Fix MVC OAuth2AuthorizationRequestResolver to use correct "login" action for redirect URI

chanbinme · chanbinme · commit c27061d30510 · 2025-08-20T00:18:39.000+09:00
- Changed DefaultOAuth2AuthorizationRequestResolver.resolve(HttpServletRequest, String) to always use "login" as the redirect URI action instead of "authorize".
- This aligns URI generation with Reactive stack behavior, fixing inconsistent OAuth2 login redirect URIs between MVC and Reactive.
- Resolves authentication errors and token relay issues caused by incorrect URI paths.

Signed-off-by: chanbinme &lt;gksmfcksqls@gmail.com&gt;
diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/DefaultOAuth2AuthorizationRequestResolver.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/DefaultOAuth2AuthorizationRequestResolver.java
@@ -132,7 +132,7 @@ public OAuth2AuthorizationRequest resolve(HttpServletRequest request, String reg
 		if (registrationId == null) {
 			return null;
 		}
-		String redirectUriAction = getAction(request, "authorize");
+		String redirectUriAction = getAction(request, "login");
 		return resolve(request, registrationId, redirectUriAction);
 	}
 
diff --git a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/DefaultOAuth2AuthorizationRequestResolverTests.java b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/DefaultOAuth2AuthorizationRequestResolverTests.java
@@ -307,7 +307,7 @@ public void resolveWhenClientAuthorizationRequiredExceptionAvailableThenRedirect
 		assertThat(authorizationRequest.getAuthorizationRequestUri())
 			.matches("https://example.com/login/oauth/authorize\\?" + "response_type=code&client_id=client-id&"
 					+ "scope=read:user&state=.{15,}&"
-					+ "redirect_uri=http://localhost/authorize/oauth2/code/registration-id");
+					+ "redirect_uri=http://localhost/login/oauth2/code/registration-id");
 	}
 
 	@Test
diff --git a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectFilterTests.java b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectFilterTests.java
@@ -231,7 +231,7 @@ public void doFilterWhenNotAuthorizationRequestAndClientAuthorizationRequiredExc
 		verify(filterChain).doFilter(any(HttpServletRequest.class), any(HttpServletResponse.class));
 		assertThat(response.getRedirectedUrl()).matches("https://example.com/login/oauth/authorize\\?"
 				+ "response_type=code&client_id=client-id&" + "scope=read:user&state=.{15,}&"
-				+ "redirect_uri=http://localhost/authorize/oauth2/code/registration-id");
+				+ "redirect_uri=http://localhost/login/oauth2/code/registration-id");
 		verify(this.requestCache).saveRequest(any(HttpServletRequest.class), any(HttpServletResponse.class));
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -132,7 +132,7 @@ public OAuth2AuthorizationRequest resolve(HttpServletRequest request, String reg`
`132`	`132`	`if (registrationId == null) {`
`133`	`133`	`return null;`
`134`	`134`	`}`
`135`		`- String redirectUriAction = getAction(request, "authorize");`
	`135`	`+ String redirectUriAction = getAction(request, "login");`
`136`	`136`	`return resolve(request, registrationId, redirectUriAction);`
`137`	`137`	`}`
`138`	`138`
Original file line number	Diff line number	Diff line change
`@@ -307,7 +307,7 @@ public void resolveWhenClientAuthorizationRequiredExceptionAvailableThenRedirect`
`307`	`307`	`assertThat(authorizationRequest.getAuthorizationRequestUri())`
`308`	`308`	`.matches("https://example.com/login/oauth/authorize\\?" + "response_type=code&client_id=client-id&"`
`309`	`309`	`+ "scope=read:user&state=.{15,}&"`
`310`		`- + "redirect_uri=http://localhost/authorize/oauth2/code/registration-id");`
	`310`	`+ + "redirect_uri=http://localhost/login/oauth2/code/registration-id");`
`311`	`311`	`}`
`312`	`312`
`313`	`313`	`@Test`
Original file line number	Diff line number	Diff line change
`@@ -231,7 +231,7 @@ public void doFilterWhenNotAuthorizationRequestAndClientAuthorizationRequiredExc`
`231`	`231`	`verify(filterChain).doFilter(any(HttpServletRequest.class), any(HttpServletResponse.class));`
`232`	`232`	`assertThat(response.getRedirectedUrl()).matches("https://example.com/login/oauth/authorize\\?"`
`233`	`233`	`+ "response_type=code&client_id=client-id&" + "scope=read:user&state=.{15,}&"`
`234`		`- + "redirect_uri=http://localhost/authorize/oauth2/code/registration-id");`
	`234`	`+ + "redirect_uri=http://localhost/login/oauth2/code/registration-id");`
`235`	`235`	`verify(this.requestCache).saveRequest(any(HttpServletRequest.class), any(HttpServletResponse.class));`
`236`	`236`	`}`
`237`	`237`