I’m setting up a Spring Authorization Server using Spring Security and OAuth2. I’m trying to initiate the authorization code flow by hitting the /oauth2/authorize endpoint, but I’m getting a 404 Not Found error. Here’s my setup and the issue I’m facing:
I’ve configured the AuthorizationServerConfig class as follows:
import org.slf4j.LoggerFactory
import org.springframework.beans.factory.annotation.Value
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.context.annotation.Import
import org.springframework.core.annotation.Order
import org.springframework.jdbc.core.JdbcOperations
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.crypto.password.PasswordEncoder
import org.springframework.security.oauth2.core.AuthorizationGrantType
import org.springframework.security.oauth2.core.ClientAuthenticationMethod
import org.springframework.security.oauth2.core.oidc.OidcScopes
import org.springframework.security.oauth2.core.oidc.OidcUserInfo
import org.springframework.security.oauth2.jwt.NimbusJwtEncoder
import org.springframework.security.oauth2.server.authorization.JdbcOAuth2AuthorizationConsentService
import org.springframework.security.oauth2.server.authorization.JdbcOAuth2AuthorizationService
import org.springframework.security.oauth2.server.authorization.client.JdbcRegisteredClientRepository
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer
import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings
import org.springframework.security.oauth2.server.authorization.settings.ClientSettings
import org.springframework.security.oauth2.server.authorization.token.JwtGenerator
import org.springframework.security.web.SecurityFilterChain
import java.util.UUID
// JwtService is the application's own class; its import is omitted here as in the original.

@Configuration
@EnableWebSecurity
// Caveat: OAuth2AuthorizationServerConfiguration itself declares a SecurityFilterChain bean
// named authorizationServerSecurityFilterChain. Declaring a second bean with that name, as
// below, only works if bean definition overriding is enabled; otherwise drop this @Import
// (the configurer below applies the same defaults) or rename the bean method.
@Import(OAuth2AuthorizationServerConfiguration::class)
class AuthorizationServerConfig(
    private val passwordEncoder: PasswordEncoder,
    @Value("\${key.store.password.private}") private val password: String
) {
    // Added: the original snippet uses `logger` without declaring it.
    private val logger = LoggerFactory.getLogger(AuthorizationServerConfig::class.java)

    @Bean
    @Order(1)
    @Throws(Exception::class)
    fun authorizationServerSecurityFilterChain(
        http: HttpSecurity,
        jdbcOperations: JdbcOperations,
        registeredClientRepository: RegisteredClientRepository,
        jwtService: JwtService,
        // The original snippet passes an undeclared `endpoints`; it is assumed here to be the
        // AuthorizationServerSettings bean that was omitted from the post along with jwkSource etc.
        endpoints: AuthorizationServerSettings
    ): SecurityFilterChain {
        val authorizationServerConfigurer = OAuth2AuthorizationServerConfigurer.authorizationServer()

        http
            // Path rule inside this chain only: it does not move the authorization server's
            // endpoints, whose paths come from AuthorizationServerSettings (/oauth2/authorize,
            // /oauth2/token, ... by default).
            .authorizeHttpRequests { it.requestMatchers("/auth/**").permitAll() }
            // Restrict this chain to the authorization server's own endpoints.
            .securityMatcher(authorizationServerConfigurer.endpointsMatcher)
            .with(authorizationServerConfigurer) { authorizationServer ->
                authorizationServer
                    .authorizationService(
                        JdbcOAuth2AuthorizationService(jdbcOperations, registeredClientRepository)
                    )
                    // The injected bean is the same instance the bean method below returns.
                    .registeredClientRepository(registeredClientRepository)
                    .authorizationConsentService(
                        JdbcOAuth2AuthorizationConsentService(jdbcOperations, registeredClientRepository)
                    )
                    // No-op customizer kept from the original; it changes nothing and can be dropped.
                    .authorizationEndpoint { it }
                    .authorizationServerSettings(endpoints)
                    // jwkSource() is one of the beans omitted from the post.
                    .tokenGenerator(JwtGenerator(NimbusJwtEncoder(jwkSource())))
                    .oidc { oidcConfigurer ->
                        oidcConfigurer.userInfoEndpoint { userInfoEndpointConfigurer ->
                            userInfoEndpointConfigurer.userInfoMapper {
                                // Logging the raw access token writes a bearer credential to the
                                // log; keep this to local debugging.
                                logger.info(it.accessToken.tokenValue)
                                logger.info(it.accessToken.expiresAt?.toString())
                                val claims = jwtService.getAllClaims(it.accessToken.tokenValue)
                                OidcUserInfo(claims)
                            }
                        }
                    }
            }
        return http.build()
    }

    @Bean
    fun registeredClientRepository(jdbcOperations: JdbcOperations): RegisteredClientRepository {
        // Built for reference only: the post says this client is already persisted, so it is
        // never saved here. A hard-coded "secret" is for local development only.
        val adminClient = RegisteredClient.withId(UUID.randomUUID().toString())
            .clientId("admin-client")
            .clientSecret(passwordEncoder.encode("secret"))
            // Every client authentication method and grant type is enabled on one client;
            // a production client should list only the ones it actually uses.
            .clientAuthenticationMethods {
                it.apply {
                    add(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                    add(ClientAuthenticationMethod.CLIENT_SECRET_POST)
                    add(ClientAuthenticationMethod.PRIVATE_KEY_JWT)
                    add(ClientAuthenticationMethod.TLS_CLIENT_AUTH)
                    add(ClientAuthenticationMethod.CLIENT_SECRET_JWT)
                    add(ClientAuthenticationMethod.SELF_SIGNED_TLS_CLIENT_AUTH)
                }
            }
            .authorizationGrantTypes {
                it.apply {
                    add(AuthorizationGrantType.CLIENT_CREDENTIALS)
                    add(AuthorizationGrantType.AUTHORIZATION_CODE)
                    add(AuthorizationGrantType.REFRESH_TOKEN)
                    add(AuthorizationGrantType.JWT_BEARER)
                    add(AuthorizationGrantType.DEVICE_CODE)
                    add(AuthorizationGrantType.TOKEN_EXCHANGE)
                }
            }
            .redirectUri("http://localhost:8081/new")
            .scope(OidcScopes.OPENID)
            .scope(OidcScopes.PROFILE)
            .scope("client.create")
            .scope("message.write")
            .clientSettings(ClientSettings.builder().requireAuthorizationConsent(true).build())
            .build()
        // adminClient already persisting in DB
        return JdbcRegisteredClientRepository(jdbcOperations)
    }

    // Other beans (jwkSource, jwtDecoder, etc.) omitted for brevity
}
Issue
When I make a GET request to the /auth/oauth2/authorize endpoint:
GET http://localhost:8081/auth/oauth2/authorize?
response_type=code&
client_id=admin-client&
redirect_uri=http://localhost:8081/new&
scope=openid&state=abc123
I get the following response:
{
"timestamp": "2025-02-03T09:36:04.774+00:00",
"status": 404,
"error": "Not Found",
"path": "/auth/oauth2/authorize"
}
What I’ve Tried
Verified that the server is running on port 8081 and there’s no custom context path.
Ensured the redirect_uri matches the one registered in the RegisteredClient.
Checked that the /oauth2/authorize endpoint is not blocked by security configurations.
Questions
Why is the /oauth2/authorize endpoint returning a 404 Not Found error?
Are there any additional configurations or dependencies required to expose the /oauth2/authorize endpoint?
How can I debug this issue further?
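One debugging check a practitioner would run first, added here as an example and not code from the post or from Spring Authorization Server: ask the server which path it actually publishes for its authorization endpoint. Spring Authorization Server serves its metadata at /.well-known/oauth-authorization-server (and, with OIDC enabled, /.well-known/openid-configuration); the default authorization endpoint is /oauth2/authorize, and a different path appears only if AuthorizationServerSettings changes it. The metadata endpoints are themselves part of the configurer's endpointsMatcher, so a 404 on them as well points at the filter chain not being active. The helper functions, the sed-based JSON field extraction and the sample metadata document below are all constructed for this example; the sample is what a default-configured server on port 8081 would roughly return, abbreviated.

```shell
#!/bin/sh
# Added example (not from the original post): compare the authorization endpoint
# the server publishes with the path a client is about to request.

# Live check against the server from the question (not run in the offline demo):
#   fetch_metadata http://localhost:8081 | authorization_endpoint
fetch_metadata() {
  curl -sf "$1/.well-known/oauth-authorization-server"
}

# Pull one string-valued field out of a flat JSON object on stdin.
# Plain sed so it works without jq; sufficient for the discovery document.
json_field() {
  sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

authorization_endpoint() { json_field authorization_endpoint; }
issuer() { json_field issuer; }

# Reduce a URL to its path (scheme and host stripped, query string dropped).
url_path() {
  printf '%s' "$1" | sed 's#^[a-z]*://[^/]*##; s#?.*##'
}

# Compare the published authorization endpoint with the requested URL.
# Prints "ok" or a one-line mismatch description.
check_authorize_path() {
  pub_path=$(url_path "$1")
  req_path=$(url_path "$2")
  if [ "$pub_path" = "$req_path" ]; then
    echo ok
  else
    echo "mismatch: server publishes $pub_path, request targets $req_path"
  fi
}

# Constructed sample of a default-configured server's metadata (abbreviated).
SAMPLE_METADATA='{"issuer":"http://localhost:8081","authorization_endpoint":"http://localhost:8081/oauth2/authorize","token_endpoint":"http://localhost:8081/oauth2/token","jwks_uri":"http://localhost:8081/oauth2/jwks","response_types_supported":["code"]}'

# Offline demo: the request URL from the question against the sample metadata.
demo() {
  ep=$(printf '%s' "$SAMPLE_METADATA" | authorization_endpoint)
  check_authorize_path "$ep" \
    "http://localhost:8081/auth/oauth2/authorize?response_type=code&client_id=admin-client"
}

demo
```

If the live metadata request itself returns 404, the authorization server filter chain is not handling the request at all, which is a different problem from a wrong endpoint path; if it answers, the authorization_endpoint value is the URL to use for the first leg of the code flow.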