OIDC Callback URL 404 - pac4j

Question

I am using https://github.com/pac4j/spring-webflux-pac4j-boot-demo to do an OIDC authentication with spring boot and webflux using pac4j. I am setting a OIDC client with a custom callback url.

When you visit /authenticate, you are taken to the IDP provider to login, after logging in, you are redirected to the callback URl. However, the callback url returns 404.

The default callback /callback is still working. If you try to send a GET request to /callback the logs how that the callback logic is executed. Why is the callback url change (using setCallbackUrl) not working?

2023-01-15 21:27:04.417 DEBUG 442814 --- [or-http-epoll-3] o.p.core.engine.DefaultCallbackLogic     : === CALLBACK ===
2023-01-15 21:27:05.995 DEBUG 442814 --- [or-http-epoll-3] o.p.core.engine.DefaultCallbackLogic     : foundClient: #OidcClient# |....
... 

Pac4jConfig.java [Original file here]

package io.company.auth;
import java.util.Optional;
import org.pac4j.core.client.Clients;
import org.pac4j.core.config.Config;
import org.pac4j.core.matching.matcher.PathMatcher;
import org.pac4j.springframework.web.SecurityFilter;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.server.WebFilter;
import org.pac4j.oidc.client.OidcClient;
import org.pac4j.oidc.config.OidcConfiguration;

@Configuration
// to define the callback and logout controllers
@ComponentScan(basePackages = "org.pac4j.springframework.web")
public class Pac4jConfig {
   @Bean
    public Config config() {
        OidcConfiguration config = new OidcConfiguration();
        config.setClientId("my_client_id");
        config.setSecret("my_secret");
        config.setDiscoveryURI("idp_dicovery_url");
        config.setScope("openid");
        config.setUseNonce(false);
        OidcClient oidcClient = new OidcClient(config);
        oidcClient.setName("ABCDapp");
        oidcClient.setCallbackUrl("http://localhost:8081/api/oidc/cb?client_name=abcd");
        final Clients clients = new Clients("http://localhost:8081/api/oidc/cb?client_name=abcd", oidcClient);
        return new Config(clients);
    }
    @Bean
    public WebFilter protectedFilter() {
        return SecurityFilter.build(config(), new PathMatcher().includePath("/authenticate"));
    }
}

Answer 1

The CallbackController is automatically set on the /callback endpoint. Though, you can change that with the pac4j.callback.path property. See: https://github.com/pac4j/spring-webflux-pac4j/blob/master/src/main/java/org/pac4j/springframework/web/CallbackController.java#L46