Customizable OAuth2AuthorizationCodeGrantFilter

[joaquinjsb]

Expected Behavior

when the filter succeeds, the user should be able to customize the behavior.

Current Behavior

when the OAuth2AuthorizationCodeGrantFilter succeeds or fails, the DefaultRedirectStrategy is used for both success or failure.

I think a classic successHandler / failureHandler would be ideal.

Spring Security 7.1 M3

[bkoragan]

@jgrandja
I looked into this and agree that the filter should support customizable success/failure handling.

Currently processAuthorizationResponse() hardcodes both paths using a final DefaultRedirectStrategy with no setter. Other filters in the codebase already support handler customization (OAuth2LoginAuthenticationFilter inherits handlers from AbstractAuthenticationProcessingFilter,OAuth2AuthorizationRequestRedirectFilter has setAuthenticationFailureHandler()), so this filter is the odd one out..

Proposed approach:

• Add AuthenticationSuccessHandler and AuthenticationFailureHandler fields with setter methods
• Default handlers preserve the current redirect behavior exactly, so it's non-breaking
• Expose both on OAuth2ClientConfigurer for DSL configuration
• Not changing the filter's superclass - keepingOncePerRequestFilter to avoid breaking changes..

This enable use cases like custom redirects after success, error page rendering on failure, and logging/auditing of authorization exchanges..

I can open/submit a PR if this approach aligns with your thoughts?