Add authenticationFailureHandlerSetter in Oauth2LoginConfigurer and change InvalidClientRegistrationIdException from package-private to public

Author: leewin12

config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurer.java

@@ -82,6 +82,7 @@
 import org.springframework.security.oauth2.jwt.JwtDecoderFactory;
 import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.security.web.RedirectStrategy;
+import org.springframework.security.web.authentication.AuthenticationFailureHandler;
 import org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint;
 import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
 import org.springframework.security.web.authentication.session.SessionAuthenticationException;
@@ -417,6 +418,10 @@ public void configure(B http) throws Exception {
 			authorizationRequestFilter
 				.setAuthorizationRedirectStrategy(this.authorizationEndpointConfig.authorizationRedirectStrategy);
 		}
+		if (this.authorizationEndpointConfig.authenticationFailureHandler != null) {
+			authorizationRequestFilter
+				.setAuthenticationFailureHandler(this.authorizationEndpointConfig.authenticationFailureHandler);
+		}
 		RequestCache requestCache = http.getSharedObject(RequestCache.class);
 		if (requestCache != null) {
 			authorizationRequestFilter.setRequestCache(requestCache);
@@ -617,6 +622,8 @@ public final class AuthorizationEndpointConfig {
 
 		private RedirectStrategy authorizationRedirectStrategy;
 
+		private AuthenticationFailureHandler authenticationFailureHandler;
+
 		private AuthorizationEndpointConfig() {
 		}
 
@@ -670,6 +677,20 @@ public AuthorizationEndpointConfig authorizationRedirectStrategy(
 			return this;
 		}
 
+		/**
+		 * Sets the {@link AuthenticationFailureHandler} used to handle errors redirecting
+		 * to the Authorization Server's Authorization Endpoint.
+		 * @param authenticationFailureHandler the {@link AuthenticationFailureHandler}
+		 * used to handle errors redirecting to the Authorization Server's Authorization
+		 * Endpoint
+		 * @since 6.3
+		 */
+		public AuthorizationEndpointConfig authenticationFailureHandler(
+				AuthenticationFailureHandler authenticationFailureHandler) {
+			this.authenticationFailureHandler = authenticationFailureHandler;
+			return this;
+		}
+
 		/**
 		 * Returns the {@link OAuth2LoginConfigurer} for further configuration.
 		 * @return the {@link OAuth2LoginConfigurer}

config/src/main/kotlin/org/springframework/security/config/annotation/web/oauth2/login/AuthorizationEndpointDsl.kt

@@ -22,6 +22,7 @@ import org.springframework.security.oauth2.client.web.AuthorizationRequestReposi
 import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestResolver
 import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest
 import org.springframework.security.web.RedirectStrategy
+import org.springframework.security.web.authentication.AuthenticationFailureHandler
 
 /**
  * A Kotlin DSL to configure the Authorization Server's Authorization Endpoint using
@@ -40,13 +41,15 @@ class AuthorizationEndpointDsl {
     var authorizationRequestResolver: OAuth2AuthorizationRequestResolver? = null
     var authorizationRequestRepository: AuthorizationRequestRepository<OAuth2AuthorizationRequest>? = null
     var authorizationRedirectStrategy: RedirectStrategy? = null
+    var authenticationFailureHandler: AuthenticationFailureHandler? = null
 
     internal fun get(): (OAuth2LoginConfigurer<HttpSecurity>.AuthorizationEndpointConfig) -> Unit {
         return { authorizationEndpoint ->
             baseUri?.also { authorizationEndpoint.baseUri(baseUri) }
             authorizationRequestResolver?.also { authorizationEndpoint.authorizationRequestResolver(authorizationRequestResolver) }
             authorizationRequestRepository?.also { authorizationEndpoint.authorizationRequestRepository(authorizationRequestRepository) }
             authorizationRedirectStrategy?.also { authorizationEndpoint.authorizationRedirectStrategy(authorizationRedirectStrategy) }
+            authenticationFailureHandler?.also { authorizationEndpoint.authenticationFailureHandler(authenticationFailureHandler)  }
         }
     }
 }

