OAuth2Error when logged user tries to loggin again without logout

[belomx]

Summary

When loggin into my web application using oath2 (in this summary I will use google provider as example), it will reach the home page (fine) and then user press back in the browser, the page will be at the google's select user page to login, if the user select an user to "loggin again" and return to home page spring security will return an error.

Actual Behavior

Spring security is returning an error during the second loggin. Error at OAuth2LoginAuthenticationFilter:

OAuth2Error oauth2Error = new
OAuth2Error(AUTHORIZATION_REQUEST_NOT_FOUND_ERROR_CODE);
throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());

Expected Behavior

If the user selected in the second attempt is the same from the previous. And the session remains valid and not expired. The user could log into the system properly.

Configuration

http
// permit access to any resource, access restrictions are handled at the level of Vaadin views
.authorizeRequests()
.antMatchers("/Login","/","/login/**").permitAll().and()

	// disable CSRF (Cross-Site Request Forgery) since Vaadin implements its own mechanism for this
	.csrf().disable()
	.oauth2Login()
	.loginPage("/login")
	.authorizationEndpoint()
	.baseUri("/oauth2/authorize-client")
	.authorizationRequestRepository(authorizationRequestRepository())
	.and()
	.tokenEndpoint()
	.accessTokenResponseClient(accessTokenResponseClient())
	.and()
	.defaultSuccessUrl("/home")
	.failureUrl("/error")
	.and().sessionManagement().sessionFixation().newSession()
	;

Version

5.2.1.RELEASE

[jgrandja]

@belomx

it will reach the home page (fine) and then user press back in the browser, the page will be at the google's select user page to login, if the user select an user to "loggin again" and return to home page spring security will return an error

This flow is invalid and the reported error is expected. When you press the back button after a successful authentication, and attempt to re-login from Google's authentication form, the subsequent request (Authorization Response) to the client application will receive the same code parameter that was used in the previous authentication flow. The code (authorization_code) is a temporary credential that can be used one-time only, hence, the AUTHORIZATION_REQUEST_NOT_FOUND error.

I'm going to close this issue since the behaviour is expected.

[iilkevych]

@jgrandja

The code (authorization_code) is a temporary credential that can be used one-time only, hence, the AUTHORIZATION_REQUEST_NOT_FOUND error.

The problem is not in authorization_code. AuthenticationWebFilter has authenticationFailureHandler to handle invalid authentication(authorization_code). OidcAuthorizationCodeReactiveAuthenticationManager throws OAuth2AuthenticationException which is AuthenticationException and browser is redirected to /login?error

The problem is in

1. ServerOAuth2AuthorizationCodeAuthenticationTokenConverter it throws OAuth2AuthorizationException and
2. AuthenticationWebFilter doesn't handle any errors from ServerAuthenticationConverter

Only one ServerAuthenticationConverter implementation will redirect browser to login page
ServerHttpBasicAuthenticationConverter cause it return Mono.empty() in case of any authentication problem