Additional changes based on Rob's feedback:

- Renamed OneTimeTokenAuthenticationRequestSuccessHandler to GeneratedOneTimeTokenSuccessHandler because there is no authentication request, it is a token generation request.
- Renamed all classes containing AuthenticationRequest to Generate, for the same reasons above
- Removed OneTimeTokenSender. While this interface seems reasonable, it is more useful to use the GeneratedOneTimeTokenSuccessHandler for sending the token because the API has access to more parameters (request, response) than just the OneTimeToken.
- Updated the docs based on the changes

Author: marcusdacoregio

config/src/main/java/org/springframework/security/config/annotation/web/builders/FilterOrderRegistration.java

@@ -30,7 +30,7 @@
 import org.springframework.security.web.authentication.AuthenticationFilter;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.security.web.authentication.logout.LogoutFilter;
-import org.springframework.security.web.authentication.ott.OneTimeTokenAuthenticationRequestFilter;
+import org.springframework.security.web.authentication.ott.OneTimeTokenGenerateFilter;
 import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
 import org.springframework.security.web.authentication.preauth.x509.X509AuthenticationFilter;
 import org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter;
@@ -90,7 +90,7 @@ final class FilterOrderRegistration {
 		this.filterToOrder.put(
 				"org.springframework.security.saml2.provider.service.web.Saml2WebSsoAuthenticationRequestFilter",
 				order.next());
-		put(OneTimeTokenAuthenticationRequestFilter.class, order.next());
+		put(OneTimeTokenGenerateFilter.class, order.next());
 		put(X509AuthenticationFilter.class, order.next());
 		put(AbstractPreAuthenticatedProcessingFilter.class, order.next());
 		this.filterToOrder.put("org.springframework.security.cas.web.CasAuthenticationFilter", order.next());

config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java

@@ -3000,10 +3000,6 @@ public HttpSecurity oauth2ResourceServer(
 	 * 	}
 	 * }
 	 * </pre>
-	 *
-	 * Note that a
-	 * {@link org.springframework.security.authentication.ott.OneTimeTokenSender} is
-	 * required to enable this support.
 	 * @param oneTimeTokenLoginConfigurerCustomizer the {@link Customizer} to provide more
 	 * options for the {@link OneTimeTokenLoginConfigurer}
 	 * @return the {@link HttpSecurity} for further customizations

config/src/main/java/org/springframework/security/config/annotation/web/configurers/ott/OneTimeTokenLoginConfigurer.java

@@ -31,7 +31,7 @@
 import org.springframework.security.authentication.ott.InMemoryOneTimeTokenService;
 import org.springframework.security.authentication.ott.OneTimeToken;
 import org.springframework.security.authentication.ott.OneTimeTokenAuthenticationProvider;
-import org.springframework.security.authentication.ott.OneTimeTokenSender;
+import org.springframework.security.authentication.ott.OneTimeTokenGenerateRequest;
 import org.springframework.security.authentication.ott.OneTimeTokenService;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
@@ -44,12 +44,12 @@
 import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
 import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
 import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
+import org.springframework.security.web.authentication.ott.GeneratedOneTimeTokenSuccessHandler;
 import org.springframework.security.web.authentication.ott.OneTimeTokenAuthenticationConverter;
-import org.springframework.security.web.authentication.ott.OneTimeTokenAuthenticationRequestFilter;
-import org.springframework.security.web.authentication.ott.OneTimeTokenAuthenticationRequestResolver;
-import org.springframework.security.web.authentication.ott.OneTimeTokenAuthenticationRequestSuccessHandler;
-import org.springframework.security.web.authentication.ott.RedirectOneTimeTokenAuthenticationRequestSuccessHandler;
-import org.springframework.security.web.authentication.ott.RequestParameterOneTimeTokenAuthenticationRequestResolver;
+import org.springframework.security.web.authentication.ott.OneTimeTokenGenerateFilter;
+import org.springframework.security.web.authentication.ott.OneTimeTokenGenerateRequestResolver;
+import org.springframework.security.web.authentication.ott.RedirectGeneratedOneTimeTokenSuccessHandler;
+import org.springframework.security.web.authentication.ott.RequestParameterOneTimeTokenGenerateRequestResolver;
 import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter;
 import org.springframework.security.web.authentication.ui.DefaultOneTimeTokenSubmitPageGeneratingFilter;
 import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
@@ -63,6 +63,9 @@
 public final class OneTimeTokenLoginConfigurer<H extends HttpSecurityBuilder<H>>
 		extends AbstractHttpConfigurer<OneTimeTokenLoginConfigurer<H>, H> {
 
