How Spring Security Handles OAuth2 Authorization Redirects: A Deep Dive
This article walks through Spring Security's OAuth2 authorization flow, revealing the entry URL, key resolver and filter classes, core request‑handling logic, and how the framework redirects users to third‑party providers.
1. Introduction
In the previous article "Spring Security Practical: OAuth2 Third‑Party Authorization First Experience", we introduced basic OAuth2 concepts and demonstrated a demo. This article analyzes the underlying mechanism step by step.
2. Capture the entry point
http://localhost:8082/oauth2/authorization/gitee
This request URL is the starting point of third‑party authentication. It follows the pattern {baseUrl}/oauth2/authorization/{clientRegistrationId}; here clientRegistrationId is gitee, the id under which the Gitee client was registered. Spring Security's OAuth2 client support intercepts requests under /oauth2/authorization/ and starts the authorization‑code flow for that registration. Use your IDE's global search (Ctrl Shift R) for the string /oauth2/authorization to locate the source.
OAuth2AuthorizationRequestRedirectWebFilter
This class implements Spring WebFlux's WebFilter and is relevant only for WebFlux (reactive) applications. The servlet counterpart, OAuth2AuthorizationRequestRedirectFilter, is the one examined below.
DefaultOAuth2AuthorizationRequestResolver
This default resolver implements OAuth2AuthorizationRequestResolver and creates an OAuth2AuthorizationRequest from the incoming /oauth2/authorization request.
public interface OAuth2AuthorizationRequestResolver {

    /**
     * Resolve an OAuth2AuthorizationRequest from the HttpServletRequest.
     * Returns null when the request does not match the authorization request base URI,
     * which is how the filter decides whether to redirect or to continue the chain.
     */
    OAuth2AuthorizationRequest resolve(HttpServletRequest request);

    /**
     * Resolve an OAuth2AuthorizationRequest for an explicit clientRegistrationId
     * (used when a ClientAuthorizationRequiredException is raised further down the chain).
     */
    OAuth2AuthorizationRequest resolve(HttpServletRequest request, String clientRegistrationId);

}

When /oauth2/authorization/{clientRegistrationId} is called, the resolver extracts the registration id from the path, looks up the matching ClientRegistration, and builds an OAuth2AuthorizationRequest object from it and from the incoming HttpServletRequest.
Note: The default base URI /oauth2/authorization is the constant OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI. It can be customized by constructing DefaultOAuth2AuthorizationRequestResolver with a different base URI and registering the resolver (and the same base URI) through oauth2Login().authorizationEndpoint().
OAuth2AuthorizationRequest
This class encapsulates the parameters of the authorization request: authorizationUri, clientId, redirectUri, scopes, state, and so on. The state value is generated by the resolver, stored server‑side together with the request, and later compared with the state the provider sends back to the redirect URI; that comparison is what protects the callback against CSRF, so it must not be predictable or omitted.
public final class OAuth2AuthorizationRequest implements Serializable {

    private String authorizationUri;
    private AuthorizationGrantType authorizationGrantType;
    private OAuth2AuthorizationResponseType responseType;
    private String clientId;
    private String redirectUri;
    private Set<String> scopes;
    private String state;
    private Map<String, Object> additionalParameters;
    private String authorizationRequestUri;
    private Map<String, Object> attributes;

    // other methods omitted

}

OAuth2AuthorizationRequestRedirectFilter
This filter extends OncePerRequestFilter and contains an OAuth2AuthorizationRequestResolver. Its core logic is in doFilterInternal:
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
        throws ServletException, IOException {
    try {
        // Returns null unless the request matches {baseUri}/{registrationId}
        OAuth2AuthorizationRequest authorizationRequest = this.authorizationRequestResolver.resolve(request);
        if (authorizationRequest != null) {
            // Save the request (including state) and redirect the browser to the provider
            this.sendRedirectForAuthorization(request, response, authorizationRequest);
            return;
        }
    }
    catch (Exception failed) {
        this.unsuccessfulRedirectForAuthorization(request, response, failed);
        return;
    }
    // Not an authorization request: continue the filter chain
    filterChain.doFilter(request, response);
    // exception handling omitted for brevity
}

[Diagram: execution flow of OAuth2AuthorizationRequestRedirectFilter]

The flow is: the resolver is asked to resolve the request; if it returns an OAuth2AuthorizationRequest, the filter saves it and redirects the user to the provider's authorization endpoint; if it returns null, the request is passed down the chain unchanged; any exception during resolution is turned into an error response by unsuccessfulRedirectForAuthorization.
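The following example is added here to illustrate both the resolver customization described above and the two branches of doFilterInternal; it is not code from the original article or from Spring Security. It wires a DefaultOAuth2AuthorizationRequestResolver with a custom base URI and PKCE into oauth2Login(), then drives the resolver directly with a MockHttpServletRequest (from spring-test) to show the null result for an unrelated path and the state, redirect URI and PKCE parameters produced for a matching one. The registration id gitee is taken from the article; the client id, secret, scope, base URI /auth/start and the provider URIs under provider.example are assumed placeholders, not Gitee's real endpoints. It needs spring-security-oauth2-client (5.7 or later for OAuth2AuthorizationRequestCustomizers) and spring-test on the classpath.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestCustomizers;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
import org.springframework.security.oauth2.core.endpoint.PkceParameterNames;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class AuthorizationRequestResolverDemo {

    // Assumed custom entry path. The framework default is
    // OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI ("/oauth2/authorization").
    static final String BASE_URI = "/auth/start";

    // Assumed registration: client credentials and provider URIs are placeholders.
    static ClientRegistration giteeRegistration() {
        return ClientRegistration.withRegistrationId("gitee")
                .clientId("demo-client-id")
                .clientSecret("demo-client-secret")
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .redirectUri("{baseUrl}/login/oauth2/code/{registrationId}")
                .scope("user_info")
                .authorizationUri("https://provider.example/oauth/authorize")
                .tokenUri("https://provider.example/oauth/token")
                .userInfoUri("https://provider.example/api/user")
                .userNameAttributeName("id")
                .clientName("Gitee")
                .build();
    }

    // Resolver bound to the custom base URI, with PKCE added to every request it builds:
    // code_challenge/code_challenge_method go into additionalParameters (sent to the provider),
    // code_verifier goes into attributes (kept server-side for the token exchange).
    static OAuth2AuthorizationRequestResolver pkceResolver(ClientRegistrationRepository clients) {
        DefaultOAuth2AuthorizationRequestResolver resolver =
                new DefaultOAuth2AuthorizationRequestResolver(clients, BASE_URI);
        resolver.setAuthorizationRequestCustomizer(OAuth2AuthorizationRequestCustomizers.withPkce());
        return resolver;
    }

    @Bean
    ClientRegistrationRepository clientRegistrationRepository() {
        return new InMemoryClientRegistrationRepository(giteeRegistration());
    }

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http, ClientRegistrationRepository clients) throws Exception {
        http
            .authorizeHttpRequests(authorize -> authorize.anyRequest().authenticated())
            .oauth2Login(oauth2 -> oauth2
                .authorizationEndpoint(endpoint -> endpoint
                    .baseUri(BASE_URI)                              // filter and resolver must agree on the path
                    .authorizationRequestResolver(pkceResolver(clients))));
        return http.build();
    }

    // Calls the resolver exactly as doFilterInternal does, without starting a server.
    static OAuth2AuthorizationRequest resolve(OAuth2AuthorizationRequestResolver resolver, String path) {
        MockHttpServletRequest request = new MockHttpServletRequest("GET", path);
        request.setServletPath(path);   // set both requestURI and servletPath so the path matcher sees the path
        request.setScheme("http");
        request.setServerName("localhost");
        request.setServerPort(8082);    // used to expand {baseUrl} in the redirect URI
        return resolver.resolve(request);
    }

    public static void main(String[] args) {
        OAuth2AuthorizationRequestResolver resolver =
                pkceResolver(new InMemoryClientRegistrationRepository(giteeRegistration()));

        // Branch 1: unrelated path, resolver returns null and the filter just continues the chain.
        System.out.println("/index -> " + resolve(resolver, "/index"));

        // Branch 2: matching path, the filter would redirect to authorizationRequestUri.
        OAuth2AuthorizationRequest authz = resolve(resolver, BASE_URI + "/gitee");
        System.out.println("state:        " + authz.getState());
        System.out.println("redirect_uri: " + authz.getRedirectUri());
        System.out.println("challenge:    " + authz.getAdditionalParameters().get(PkceParameterNames.CODE_CHALLENGE_METHOD));
        System.out.println("verifier kept server-side: " + authz.getAttributes().containsKey(PkceParameterNames.CODE_VERIFIER));
        System.out.println("Location:     " + authz.getAuthorizationRequestUri());
    }
}
```

Running main prints null for /index, then a random state, the expanded redirect URI http://localhost:8082/login/oauth2/code/gitee, the S256 challenge method and the full authorization URI the browser would be sent to. Two things worth checking in your own setup: the baseUri given to authorizationEndpoint() must match the one passed to the resolver, otherwise the filter never sees the request; and the code_verifier must stay in attributes, not additionalParameters, or it leaks to the browser in the redirect.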
Understanding this flow is essential for grasping how Spring Security redirects to third‑party providers. The next article will dissect the sendRedirectForAuthorization method.
3. Summary
We traced the entry point of OAuth2 authorization in Spring Security, examined key components such as OAuth2AuthorizationRequestRedirectWebFilter, DefaultOAuth2AuthorizationRequestResolver, and the core filter logic, laying the groundwork for deeper analysis.
Programmer DD
A tinkering programmer and author of "Spring Cloud Microservices in Action"