Redirect to OAuth2 login page in Spring MVC with Spring Security 6

Question

I have an Spring MVC jsf application. Each page/endpoint requests are secured with customAuthorizationManager.

I'm trying to redirect any unauthenticated/unauthorized request to our OAuth2 server's login page (https://xxx/op/v1/auth).

@Configuration
@EnableWebSecurity
public class SecurityConfiguration {

    .....

    @Bean
    @Order(1)
    public SecurityFilterChain filterChain1(HttpSecurity http) throws Exception {
        http
                .authorizeHttpRequests(authorizeRequests ->
                        authorizeRequests.anyRequest().access(customAuthorizationManager)
                )
                // Redirect to the OAuth 2.0 Login endpoint when not authenticated from the authorization endpoint
                .exceptionHandling(exceptions -> exceptions
                        .defaultAuthenticationEntryPointFor(
                                new LoginUrlAuthenticationEntryPoint("https://xxx/op/v1/auth"),
                                new MediaTypeRequestMatcher(MediaType.TEXT_HTML)
                        )
                );

        return http.build();
    }

    @Bean
    @Order(2)
    public SecurityFilterChain filterChain2(HttpSecurity http) throws Exception {
        http
                // OAuth2 Login handles the redirect to the OAuth 2.0 Login endpoint from the authorization server filter chain above
                .oauth2Login(Customizer.withDefaults())
                .oauth2Client(c -> this.customClientRegistration());

        return http.build();
    }

    @Bean
    public ClientRegistrationRepository clientRegistrationRepository() {
        return new InMemoryClientRegistrationRepository(this.customClientRegistration());
    }

    private ClientRegistration customClientRegistration() {
        return ClientRegistration
                .withRegistrationId("my-combined-client")
                .clientId("4d06125e-xxx")
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .redirectUri("https://xxx")
                .authorizationUri("https://xxx/op/v1/auth")
                .tokenUri("https://xxx/op/v1/token")
                .userInfoUri("https://xxx/op/v1/userinfo")
                .jwkSetUri("https://xxx/op/v1/keys")
                .build();
    }

}

I see that an unauthorized request is rejected and redirected to the login page fine but not with the right client-id as defined in customClientRegistration (4d06125e-xxx)

So, could you please help me with the redirection of these unauthenticated/unauthorized requests to the external OAuth login page?

---

UPDATE 1 @ch4mp 's comment

I've removed the second filter and append his content into the first but the result is the same:

@Bean
@Order(1)
public SecurityFilterChain filter1(HttpSecurity http) throws Exception {
    http
            .authorizeHttpRequests(authorizeRequests ->
                    authorizeRequests.anyRequest().access(customAuthorizationManager)
            )
            // Redirect to the OAuth 2.0 Login endpoint when not authenticated from the authorization endpoint
            .exceptionHandling(exceptions -> exceptions
                    .defaultAuthenticationEntryPointFor(
                            new LoginUrlAuthenticationEntryPoint("https://xxx/op/v1/auth"),
                            new MediaTypeRequestMatcher(MediaType.TEXT_HTML)
                    )
            )
            .oauth2Login(Customizer.withDefaults())
            .oauth2Client(c -> this.customClientRegistration());

    return http.build();
}

/*@Bean
@Order(2)
public SecurityFilterChain filter2(HttpSecurity http) throws Exception {
    http
            // OAuth2 Login handles the redirect to the OAuth 2.0 Login endpoint from the authorization server filter chain above
            .oauth2Login(Customizer.withDefaults())
            .oauth2Client(c -> this.customClientRegistration());

    return http.build();
}*/

---

UPDATE 2 @ch4mp 's answer

@Bean
@Order(1)
public SecurityFilterChain filter1(HttpSecurity http) throws Exception {
    http
            .authorizeHttpRequests(authorizeRequests ->
                    authorizeRequests.anyRequest().access(customAuthorizationManager)
            )
            // Redirect to the OAuth 2.0 Login endpoint when not authenticated from the authorization endpoint
            /*.exceptionHandling(exceptions -> exceptions
                    .defaultAuthenticationEntryPointFor(
                            new LoginUrlAuthenticationEntryPoint("https://xxx/op/v1/auth"),
                            new MediaTypeRequestMatcher(MediaType.TEXT_HTML)
                    )
            )*/
            .oauth2Login(Customizer.withDefaults())
            .oauth2Client(c -> this.customClientRegistration());

    return http.build();
}

I've removed the .exceptionHandling . It does a request to https://myAppPath/oauth2/authorization/my-combined-client instead of to the server defined in the client https://xxx/op/v1/auth. So 404.

Answer 1

Remove your exceptionHandling.

The first request in an authorization-code flow is to the OAuth2 client for it to setup the session, nonce, state, etc. The OAuth2 client will redirect the user to the authorization server "authorization" endpoint and wait until he comes back with an authorization-code.