+	private static final RedirectGeneratedOneTimeTokenSuccessHandler DEFAULT_GENERATED_OTT_SUCCESS_HANDLER = new RedirectGeneratedOneTimeTokenSuccessHandler(
+			"/login/ott");
+
 	private final Log logger = LogFactory.getLog(getClass());
 
 	private final ApplicationContext context;
@@ -75,22 +78,19 @@ public final class OneTimeTokenLoginConfigurer<H extends HttpSecurityBuilder<H>>
 
 	private AuthenticationSuccessHandler authenticationSuccessHandler = new SavedRequestAwareAuthenticationSuccessHandler();
 
-	private OneTimeTokenSender oneTimeTokenSender;
-
 	private String submitPageUrl = "/login/ott";
 
 	private boolean submitPageEnabled = true;
 
 	private String loginProcessingUrl = "/login/ott";
 
-	private String authenticationRequestUrl = "/ott/authenticate";
+	private String generateUrl = "/ott/generate";
 
-	private OneTimeTokenAuthenticationRequestSuccessHandler authenticationRequestSuccessHandler = new RedirectOneTimeTokenAuthenticationRequestSuccessHandler(
-			"/login/ott");
+	private GeneratedOneTimeTokenSuccessHandler generatedOneTimeTokenSuccessHandler = DEFAULT_GENERATED_OTT_SUCCESS_HANDLER;
 
 	private AuthenticationProvider authenticationProvider;
 
-	private OneTimeTokenAuthenticationRequestResolver authenticationRequestResolver = new RequestParameterOneTimeTokenAuthenticationRequestResolver();
+	private OneTimeTokenGenerateRequestResolver oneTimeTokenGenerateRequestResolver = new RequestParameterOneTimeTokenGenerateRequestResolver();
 
 	public OneTimeTokenLoginConfigurer(ApplicationContext context) {
 		this.context = context;
@@ -110,7 +110,7 @@ private void configureDefaultLoginPage(H http) {
 			return;
 		}
 		loginPageGeneratingFilter.setOneTimeTokenEnabled(true);
-		loginPageGeneratingFilter.setOneTimeTokenAuthenticationRequestUrl(this.authenticationRequestUrl);
+		loginPageGeneratingFilter.setOneTimeTokenAuthenticationRequestUrl(this.generateUrl);
 		if (this.authenticationFailureHandler == null
 				&& StringUtils.hasText(loginPageGeneratingFilter.getLoginPageUrl())) {
 			this.authenticationFailureHandler = new SimpleUrlAuthenticationFailureHandler(
@@ -121,7 +121,7 @@ private void configureDefaultLoginPage(H http) {
 	@Override
 	public void configure(H http) {
 		configureSubmitPage(http);
-		configureOttAuthenticationRequestFilter(http);
+		configureOttGenerateFilter(http);
 		configureOttAuthenticationFilter(http);
 	}
 
@@ -144,13 +144,24 @@ private SecurityContextRepository getSecurityContextRepository(H http) {
 		return new HttpSessionSecurityContextRepository();
 	}
 
