Authorization Code Grant flow should support AccessToken only #4513

Closed
@jgrandja

Description

The AuthorizationCodeAuthenticationProcessingFilter currently supports the oauth2Login feature. It handles the Authorization Response callback and processes it with its collaborators in the following step sequence:

  1. Exchanges the AuthorizationCode Grant for an AccessToken
  2. Then calls the OAuth2UserService to load the Principal information and ultimately authenticate the session

Step 2 is not specified as part of the Authorization Code Grant flow in the OAuth 2.0 spec. However, we need this step in order to realize the oauth2Login feature.

But we also need to support the Authorization Code Grant flow as per spec for cases where the Authorized client needs to fetch a new AccessToken to access other protected resources (after the end-user has authenticated).

In order to support this, AuthorizationCodeAuthenticationProcessingFilter and AuthorizationCodeAuthenticationProvider will need to be refactored.
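As an added illustration (not Spring Security's own code), the two steps described above modelled as separate functions, with a constructed in-memory token endpoint standing in for the provider: step 1 is the spec-defined code-for-token exchange and is usable on its own to fetch a fresh AccessToken, while step 2 loads the principal and is only needed by the login flow. The client credentials, redirect URI and scopes are assumed sample values.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional
import secrets

@dataclass(frozen=True)
class AccessToken:
    token_value: str
    token_type: str
    expires_in: int
    scopes: frozenset

@dataclass(frozen=True)
class ExchangeResult:
    token: Optional[AccessToken] = None
    error: Optional[str] = None  # RFC 6749 section 5.2 error code when the exchange fails

class TokenEndpoint:
    """Constructed stand-in for the provider's token endpoint; not a real HTTP client."""
    def __init__(self, client_id: str, client_secret: str):
        self.client_id, self.client_secret = client_id, client_secret
        self.codes: Dict[str, tuple] = {}  # code -> (redirect_uri, scopes)

    def issue_code(self, redirect_uri: str, scopes) -> str:
        code = secrets.token_urlsafe(16)
        self.codes[code] = (redirect_uri, frozenset(scopes))
        return code

    def exchange(self, params: Dict[str, str], client_id: str, client_secret: str) -> Dict[str, object]:
        if (client_id, client_secret) != (self.client_id, self.client_secret):
            return {"error": "invalid_client"}
        if params.get("grant_type") != "authorization_code":
            return {"error": "unsupported_grant_type"}
        entry = self.codes.pop(params.get("code", ""), None)  # single use: consumed even on mismatch
        if entry is None or entry[0] != params.get("redirect_uri"):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
                "expires_in": 3600, "scope": " ".join(sorted(entry[1]))}

def exchange_code_for_token(endpoint, client_id, client_secret, code, redirect_uri) -> ExchangeResult:
    """Step 1 on its own: the grant exchange of RFC 6749 section 4.1.3, reusable without step 2."""
    resp = endpoint.exchange({"grant_type": "authorization_code", "code": code,
                              "redirect_uri": redirect_uri}, client_id, client_secret)
    if "error" in resp:
        return ExchangeResult(error=str(resp["error"]))
    return ExchangeResult(token=AccessToken(str(resp["access_token"]), str(resp["token_type"]),
                                            int(resp["expires_in"]), frozenset(str(resp["scope"]).split())))

def load_user(token: AccessToken, user_service: Callable[[str], dict]) -> dict:
    """Step 2, kept separate: only the login flow needs to load the principal."""
    if token.token_type.lower() != "bearer":
        raise ValueError("unsupported token type: " + token.token_type)
    return user_service(token.token_value)
```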

Metadata

Labels

in: oauth2An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)
