Expected Behavior
When enabling MFA, OAuth2 authorization flows should (optionally) first get MFA validated, then continue with the flow.
Current Behavior
MFA flows are completely ignored and the OAuth2 flow finishes properly.
Context
I haven't found any alternatives yet, only having a custom AuthenticationTrustResolver and managing it from there.
Spring security 7.0.0-SNAPSHOT
How to reproduce:
1. Start the MCVE.
2. Configure https://oauthdebugger.com/ with:
   authorize uri: http://127.0.0.1:8080/oauth2/authorize
   redirect uri: https://oauthdebugger.com/debug
   client: oidc-client
   scope: openid profile
   response type: code
   pkce: yes
3. Click "send request".
The OAuth2 flow will complete successfully; instead, we're supposed to use the MFA?
Comment From: rwinch
Thanks for creating this ticket @joaquinjsb
I can confirm that Authorization Server's OAuth2AuthorizationEndpointFilter does not use the authorization rules defined in HttpSecurity.authorizeHttpRequests because OAuth2AuthorizationEndpointFilter is placed before the AuthorizationFilter.
@jgrandja Can you please take a look at this and advise?
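To make the ordering point concrete from the defender's side, here is an added example (editor's code, not from the issue, Spring Security or Spring Authorization Server). Because OAuth2AuthorizationEndpointFilter runs ahead of AuthorizationFilter, an authorizeHttpRequests rule on /oauth2/authorize never gets a chance to demand a second factor; the filter below instead sits in front of the authorization endpoint and redirects a first-factor-only user to the MFA step before a code can be issued. It assumes two hypothetical names: the MFA step grants the authority "MFA_VERIFIED", and the challenge page lives at "/mfa".

```java
// Added example (editor's code, not from the issue or the Spring projects).
// Gate for the authorization endpoint: a user who is logged in but has not
// completed the second factor is sent to the MFA page instead of reaching
// OAuth2AuthorizationEndpointFilter. Hypothetical names: "MFA_VERIFIED", "/mfa".
import java.io.IOException;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

public class MfaGateFilter extends OncePerRequestFilter {

    static final String AUTHORIZE_PATH = "/oauth2/authorize"; // default authorization endpoint
    static final String MFA_AUTHORITY = "MFA_VERIFIED";        // hypothetical authority name
    static final String MFA_PAGE = "/mfa";                     // hypothetical MFA challenge page

    @Override
    protected boolean shouldNotFilter(HttpServletRequest request) {
        // Only the authorization endpoint is gated; token, JWKS, userinfo and the
        // MFA page itself pass through, so a first-factor-only user can still reach /mfa.
        String path = request.getRequestURI().substring(request.getContextPath().length());
        return !AUTHORIZE_PATH.equals(path);
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain) throws ServletException, IOException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()
                || auth instanceof AnonymousAuthenticationToken) {
            // Nobody is logged in yet: leave the normal redirect-to-login handling alone.
            chain.doFilter(request, response);
            return;
        }
        if (!hasMfaAuthority(auth)) {
            // First factor only: no authorization code until the second factor is done.
            response.sendRedirect(request.getContextPath() + MFA_PAGE);
            return;
        }
        chain.doFilter(request, response);
    }

    // True when the MFA step has already marked this authentication as verified.
    static boolean hasMfaAuthority(Authentication auth) {
        for (GrantedAuthority authority : auth.getAuthorities()) {
            if (MFA_AUTHORITY.equals(authority.getAuthority())) {
                return true;
            }
        }
        return false;
    }
}
```

Register it from the application's own SecurityFilterChain bean with `http.addFilterBefore(new MfaGateFilter(), AbstractPreAuthenticatedProcessingFilter.class)`; this assumes the authorization server configurer anchors OAuth2AuthorizationEndpointFilter at that same position, so a filter added earlier at the same anchor ends up in front of it. Verify the resulting order rather than trusting the assumption: Spring Security logs the full filter list for each chain at startup when DEBUG logging is on for `org.springframework.security`, and the gate must appear before OAuth2AuthorizationEndpointFilter. The MFA page handler is expected to add the "MFA_VERIFIED" authority on success and return the user to the saved authorization request.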