
Fix inconsistent OAuth2 login redirect URI action in MVC stack #17770


Open
wants to merge 1 commit into
base: main

@chanbinme (Contributor) commented Aug 19, 2025

This PR fixes an inconsistency in the Spring Security OAuth2 client where the MVC stack generates an incorrect OAuth2 login redirect URI due to using "authorize" as the default action, unlike the Reactive stack which uses "login".

Closes: gh-16941

Problem

  • The existing MVC implementation (DefaultOAuth2AuthorizationRequestResolver) sets the redirect URI action to "authorize", resulting in URIs like /authorize/oauth2/code/{registrationId}.
  • The Reactive implementation uses "login", producing the correct URI /login/oauth2/code/{registrationId}.

Changes

  • Modified resolve(HttpServletRequest, String) method in MVC resolver to always use "login" as the redirect URI action.
  • Removed redundant client registration and grant type validation here, assuming they are handled downstream.

Before:

```java
@Override
public OAuth2AuthorizationRequest resolve(HttpServletRequest request, String registrationId) {
    if (registrationId == null) {
        return null;
    }
    String redirectUriAction = getAction(request, "authorize");
    return resolve(request, registrationId, redirectUriAction);
}
```

After:

```java
@Override
public OAuth2AuthorizationRequest resolve(HttpServletRequest request, String registrationId) {
    if (registrationId == null) {
        return null;
    }
    String redirectUriAction = getAction(request, "login");
    return resolve(request, registrationId, redirectUriAction);
}
```
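
Review bot: in the After snippet, "login" is only the fallback argument to getAction(request, "login"), which the description itself calls the default action, so the Changes claim that this method will "always use login" is stronger than what the code shows; either reword the description or explain why a request-supplied action cannot reach this overload. The Changes list also says client registration and grant type validation were removed, but neither snippet contains such checks, so that removal cannot be reviewed from what is posted; please show that part of the diff and name where downstream the validation is enforced rather than assuming it. Because the new default alters the redirect_uri produced for any registration relying on it, a test asserting the resolved URI for this overload, plus a migration note for applications that registered /authorize/oauth2/code/{registrationId} with their provider, would make the behavior change explicit.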

Impact & Benefits

  • Ensures uniform OAuth2 login redirect URI format across MVC and Reactive stacks.

Please review and provide feedback. Thank you.

@spring-projects-issues added the "status: waiting-for-triage" (An issue we've not yet triaged) label Aug 19, 2025
…ion for redirect URI

- Changed DefaultOAuth2AuthorizationRequestResolver.resolve(HttpServletRequest, String) to always use "login" as the redirect URI action instead of "authorize".
- This aligns URI generation with Reactive stack behavior, fixing inconsistent OAuth2 login redirect URIs between MVC and Reactive.
- Resolves authentication errors and token relay issues caused by incorrect URI paths.

Signed-off-by: chanbinme <gksmfcksqls@gmail.com>
@chanbinme force-pushed the feat/oauth2-fix-mvc-reactive-login-consistency branch from 6ddf153 to c27061d, August 19, 2025 15:18

@chanbinme changed the title from "Fix inconsistent OAuth2 login redirect URI action in MVC stack (#16941)" to "Fix inconsistent OAuth2 login redirect URI action in MVC stack", Aug 19, 2025

Successfully merging this pull request may close these issues.

OAuth2Login behaves differently in MVC and Reactive