ERR_TOO_MANY_REDIRECTS. State parameter not saved in database when oauth2 authorization server issues an authorization code to a client

[lorenzoAgainAgainAgain]

Bug description
I'm not redirected to the client server homepage after I'm successfully authenticated and authorized by the authorization server. More details at Projects behaviour.

To Reproduce
I have implemented an authorization server very similar to the one provided by Spring Documentation, with the following variations:

1. Maven instead of gradle, as project builder

2. JRE: jdk1.8.0_xxx

3. Spring Boot 2.7.12 , Spring Security 5.7.8 , Spring Security oauth2 authorization server 0.4.2 ,

4. a sql server database to store user's credentials. Here I also implemented the 3 oauth2 tables that, in the Spring demo, are located in an embedded h2 database,

5. a custom UserDetailsService instead of an InMemoryUserDetailsManager:

   @Service
   public class CustomUserDetailsService implements UserDetailsService {
   
       @Autowired
       UserRepository userRepository;
   
       @Override
       @Transactional
       public UserDetails loadUserByUsername(String email) throws UsernameNotFoundException {
       	Optional<User> user = userRepository.findByEmail(email);
          
       	User u = user.orElseThrow(() ->
           new UsernameNotFoundException("User not found with email : " + email));
       	
           return SecurityUser.create(u);
       }
   
   }
   

   Here the SecurityUser class:

   public class SecurityUser implements OAuth2User, UserDetails {
   	
   	@Id
   	@GeneratedValue(strategy = GenerationType.IDENTITY)
   	private Long id;    
   	private String username;   
   	private String password;   
   	private Collection<? extends GrantedAuthority> authorities; 
   	private Map<String, Object> attributes;
   
   	public SecurityUser() {}
   	
       public SecurityUser(Long id, String email, String password, Collection<? extends GrantedAuthority> authorities) {
           this.id = id;
           this.username = email;
           this.password = password;
           this.authorities = authorities;
       }
   
       public static SecurityUser create(User user) {
         List<GrantedAuthority> authorities = Collections.
         singletonList(new SimpleGrantedAuthority("ROLE_USER"));
           return new SecurityUser(
                   user.getUser_id(),
                   user.getEmail(),
                   user.getPwd(),
                   authorities
           );
       }
   
       public static SecurityUser create(User user, Map<String, Object> attributes) {
           SecurityUser userPrincipal = SecurityUser.create(user);
           userPrincipal.setAttributes(attributes);
   
           return userPrincipal;
       }
   
   // getters and setters
     
       @Override
       public String toString() {
         return new StringJoiner(", ", SecurityUser.class.getSimpleName() + "[", "]")
             .add("id='" + id + "'")
             .add("username='" + username + "'")
             .add("authorities='" + authorities + "'")
             .add("attributes='" + attributes + "'")
             .toString();
       }
   }
   

   Here the SecurityUserMixin class (needed at point n. 7):

   @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
   @JsonDeserialize
   @JsonAutoDetect(
           fieldVisibility = JsonAutoDetect.Visibility.ANY,
           getterVisibility = JsonAutoDetect.Visibility.NONE,
           isGetterVisibility = JsonAutoDetect.Visibility.NONE)
   @JsonIgnoreProperties(ignoreUnknown = true)
   public class SecurityUserMixin {
     
   	@JsonProperty
   	private Long id;    
     	@JsonProperty
   	private String username;  
     	@JsonIgnore 
     	private String password;
     	@JsonIgnore 
     	private String name;
   	@JsonProperty
   	private Collection<? extends GrantedAuthority> authorities; 
     	@JsonProperty
   	private Map<String, Object> attributes;
     	
     	 @JsonCreator
     	 public SecurityUserMixin(@JsonProperty("id") Long id, 
     			@JsonProperty("username") String username,
     			@JsonProperty("authorities") Collection<? extends GrantedAuthority> authorities,
     			@JsonProperty("attributes") Map<String, Object> attributes) {}
   
   
   // getters and setters
     			
   }
   

6. I removed the device flow authentication's logic (as I downgraded the authorization server's version to 0.4.2) from the AuthorizationServerConfig class:

