seeun0210

Summary

This PR fixes the issue where OAuth2LoginConfigurer was not properly supporting ObjectPostProcessor<AuthenticationProvider> decoration due to type casting issues.

Problem

Currently, the postProcess method in OAuth2LoginConfigurer returns concrete types (OAuth2LoginAuthenticationProvider and OidcAuthorizationCodeAuthenticationProvider) instead of the AuthenticationProvider interface. This makes it difficult for users to decorate these providers with custom ObjectPostProcessor implementations.

Solution

  • Cast the result of postProcess() to the AuthenticationProvider interface in both the OAuth2 and OIDC authentication provider registrations
  • This enables users to apply custom ObjectPostProcessor<AuthenticationProvider> implementations
  • Added comprehensive test coverage for OIDC AuthenticationProvider postProcess functionality

Changes

Code Changes

  • File: config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurer.java
  • Lines 347 & 368: Added explicit casting to the AuthenticationProvider interface
// Before
http.authenticationProvider(this.postProcess(oauth2LoginAuthenticationProvider));
http.authenticationProvider(this.postProcess(oidcAuthorizationCodeAuthenticationProvider));

// After  
http.authenticationProvider((AuthenticationProvider) this.postProcess(oauth2LoginAuthenticationProvider));
http.authenticationProvider((AuthenticationProvider) this.postProcess(oidcAuthorizationCodeAuthenticationProvider));

Test Changes

  • File: config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurerTests.java
  • Added oauth2LoginWhenOidcAuthenticationProviderPostProcessorThenUses() test method
  • Added OAuth2LoginConfigCustomWithOidcPostProcessor test configuration class
  • Added OidcSpyObjectPostProcessor for testing OIDC provider decoration

Benefits

This change enables developers to:

  • Add pre/post authentication logic
  • Implement custom security validations
  • Add logging and monitoring capabilities
  • Apply cross-cutting concerns like caching or rate limiting
  • Decorate OAuth2 and OIDC authentication providers with custom logic

Testing

  • Existing tests continue to pass
  • New test verifies OIDC AuthenticationProvider postProcess functionality
  • Test uses Mockito spy to verify that the postProcess method is called correctly

Related Issue

Closes gh-17357

- Cast postProcess result to AuthenticationProvider interface
- Enables custom ObjectPostProcessor implementations for OAuth2 and OIDC authentication providers
- Add test for OIDC AuthenticationProvider postProcess functionality

Closes spring-projectsgh-17357

Signed-off-by: seeun0210 <[email protected]>
spring-projects-issues added the "status: waiting-for-triage" label (an issue we've not yet triaged) on Sep 26, 2025
Successfully merging this pull request may close these issues.

Oauth2: add ability to decorate AuthenticationProvider when using OAuth2LoginConfigurer