Spring Security OAuth2 Callback Authentication Explained: Managers & Providers

This article explores how Spring Security processes OAuth2 login callbacks, detailing the role of AuthenticationManager, the creation of OAuth2LoginAuthenticationToken, the selection of appropriate AuthenticationProvider such as OAuth2LoginAuthenticationProvider and OidcAuthorizationCodeAuthenticationProvider, and the subsequent generation of OAuth2User and token objects.

Programmer DD

2. AuthenticationManager

When Spring Security intercepts the callback endpoint, it creates an OAuth2LoginAuthenticationToken and hands it to the AuthenticationManager for authentication. Our earlier article "Understanding AuthenticationManager" provides a detailed explanation of this mechanism.

In that flow, the login credentials are encapsulated in a UsernamePasswordAuthenticationToken, and the AuthenticationProvider that supports that token type is located to perform the authentication.

3. AuthenticationProvider for OAuth2

OAuth2 login works similarly; we need to locate the AuthenticationProvider that corresponds to OAuth2LoginAuthenticationToken. Two providers are found:

OAuth2LoginAuthenticationProvider
OidcAuthorizationCodeAuthenticationProvider

These providers handle different scenarios. OAuth2LoginAuthenticationProvider inspects the incoming OAuth2LoginAuthenticationToken with the following snippet:

if (loginAuthenticationToken.getAuthorizationExchange()
    .getAuthorizationRequest().getScopes().contains("openid")) {
    // This is an OpenID Connect Authentication Request so return null
    // and let OidcAuthorizationCodeAuthenticationProvider handle it instead
    return null;
}

This means that if the requested scopes contain openid, the method returns null, so the token is not processed by OAuth2LoginAuthenticationProvider and the AuthenticationManager moves on to the next provider; OidcAuthorizationCodeAuthenticationProvider then handles it. Based on previous articles, the provider we need for standard (non-OIDC) OAuth2 login is OAuth2LoginAuthenticationProvider.

If you are interested, you can learn about OIDC-based OAuth2 authentication separately.

4. OAuth2LoginAuthenticationProvider

OAuth2LoginAuthenticationProvider implements the authentication process for the authorization callback. As the original diagram shows, the actual code exchange and authentication are performed by OAuth2AuthorizationCodeAuthenticationProvider. After that succeeds, OAuth2LoginAuthenticationProvider retrieves the user's information, wraps it into an OAuth2User, and finally creates a successful (authenticated) OAuth2LoginAuthenticationToken.
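As an added, self-contained example (not from the original article or from the Spring Security project), the following Java program builds both providers against stubbed token-endpoint and user-info calls and shows the routing described in sections 3 and 4: both providers support OAuth2LoginAuthenticationToken, an openid-scoped request makes OAuth2LoginAuthenticationProvider return null, and a plain OAuth2 request yields an authenticated token carrying the OAuth2User. The registration, URLs, scopes, codes and user attributes are constructed placeholders; it assumes Spring Security 5.4 or later (spring-security-oauth2-client) on the classpath.

```java
import java.util.Map;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.oauth2.client.authentication.*;
import org.springframework.security.oauth2.client.endpoint.*;
import org.springframework.security.oauth2.client.oidc.authentication.OidcAuthorizationCodeAuthenticationProvider;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.userinfo.*;
import org.springframework.security.oauth2.core.*;
import org.springframework.security.oauth2.core.endpoint.*;
import org.springframework.security.oauth2.core.user.*;

public class OAuth2LoginRoutingDemo {
    static final String REDIRECT = "https://app.example.com/login/oauth2/code/demo"; // constructed placeholder

    // Constructed, minimal registration; the endpoint URLs are placeholders and are never contacted.
    static ClientRegistration registration() {
        return ClientRegistration.withRegistrationId("demo").clientId("demo-client").clientSecret("demo-secret")
            .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE).redirectUri(REDIRECT)
            .authorizationUri("https://idp.example.com/authorize").tokenUri("https://idp.example.com/token")
            .userNameAttributeName("login").build();
    }

    // The token the callback filter hands to the AuthenticationManager: original request + callback response.
    static OAuth2LoginAuthenticationToken callbackToken(String... scopes) {
        OAuth2AuthorizationRequest request = OAuth2AuthorizationRequest.authorizationCode()
            .clientId("demo-client").authorizationUri("https://idp.example.com/authorize")
            .redirectUri(REDIRECT).scope(scopes).state("state-123").build();
        OAuth2AuthorizationResponse response = OAuth2AuthorizationResponse.success("code-abc")
            .redirectUri(REDIRECT).state("state-123").build(); // state must match the request or the exchange is rejected
        return new OAuth2LoginAuthenticationToken(registration(), new OAuth2AuthorizationExchange(request, response));
    }

    public static void main(String[] args) {
        // Stubs standing in for the network calls: the token endpoint and the user-info lookup.
        OAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> tokenClient = grant ->
            OAuth2AccessTokenResponse.withToken("access-token-xyz").tokenType(OAuth2AccessToken.TokenType.BEARER)
                .expiresIn(3600).build();
        OAuth2UserService<OAuth2UserRequest, OAuth2User> userService = req -> new DefaultOAuth2User(
            AuthorityUtils.createAuthorityList("ROLE_USER"), Map.<String, Object>of("login", "alice"), "login");
        OAuth2LoginAuthenticationProvider oauth2Provider = new OAuth2LoginAuthenticationProvider(tokenClient, userService);
        OidcAuthorizationCodeAuthenticationProvider oidcProvider = new OidcAuthorizationCodeAuthenticationProvider(
            tokenClient, req -> { throw new UnsupportedOperationException("OIDC path not exercised here"); });
        // Both providers accept the same token class, which is why the AuthenticationManager "finds" two of them.
        System.out.println("supports: " + oauth2Provider.supports(OAuth2LoginAuthenticationToken.class)
            + " / " + oidcProvider.supports(OAuth2LoginAuthenticationToken.class));
        // With openid among the scopes, OAuth2LoginAuthenticationProvider declines (null) and leaves the OIDC provider to act.
        System.out.println("openid scope -> " + oauth2Provider.authenticate(callbackToken("openid", "profile")));
        // Without openid, the code is exchanged, the user is loaded and an authenticated token comes back.
        OAuth2LoginAuthenticationToken result =
            (OAuth2LoginAuthenticationToken) oauth2Provider.authenticate(callbackToken("read:user"));
        System.out.println(result.isAuthenticated() + " " + result.getPrincipal().getName() + " "
            + result.getAccessToken().getTokenValue());
    }
}
```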

Due to length constraints, the next article will analyze the handling mechanism of OAuth2AuthorizationCodeAuthenticationProvider. The series can be found at felord.cn.