   @Bean  
   @Order(Ordered.HIGHEST_PRECEDENCE)
   public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
       	
           OAuth2AuthorizationServerConfigurer authzServerConfigurer = new OAuth2AuthorizationServerConfigurer();
           
           RequestMatcher endpointsMatcher = authzServerConfigurer.getEndpointsMatcher();
           
   		Function<OidcUserInfoAuthenticationContext, OidcUserInfo> userInfoMapper = (context) -> { 
   			OidcUserInfoAuthenticationToken authentication = context.getAuthentication();
   			JwtAuthenticationToken principal = (JwtAuthenticationToken) authentication.getPrincipal();
   			return new OidcUserInfo(principal.getToken().getClaims());
   		};
   
           authzServerConfigurer
           	.authorizationEndpoint(authzEndpoint -> authzEndpoint
                   .consentPage(CUSTOM_CONSENT_PAGE_URI))
           	.oidc(oidc -> oidc
           			.userInfoEndpoint(userInfo -> userInfo
           					.userInfoMapper(userInfoMapper)
   						)
   		);
   		
   		http
   			.requestMatcher(endpointsMatcher)
   			.authorizeHttpRequests((authorize) -> authorize
   				.antMatchers(CUSTOM_LOGIN_PAGE_URI).permitAll()
   				.anyRequest().authenticated()
   			)
   			.csrf(csrf -> csrf.ignoringRequestMatchers(endpointsMatcher))
   			.exceptionHandling(exceptions -> exceptions
   				.defaultAuthenticationEntryPointFor(
   					new LoginUrlAuthenticationEntryPoint(CUSTOM_LOGIN_PAGE_URI),
   					new MediaTypeRequestMatcher(MediaType.TEXT_HTML)
   				)
   			)
   			.oauth2ResourceServer(resourceServer -> resourceServer
   				.jwt(Customizer.withDefaults()) 
   			)
   		.apply(authzServerConfigurer); 
           
   		return http.build();
   	}
   

   As result (and since I applied my own OAuth2TokenCustomizer method), these classes are not included in my project anymore:

   • FederatedIdentityIdTokenCustomizer

   • UserRepositoryOauth2UserHandler

   • DeviceClientAuthenticationProvider

   • DeviceClientAuthenticationToken

   • DeviceController

   • DeviceClientAuthenticationConverter

7. I modified the Oauth2AuthorizationService method since I had to resolve the issue n. 397:

   	@Bean
       public OAuth2AuthorizationService authorizationService(JdbcTemplate jdbcTemplate,
                                                              RegisteredClientRepository registeredClientRepository) {
           JdbcOAuth2AuthorizationService authorizationService =
                   new JdbcOAuth2AuthorizationService(jdbcTemplate, registeredClientRepository);
           JdbcOAuth2AuthorizationService.OAuth2AuthorizationRowMapper rowMapper =
                   new JdbcOAuth2AuthorizationService.OAuth2AuthorizationRowMapper(registeredClientRepository);
           JdbcOAuth2AuthorizationService.OAuth2AuthorizationParametersMapper oAuth2AuthorizationParametersMapper =
                   new JdbcOAuth2AuthorizationService.OAuth2AuthorizationParametersMapper();
   
           ObjectMapper objectMapper = new ObjectMapper();
           ClassLoader classLoader = JdbcOAuth2AuthorizationService.class.getClassLoader();
           List<Module> securityModules = SecurityJackson2Modules.getModules(classLoader);
           objectMapper.registerModules(securityModules);
           objectMapper.registerModule(new OAuth2AuthorizationServerJackson2Module());
           objectMapper.addMixIn(SecurityUser.class, SecurityUserMixin.class);
   
           rowMapper.setObjectMapper(objectMapper);
           oAuth2AuthorizationParametersMapper.setObjectMapper(objectMapper);
   
           authorizationService.setAuthorizationRowMapper(rowMapper);
           authorizationService.setAuthorizationParametersMapper(oAuth2AuthorizationParametersMapper);
   
           return authorizationService;
           // replace:
   //        return new JdbcOAuth2AuthorizationService(jdbcTemplate, registeredClientRepository);
       }
   

All other classes of the authorization not mentioned are left unchanged from Spring's ones.

