OAuth2AuthorizationCodeGrantWebFilter should handle OAuth2AuthorizationException

[wjlc]

@jgrandja

The code (authorization_code) is a temporary credential that can be used one-time only, hence, the AUTHORIZATION_REQUEST_NOT_FOUND error.

The problem is not in authorization_code. AuthenticationWebFilter has authenticationFailureHandler to handle invalid authentication(authorization_code). OidcAuthorizationCodeReactiveAuthenticationManager throws OAuth2AuthenticationException which is AuthenticationException and browser is redirected to /login?error

The problem is in

1. ServerOAuth2AuthorizationCodeAuthenticationTokenConverter it throws OAuth2AuthorizationException and
2. AuthenticationWebFilter doesn't handle any errors from ServerAuthenticationConverter

Only one ServerAuthenticationConverter implementation will redirect browser to login page
ServerHttpBasicAuthenticationConverter cause it return Mono.empty() in case of any authentication problem

Originally posted by @iilkevych in #7884 (comment)

[wjlc]

#7884 (comment)

[iilkevych]

Some ReactiveAuthenticationManager implementations also can throw OAuth2AuthorizationException It seems to be right to check all them in AuthenticationWebFilter using one base exception AccessDeniedException
Which is actually handled already

[jgrandja]

@wjlc @iilkevych Thank you for this report.

The issue is in OAuth2AuthorizationCodeGrantWebFilter as it does not handle OAuth2AuthorizationException, which can be thrown by ServerOAuth2AuthorizationCodeAuthenticationTokenConverter.

The fix should be in OAuth2AuthorizationCodeGrantWebFilter to handle OAuth2AuthorizationException and delegate to authenticationFailureHandler on errors.

Would either of you be interested in submitting a PR for this?

[wjlc]

@shazin This is not the correct place for the fix. plz check the issue and replicate it. https://github.com/spring-projects/spring-security/issues/7884#issue-558408713

[wjlc]

@jgrandja
OAuth2AuthorizationCodeGrantWebFilter is just used in ServerHttpSecurity. OAuth2Client, it's just a case.

but my WebFluxSecurityConfig like this:
......
.and()
.oauth2Login()
.authenticationSuccessHandler(new CustomAuthenticationSuccessHandler())
......

oauth2Login() configured OAuth2LoginAuthenticationWebFilter that extends AuthenticationWebFilter.

AuthenticationWebFilter only handle AuthenticationException now, that should also handle OAuth2AuthorizationException.
The bad thing is they're in different packages and no inheritance relationship between OAuth2AuthorizationException and AuthenticationException.

[jgrandja]

@wjlc Thanks for the feedback.

It looks like ServerOAuth2AuthorizationCodeAuthenticationTokenConverter should throw OAuth2AuthenticationException instead of OAuth2AuthorizationException. Let me think this one through but I think that is what needs to change.