config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurerTests.java

@@ -28,6 +28,7 @@
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.ArgumentCaptor;
 
 import org.springframework.beans.factory.BeanCreationException;
 import org.springframework.beans.factory.NoUniqueBeanDefinitionException;
@@ -49,6 +50,7 @@
 import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
@@ -68,6 +70,7 @@
 import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
 import org.springframework.security.oauth2.client.web.AuthorizationRequestRepository;
 import org.springframework.security.oauth2.client.web.HttpSessionOAuth2AuthorizationRequestRepository;
+import org.springframework.security.oauth2.client.web.InvalidClientRegistrationIdException;
 import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestResolver;
 import org.springframework.security.oauth2.core.OAuth2AccessToken;
 import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;
@@ -91,6 +94,7 @@
 import org.springframework.security.web.FilterChainProxy;
 import org.springframework.security.web.RedirectStrategy;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.authentication.AuthenticationFailureHandler;
 import org.springframework.security.web.authentication.HttpStatusEntryPoint;
 import org.springframework.security.web.context.HttpRequestResponseHolder;
 import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
@@ -537,6 +541,23 @@ public void requestWhenOauth2LoginWithCustomLoginPageInLambdaThenRedirectCustomL
 		assertThat(this.response.getRedirectedUrl()).matches("http://localhost/custom-login");
 	}
 
+	// gh-13793
+	@Test
+	public void oauth2LoginWithCustomAuthenticationFailureHandlerThenUsedWithInvalidClientRegistrationIdException()
+			throws Exception {
+		loadConfig(OAuth2LoginConfigCustomAuthenticationFailureHandler.class);
+		AuthenticationFailureHandler authenticationFailureHandler = this.context
+			.getBean(OAuth2LoginConfigCustomAuthenticationFailureHandler.class).authenticationFailureHandler;
+		String requestUri = "/oauth2/authorization/invalid-client-registration-id";
+		this.request = new MockHttpServletRequest("GET", requestUri);
+		this.request.setServletPath(requestUri);
+		this.springSecurityFilterChain.doFilter(this.request, this.response, this.filterChain);
+
+		ArgumentCaptor<AuthenticationException> capture = ArgumentCaptor.forClass(AuthenticationException.class);
+		then(authenticationFailureHandler).should().onAuthenticationFailure(any(), any(), capture.capture());
+		assertThat(capture.getValue()).hasCauseInstanceOf(InvalidClientRegistrationIdException.class);
+	}
+
 	@Test
 	public void oidcLogin() throws Exception {
 		// setup application context
@@ -1069,6 +1090,29 @@ SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 
 	}
 
+	@Configuration
+	@EnableWebSecurity
+	static class OAuth2LoginConfigCustomAuthenticationFailureHandler extends CommonSecurityFilterChainConfig {
+
+		AuthenticationFailureHandler authenticationFailureHandler = mock(AuthenticationFailureHandler.class);
+
+		@Bean
+		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+			// @formatter:off
+			http
+					.oauth2Login()
+					.clientRegistrationRepository(
+							new InMemoryClientRegistrationRepository(GOOGLE_CLIENT_REGISTRATION))
+					.authorizationEndpoint((authorizationEndpoint) ->
+							authorizationEndpoint
+									.authenticationFailureHandler(this.authenticationFailureHandler)
+					);
+			// @formatter:on
+			return super.configureFilterChain(http);
+		}
+
+	}
+
 	@Configuration
 	@EnableWebSecurity
 	static class OAuth2LoginConfigWithOidcLogoutSuccessHandler extends CommonSecurityFilterChainConfig {

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/InvalidClientRegistrationIdException.java

@@ -20,7 +20,7 @@
  * @author Steve Riesenberg
  * @since 5.8
  */
-class InvalidClientRegistrationIdException extends IllegalArgumentException {
+public class InvalidClientRegistrationIdException extends IllegalArgumentException {
 
 	/**
 	 * @param message the exception message