-	private void configureOttAuthenticationRequestFilter(H http) {
-		OneTimeTokenAuthenticationRequestFilter authenticationRequestFilter = new OneTimeTokenAuthenticationRequestFilter(
-				getOneTimeTokenService(http), getOneTimeTokenSender(http));
-		authenticationRequestFilter.setAuthenticationRequestResolver(this.authenticationRequestResolver);
-		authenticationRequestFilter.setAuthenticationRequestSuccessHandler(this.authenticationRequestSuccessHandler);
-		authenticationRequestFilter.setRequestMatcher(antMatcher(HttpMethod.POST, this.authenticationRequestUrl));
-		http.addFilter(postProcess(authenticationRequestFilter));
+	private void configureOttGenerateFilter(H http) {
+		OneTimeTokenGenerateFilter generateFilter = new OneTimeTokenGenerateFilter(getOneTimeTokenService(http));
+		generateFilter.setOneTimeTokenGenerateRequestResolver(this.oneTimeTokenGenerateRequestResolver);
+		generateFilter.setGeneratedOneTimeTokenSuccessHandler(getGeneratedOneTimeTokenSuccessHandler());
+		generateFilter.setRequestMatcher(antMatcher(HttpMethod.POST, this.generateUrl));
+		http.addFilter(postProcess(generateFilter));
+	}
+
+	private GeneratedOneTimeTokenSuccessHandler getGeneratedOneTimeTokenSuccessHandler() {
+		if (this.generatedOneTimeTokenSuccessHandler == DEFAULT_GENERATED_OTT_SUCCESS_HANDLER) {
+			this.logger
+				.debug("""
+						Using RedirectGeneratedOneTimeTokenSuccessHandler as the default GeneratedOneTimeTokenSuccessHandler.
+						Note that this implementation does not send the one-time token to the user, therefore, consider
+						providing your own implementation.
+						""");
+		}
+		return this.generatedOneTimeTokenSuccessHandler;
 	}
 
 	private void configureSubmitPage(H http) {
@@ -175,15 +186,15 @@ private AuthenticationProvider getAuthenticationProvider(H http) {
 	}
 
 	/**
-	 * Specifies the {@link OneTimeTokenAuthenticationRequestResolver} to use to resolve a
-	 * {@link org.springframework.security.authentication.ott.OneTimeTokenAuthenticationRequest}.
-	 * Defaults to {@link RequestParameterOneTimeTokenAuthenticationRequestResolver}
-	 * @param authenticationRequestResolver
+	 * Specifies the {@link OneTimeTokenGenerateRequestResolver} to use to resolve a
+	 * {@link OneTimeTokenGenerateRequest}. Defaults to
+	 * {@link RequestParameterOneTimeTokenGenerateRequestResolver}
+	 * @param oneTimeTokenGenerateRequestResolver
 	 */
-	public OneTimeTokenLoginConfigurer<H> authenticationRequestResolver(
-			OneTimeTokenAuthenticationRequestResolver authenticationRequestResolver) {
-		Assert.notNull(authenticationRequestResolver, "authenticationRequestResolver cannot be null");
-		this.authenticationRequestResolver = authenticationRequestResolver;
+	public OneTimeTokenLoginConfigurer<H> oneTimeTokenGenerationRequestResolver(
+			OneTimeTokenGenerateRequestResolver oneTimeTokenGenerateRequestResolver) {
+		Assert.notNull(oneTimeTokenGenerateRequestResolver, "oneTimeTokenGenerationRequestResolver cannot be null");
+		this.oneTimeTokenGenerateRequestResolver = oneTimeTokenGenerateRequestResolver;
 		return this;
 	}
 
@@ -198,26 +209,28 @@ public OneTimeTokenLoginConfigurer<H> authenticationProvider(AuthenticationProvi
 	}
 
