Authorization Server's OAuth2 Endpoints should validate MFA

[joaquinjsb]

Expected Behavior

When Enabling MFA, OAuth2 auhorization flows should (optionally) first get MFA validated, then continue with the flow.

Current Behavior

MFA flows are completely ignored and the Oauth2 flow finished properly.

Context
I haven't found any alternatives yet, only having a custom AuthenticationTrustResolver, and manage it form there.

mcve.zip

Spring security 7.0.0-SNAPSHOT

how to reproduce:

1. start the mcve
2. configure https://oauthdebugger.com/
   authorize uri: http://127.0.0.1:8080/oauth2/authorize
   redirect uri: https://oauthdebugger.com/debug
   client: oidc-client
   scope: openid profile
   response type: code
   pkce: yes
3. click send request

the oauth2 flow will complete successfully, instead we're supposed to use the MFA?

[rwinch]

Thanks for creating this ticket @joaquinjsb

I can confirm that Authorization Server's OAuth2AuthorizationEndpointFilter does not use the authorization rules defined in HttpSecurity.authorizeHttpRequests because OAuth2AuthorizationEndpointFilter is placed before the AuthorizationFilter.

@jgrandja Can you please take a look at this and advise?

[jgrandja]

@joaquinjsb I wasn't able to reproduce

the oauth2 flow will complete successfully, instead we're supposed to use the MFA?

Can you please update the sample to include spring-boot-starter-security-oauth2-client and HttpSecurity.oauth2Login() so the issue is reproducible in the sample alone without the use of https://oauthdebugger.com/. Thanks.

[joaquinjsb]

spring-boot-starter-security-oauth2-client

here you go, I believe I did the setup properly for spring-boot-starter-security-oauth2-client:

security.zip

Observed (Failing) Flow

Navigate to the client application: http://app.127.0.0.1.nip.io:8080/

Initiate login via "Login with OAuth 2.0" (OIDC Client).

You are redirected to the authorization server: http://account.127.0.0.1.nip.io:8080/

Upon the callback/redirect back to the client, the flow fails with "invalid credentials".

Root Cause: The subsequent request to the /oauth2/token endpoint fails because the authorization server immediately requires MFA, but the OAuth 2.0 flow is not designed to handle this inline.

Expected (Desired) Behavior

When the user is redirected to http://account.127.0.0.1.nip.io:8080/ and performs a form login:

The user successfully enters their initial credentials.

The system should then prompt for the One-Time Token (OTT) / MFA.

After successful MFA completion, the system should resume and complete the OAuth 2.0 flow (issuing the Authorization Code, followed by the successful token exchange).

I hope it's clearer now.