Consider logging invalid redirect_uri and scope #1245

Closed
@sjohnr

Description

OAuth2AuthorizationCodeRequestAuthenticationValidator.validateRedirectUri throws OAuth2AuthorizationCodeRequestAuthenticationToken when an invalid redirect_uri is used during the authorization request.

```java
if (!validRedirectUri) {
    throwError(OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ParameterNames.REDIRECT_URI,
            authorizationCodeRequestAuthentication, registeredClient);
}
```

Additionally, OAuth2AuthorizationCodeRequestAuthenticationValidator.validateScope throws the same when an invalid scope is used.

```java
if (!requestedScopes.isEmpty() && !allowedScopes.containsAll(requestedScopes)) {
    throwError(OAuth2ErrorCodes.INVALID_SCOPE, OAuth2ParameterNames.SCOPE,
            authorizationCodeRequestAuthentication, registeredClient);
}
```

We should consider adding a log entry at DEBUG level in OAuth2AuthorizationCodeRequestAuthenticationValidator for each of these cases. This would allow the logging level to be tuned specifically for these messages. If a user customizes the authentication validators, e.g. to add custom redirect_uri validation, they would be responsible for their own logging.
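As an added illustration of the last point (this is example code, not part of the issue or of Spring Authorization Server), the following hypothetical validator wraps the framework's public `DEFAULT_REDIRECT_URI_VALIDATOR` and `DEFAULT_SCOPE_VALIDATOR`, logs each rejection at DEBUG with the error code and the client id, and rethrows so the endpoint's error handling is unchanged. The class name `LoggingAuthorizationRequestValidator`, the `configurer()` helper and the log message format are assumptions; the framework types, the `andThen` composition and `setAuthenticationValidator` are the documented customization hooks.

```java
import java.util.List;
import java.util.function.Consumer;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationContext;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationException;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationProvider;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationValidator;

/**
 * Hypothetical validator (example only): delegates to the framework's default
 * redirect_uri and scope validators and logs each rejection at DEBUG before rethrowing.
 */
public final class LoggingAuthorizationRequestValidator
        implements Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> {

    private static final Log logger = LogFactory.getLog(LoggingAuthorizationRequestValidator.class);

    // Same checks the framework applies by default; only the logging is added here.
    private final Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> delegate =
            OAuth2AuthorizationCodeRequestAuthenticationValidator.DEFAULT_REDIRECT_URI_VALIDATOR
                    .andThen(OAuth2AuthorizationCodeRequestAuthenticationValidator.DEFAULT_SCOPE_VALIDATOR);

    @Override
    public void accept(OAuth2AuthorizationCodeRequestAuthenticationContext context) {
        try {
            this.delegate.accept(context);
        }
        catch (OAuth2AuthorizationCodeRequestAuthenticationException ex) {
            if (logger.isDebugEnabled()) {
                OAuth2AuthorizationCodeRequestAuthenticationToken request = context.getAuthentication();
                OAuth2Error error = ex.getError();
                logger.debug(String.format(
                        "Rejected authorization request for client '%s': %s (redirect_uri=%s, scopes=%s)",
                        context.getRegisteredClient().getClientId(),
                        error.getErrorCode(),
                        sanitize(request.getRedirectUri()),
                        sanitize(String.valueOf(request.getScopes()))));
            }
            // Preserve the framework's error response; logging must not swallow the rejection.
            throw ex;
        }
    }

    // redirect_uri and scope come straight from the request, so strip line breaks
    // before writing them to the log to keep one event per line.
    private static String sanitize(String value) {
        return (value == null) ? "null" : value.replaceAll("[\\r\\n]", "_");
    }

    /**
     * Wires the validator into the authorization endpoint. Pass the result to
     * authorizationEndpoint(...).authenticationProviders(...) on the server configurer.
     */
    public static Consumer<List<AuthenticationProvider>> configurer() {
        return (authenticationProviders) -> authenticationProviders.forEach((authenticationProvider) -> {
            if (authenticationProvider instanceof OAuth2AuthorizationCodeRequestAuthenticationProvider) {
                ((OAuth2AuthorizationCodeRequestAuthenticationProvider) authenticationProvider)
                        .setAuthenticationValidator(new LoggingAuthorizationRequestValidator());
            }
        });
    }
}
```

Registering it is a one-liner in the security configuration: `.authorizationEndpoint(endpoint -> endpoint.authenticationProviders(LoggingAuthorizationRequestValidator.configurer()))`. Because the message is emitted under the wrapper's own logger category, the level can be raised or lowered independently of the rest of the framework, which is the tuning the issue asks for.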