 	/**
-	 * Specifies the URL that a One-Time Token authentication request will be processed.
-	 * Defaults to {@code POST /ott/authenticate}.
-	 * @param authenticationRequestUrl
+	 * Specifies the URL that a One-Time Token generate request will be processed.
+	 * Defaults to {@code POST /ott/generate}.
+	 * @param generateUrl
 	 */
-	public OneTimeTokenLoginConfigurer<H> authenticationRequestUrl(String authenticationRequestUrl) {
-		Assert.hasText(authenticationRequestUrl, "authenticationRequestUrl cannot be null or empty");
-		this.authenticationRequestUrl = authenticationRequestUrl;
+	public OneTimeTokenLoginConfigurer<H> generateUrl(String generateUrl) {
+		Assert.hasText(generateUrl, "generateUrl cannot be null or empty");
+		this.generateUrl = generateUrl;
 		return this;
 	}
 
 	/**
-	 * Specifies strategy to be used for successful one-time token authentication
-	 * requests. By default, a redirect will be performed to {@code POST /login/ott} using
-	 * the {@link RedirectOneTimeTokenAuthenticationRequestSuccessHandler}.
-	 * @param authenticationRequestSuccessHandler
+	 * Specifies strategy to be used for successful generated one-time tokens. By default,
+	 * a redirect will be performed to {@code POST /login/ott} using the
+	 * {@link RedirectGeneratedOneTimeTokenSuccessHandler}. It is often needed to provide
+	 * your own implementation of this interface so the one-time token is also delivered
+	 * to the user.
+	 * @param generatedOneTimeTokenSuccessHandler
 	 */
-	public OneTimeTokenLoginConfigurer<H> authenticationRequestSuccessHandler(
-			OneTimeTokenAuthenticationRequestSuccessHandler authenticationRequestSuccessHandler) {
-		Assert.notNull(authenticationRequestSuccessHandler, "authenticationRequestSuccessHandler cannot be null");
-		this.authenticationRequestSuccessHandler = authenticationRequestSuccessHandler;
+	public OneTimeTokenLoginConfigurer<H> generatedOneTimeTokenSuccessHandler(
+			GeneratedOneTimeTokenSuccessHandler generatedOneTimeTokenSuccessHandler) {
+		Assert.notNull(generatedOneTimeTokenSuccessHandler, "generatedOneTimeTokenSuccessHandler cannot be null");
+		this.generatedOneTimeTokenSuccessHandler = generatedOneTimeTokenSuccessHandler;
 		return this;
 	}
 
@@ -257,17 +270,6 @@ public OneTimeTokenLoginConfigurer<H> submitPageUrl(String submitPageUrl) {
 		return this;
 	}
 
-	/**
-	 * Specifies the {@link OneTimeTokenSender} to send the generated {@link OneTimeToken}
-	 * to the user
-	 * @param oneTimeTokenSender
-	 */
-	public OneTimeTokenLoginConfigurer<H> oneTimeTokenSender(OneTimeTokenSender oneTimeTokenSender) {
-		Assert.notNull(oneTimeTokenSender, "oneTimeTokenSender cannot be null");
-		this.oneTimeTokenSender = oneTimeTokenSender;
-		return this;
-	}
-
 	/**
 	 * Configures the {@link OneTimeTokenService} used to generate and consume
 	 * {@link OneTimeToken}
@@ -341,19 +343,6 @@ private OneTimeTokenService getOneTimeTokenService(H http) {
 		return this.oneTimeTokenService;
 	}
 
-	private OneTimeTokenSender getOneTimeTokenSender(H http) {
-		if (this.oneTimeTokenSender != null) {
-			return this.oneTimeTokenSender;
-		}
-		OneTimeTokenSender bean = getBeanOrNull(http, OneTimeTokenSender.class);
-		if (bean == null) {
-			throw new IllegalStateException("A OneTimeTokenSender is required for oneTimeTokenLogin(). "
-					+ "Please define a bean or pass an instance to the DSL.");
-		}
-		this.oneTimeTokenSender = bean;
-		return this.oneTimeTokenSender;
-	}
-
 	private <C> C getBeanOrNull(H http, Class<C> clazz) {
 		ApplicationContext context = http.getSharedObject(ApplicationContext.class);
 		if (context == null) {