Then I implemented a resource server (built with Maven) and a client server (built with Gradle). Both are very similar to those of Spring, but, in the client, I remove device flow authentication logic.

To implement the 3 oauth2 tables I used the default sql scripts for this authorization server version, but I replaced every blob type column with varchar and every timestamp type column with datetime.

To build the authorization server and the resource server I used this maven build command: spring-boot:run.

Projects behaviour and error:

All 3 projects build up correctly, and the registered client configured in my authorization server is saved in the oauth2_registered_client table.

Via browser, I try to access the client server homepage and I'm (correctly) redirected to the authorization server. Here I authenticate with the credentials of a previously registered user, and I'm redirected to the consent page. If I check the database queries in the project logs I see an INSERT INTO oauth2_authorization table query, with a state value, but, if I check the table on the database, no records are available.

In the consent page, the only consent available is profile and after I select that and submit the form, the authorization server goes in a loop where it continues to issue new authorization codes, one every second, and on the browser I get the ERR_TOO_MANY_REDIRECTS error.

In the project's logs (logging.level.org.springframework.security: TRACE) I see no errors: after the GET and POST /oauth2/authorize, the POST oauth2/token, the GET /oauth2/jwks and the GET /userinfo requests, the projects starts again to secure the GET /oauth2/authorize with a different authorization code (and state value!) from the same previous GET.

On the network tab on DevTools, I see some redirects to ...login/code/messaging-client-oidc with different authorization codes and state values, I stop the loading of the page (as I know that would generate the error I mentioned), and if I check the oauth2_authorization table on my database I see a bunch of records with different authorization codes but everyone with a NULL state.

However, If I try to reach one of my resource server endpoints via Postman, the authentication and authorization flow works and I get an access_token after I select the consents required. But still, no state value is saved in the record on the oauth2_authorization table.

Apart from this, if I stopped my authorization server and I plug the Spring one, the authorization flow works perfectly and I'm redirect to the client homepage as expected.

Expected behavior
After I select the profile consent via browser, I should be redirected to the client server homepage, and I should only have one record on the oauth2_authorization table with a valid state value.

[lorenzoAgainAgainAgain]

I know it's not the place to make this type of questions (I already made a post on StackOverflow), but I leave them here to further clarify what my problem is.
To sum up:

1. Can someone explain why, if I use the authorization server provided by Spring instead of my custom authorization server everything seems to work correctly, as I get redirect to the client after the login and the consent selection?
2. Did I miss something downgrading the authorization server project to a version of oauth2-authorization-server dependency without the device flow authentication? Beside this change and my own token customizer, I only used a sql server database instead of an embedded database, so I don't get why the authorization flow is not working just with my custom authorization server.
3. In which class does the authorization server provided by Spring explictly save the state parameter in the oauth2_authorization table? Could it be in the AuthorizationConsentController?
4. Could someone please explain how does the "state" and "nonce" checking work in the oauth2 authorization code flow or suggest me where I can find understandable documentation ?

Please, note that citation of sources for each of the answers is very welcome.

[lorenzoAgainAgainAgain]

Sorry, I saw n. 1314 issue comment you guys made about not cross-post between StackOverflow and GitHub.
If someone has already seen that post, please feel free to close this issue and answer right there.
Sorry again but I'm still new to Github so I'm not familiar on what the terms of use are.

[zhangpan-soft]

I have also created a dead cycle, but I have solved it, and I believe you should have the same problem as me.
In the demo-authorization-server, it defines a UserDetailService in the DefaultSecurityConfig. Therefore, if you redefine another UserDetailService in the AuthorizationServerConfig or elsewhere, you will encounter a life and death loop, infinite redirection problem, because there are two similar authentications, which actually makes the authentication unsuccessful Therefore, if you need to customize UserDetailService, please remove the DefaultSecurityConfig first

[lorenzoAgainAgainAgain]

@zhangpan-soft In my case, the problem was different: the access token generated by my authorization server had a "sub" claim value different from the "sub" claim of the id token, as suggested by @sjohnr . After I changed the id token customizer, to make the "sub" claim values match between the 2 tokens, the problem was solved.
For more details on the error I refer you to this comment.