsMatcher() should include /oauth2/authorize. Possibly it’s not recognized, or the flow is expecting a user session in a different chain.

4. Multiple Chains?: I tried to keep everything in one chain for the Authorization Server. Could that cause confusion with user login?

Any insight into why /oauth2/authorize returns 401—and how to properly redirect to the login form for Authorization Code—would be greatly appreciated.

Thanks in advance!

[jgrandja]

@tomotoyinbo I transferred this issue to this project since it should have been logged here instead of Spring Security.

Based on your logs:

Match found! Executing org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationEntryPoint@1151d54b

The request was processed by BearerTokenAuthenticationFilter (resourceServer()), which doesn't align with:

Below is an example Postman / cURL request:
curl -i -X GET
"http://localhost:8080/oauth2/authorize?response_type=code&client_id=demo-client&redirect_uri=http://127.0.0.1:8080/login/oauth2/code/demo-client&scope=openid profile"

It appears there is a misconfiguration in your application.

Please take a look at demo-authorizationserver for a full working sample.

Also, I would categorize this issue as a question which is better suited to Stack Overflow. We prefer to use GitHub issues only for bugs and enhancements.

[tomotoyinbo]

Thank you Joe for the update. I’d wrongly assumed this a defect rather than mis-configuration issue. Next time I’ll direct similar to StackOverflow.

…

On Tue, Feb 4, 2025 at 8:53 AM Joe Grandja ***@***.***> wrote: @tomotoyinbo <https://github.com/tomotoyinbo> I transferred this issue to this project since it should have been logged here instead of Spring Security <https://github.com/spring-projects/spring-security/issues>. Based on your logs: Match found! Executing ***@***.*** The request was processed by BearerTokenAuthenticationFilter ( resourceServer()), which doesn't align with: Below is an example Postman / cURL request: curl -i -X GET " http://localhost:8080/oauth2/authorize?response_type=code&client_id=demo-client&redirect_uri=http://127.0.0.1:8080/login/oauth2/code/demo-client&scope=openid profile" It appears there is a misconfiguration in your application. Please take a look at demo-authorizationserver <https://github.com/spring-projects/spring-authorization-server/blob/main/samples/README.adoc#demo-sample> for a full working sample. Also, I would categorize this issue as a question which is better suited to Stack Overflow <https://stackoverflow.com/questions/tagged/spring-authorization-server>. We prefer to use GitHub issues only for bugs and enhancements. — Reply to this email directly, view it on GitHub <#1893 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAK7DY6CUQOQALYRYCU6TMT2ODV65AVCNFSM6AAAAABWOZI2NWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDMMZUGUZTONRUGE> . You are receiving this because you were mentioned.Message ID: ***@***.*** .com>