Describe the bug

When handling a POST request, it is not possible to obtain a non-cached access_token, either from @RegisteredOAuth2AuthorizedClient or from OAuth2AuthorizedClientManager directly.

After the authorization code flow has been executed, Spring Security sends a HTTP 302 to the saved request URL, instead of replaying the request.

To Reproduce

Consider the following controller method

@PostMapping("/some-endpoint")
public String myController(@RegisteredOAuth2AuthorizedClient("spring-auth-server") OAuth2AuthorizedClient authorizedClient) {
    // ... your code ...
}

Sending a form POST to this endpoint will trigger the auth code flow, and then end up with a 405 Method Not Allowed, with the request body, headers, etc. lost.

Expected behavior

The saved request is fully replayed after the auth code flow.

Comment From: rwinch

Thank you for the report. If I'm understanding this correctly, I think the problem is that if we replay a POST request, then it will allow for a CSRF attack (invoking the PostMapping) on a user who has not performed the auth code flow.
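One way to live with the 302-after-authorization behaviour, as an added example that is not code from the issue or from the Spring Security project: make the authorization code flow happen on the GET that renders the form, so the POST finds an already-authorized client and never needs to be saved or replayed, and restrict the request cache to GET so that a POST that does trigger the flow ends on the default success URL instead of a 405. It assumes Spring Security 5.6+ with the lambda DSL, the registration id "spring-auth-server" from the report, a hypothetical form template "some-form" and a hypothetical form field "payload".

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.annotation.RegisteredOAuth2AuthorizedClient;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;

@Configuration
class ClientSecurityConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        // Only GET requests are worth saving: a saved POST cannot be replayed
        // safely (the CSRF concern above), and the post-authorization 302 turns
        // it into a GET anyway, which is where the 405 in the report comes from.
        // With this matcher a non-GET request that triggers the flow simply
        // lands on the default success URL once the flow completes.
        HttpSessionRequestCache requestCache = new HttpSessionRequestCache();
        requestCache.setRequestMatcher(new AntPathRequestMatcher("/**", "GET"));

        http
            .authorizeHttpRequests(authorize -> authorize.anyRequest().authenticated())
            .requestCache(cache -> cache.requestCache(requestCache))
            .oauth2Login(Customizer.withDefaults())
            .oauth2Client(Customizer.withDefaults());
        return http.build();
    }
}

@Controller
class SomeEndpointController {

    // Resolving the authorized client on the GET that renders the form means the
    // authorization code flow (and its 302) happens on a request that can be
    // saved and replayed. By the time the browser submits the form, the client
    // is already in the authorized client repository and the POST is served
    // directly, with its body and headers intact.
    @GetMapping("/some-endpoint")
    public String showForm(
            @RegisteredOAuth2AuthorizedClient("spring-auth-server") OAuth2AuthorizedClient authorizedClient,
            Model model) {
        model.addAttribute("tokenExpiresAt", authorizedClient.getAccessToken().getExpiresAt());
        return "some-form"; // assumed template name, not from the report
    }

    @PostMapping("/some-endpoint")
    public String submitForm(
            @RegisteredOAuth2AuthorizedClient("spring-auth-server") OAuth2AuthorizedClient authorizedClient,
            @RequestParam("payload") String payload) { // assumed form field
        String accessToken = authorizedClient.getAccessToken().getTokenValue();
        // ... call the resource server with accessToken and payload ...
        return "redirect:/some-endpoint";
    }
}
```

The caveat a practitioner should keep in mind: if the session is lost or the authorized client expires between the GET and the POST, the POST still triggers the flow and the submitted body is still discarded; the user then lands on the default success URL rather than on a 405 and has to resubmit. That is the intended trade-off here, since the alternative of replaying a cached POST is exactly what the comment above objects to.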