Description
Describe the bug
I have tried both samples with 3 different browsers (Chrome, Safari, Firefox) on Mac OS 15.3.1. In all cases, as soon as I submit the consent the browsers complain about incorrect redirects.
To Reproduce
- Start the samples as described on GitHub
- Browse to http://localhost:8080 (or 4200 for the Angular example)
- Log in with user1 \ password
- Give consent (this step is not even possible in Chrome. No mouse and keyboard interaction is possible)
- Press submit
- The browsers complain about incorrect redirects
In the logs I see:
```
> Task :samples-demo-authorizationserver:bootRun
  .   ____          _            __ _ _
 /\\ / ___'_ __ _ _(_)_ __  __ _ \ \ \ \
( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
 \\/  ___)| |_)| | | | | || (_| |  ) ) ) )
  '  |____| .__|_| |_|_| |_\__, | / / / /
 =========|_|==============|___/=/_/_/_/
 :: Spring Boot ::                (v3.2.2)
2025-02-24T07:59:34.868+01:00 INFO 21542 --- [ main] s.DemoAuthorizationServerApplication : Starting DemoAuthorizationServerApplication using Java 17.0.10 with PID 21542 (/Users/mgemis/Projects/p4/awp/prepress/archive/experiments/spring-authorization-server-main/samples/demo-authorizationserver/build/classes/java/main started by mgemis in /Users/mgemis/Projects/p4/awp/prepress/archive/experiments/spring-authorization-server-main/samples/demo-authorizationserver)
2025-02-24T07:59:34.870+01:00 INFO 21542 --- [ main] s.DemoAuthorizationServerApplication : No active profile set, falling back to 1 default profile: "default"
2025-02-24T07:59:35.495+01:00 INFO 21542 --- [ main] o.s.b.w.embedded.tomcat.TomcatWebServer : Tomcat initialized with ports 9443 (https), 9000 (http)
2025-02-24T07:59:35.502+01:00 INFO 21542 --- [ main] o.apache.catalina.core.StandardService : Starting service [Tomcat]
2025-02-24T07:59:35.502+01:00 INFO 21542 --- [ main] o.apache.catalina.core.StandardEngine : Starting Servlet engine: [Apache Tomcat/10.1.18]
2025-02-24T07:59:35.526+01:00 INFO 21542 --- [ main] o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring embedded WebApplicationContext
2025-02-24T07:59:35.527+01:00 INFO 21542 --- [ main] w.s.c.ServletWebServerApplicationContext : Root WebApplicationContext: initialization completed in 638 ms
2025-02-24T07:59:35.555+01:00 INFO 21542 --- [ main] o.s.j.d.e.EmbeddedDatabaseFactory : Starting embedded database: url='jdbc:h2:mem:029a7b9a-f93e-440f-9c49-0037b56005aa;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=false', username='sa'
2025-02-24T07:59:35.730+01:00 WARN 21542 --- [ main] o.s.security.core.userdetails.User : User.withDefaultPasswordEncoder() is considered unsafe for production and is only intended for sample applications.
2025-02-24T07:59:35.822+01:00 INFO 21542 --- [ main] r$InitializeUserDetailsManagerConfigurer : Global AuthenticationManager configured with UserDetailsService bean with name users
2025-02-24T07:59:36.478+01:00 WARN 21542 --- [ main] org.apache.tomcat.util.net.SSLUtilBase : The JSSE TLS 1.3 implementation does not support post handshake authentication (PHA) and is therefore incompatible with optional certificate authentication
2025-02-24T07:59:36.588+01:00 INFO 21542 --- [ main] o.a.t.util.net.NioEndpoint.certificate : Connector [https-jsse-nio-9443], TLS virtual host [default], certificate type [UNDEFINED] configured from keystore [/Users/mgemis/.keystore] using alias [demo-authorizationserver-sample] with trust store [null]
2025-02-24T07:59:36.595+01:00 INFO 21542 --- [ main] o.s.b.w.embedded.tomcat.TomcatWebServer : Tomcat started on ports 9443 (https), 9000 (http) with context path ''
2025-02-24T07:59:36.601+01:00 INFO 21542 --- [ main] s.DemoAuthorizationServerApplication : Started DemoAuthorizationServerApplication in 1.897 seconds (process running for 2.058)
2025-02-24T07:59:57.974+01:00 INFO 21542 --- [nio-9000-exec-1] o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring DispatcherServlet 'dispatcherServlet'
2025-02-24T07:59:57.974+01:00 INFO 21542 --- [nio-9000-exec-1] o.s.web.servlet.DispatcherServlet : Initializing Servlet 'dispatcherServlet'
2025-02-24T07:59:57.975+01:00 INFO 21542 --- [nio-9000-exec-1] o.s.web.servlet.DispatcherServlet : Completed initialization in 1 ms
2025-02-24T08:06:37.194+01:00 ERROR 21542 --- [nio-9000-exec-2] o.a.c.c.C.[.[.[/].[dispatcherServlet] : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Filter execution threw an exception] with root cause
java.lang.NoSuchFieldError: DPOP
    at org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2EndpointUtils.validateAndAddDPoPParametersIfAvailable(OAuth2EndpointUtils.java:111) ~[spring-security-oauth2-authorization-server-1.5.0-SNAPSHOT.jar:1.5.0-SNAPSHOT]
    at org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2AuthorizationCodeAuthenticationConverter.convert(OAuth2AuthorizationCodeAuthenticationConverter.java:87) ~[spring-security-oauth2-authorization-server-1.5.0-SNAPSHOT.jar:1.5.0-SNAPSHOT]
    at org.springframework.security.web.authentication.DelegatingAuthenticationConverter.convert(DelegatingAuthenticationConverter.java:51) ~[spring-security-web-6.3.7.jar:6.3.7]
```
and
```
> Task :samples-demo-client:bootRun
  .   ____          _            __ _ _
 /\\ / ___'_ __ _ _(_)_ __  __ _ \ \ \ \
( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
 \\/  ___)| |_)| | | | | || (_| |  ) ) ) )
  '  |____| .__|_| |_|_| |_\__, | / / / /
 =========|_|==============|___/=/_/_/_/
 :: Spring Boot ::                (v3.2.2)
2025-02-24T07:59:57.100+01:00 INFO 21604 --- [ main] sample.DemoClientApplication : Starting DemoClientApplication using Java 17.0.10 with PID 21604 (/Users/mgemis/Projects/p4/awp/prepress/archive/experiments/spring-authorization-server-main/samples/demo-client/build/classes/java/main started by mgemis in /Users/mgemis/Projects/p4/awp/prepress/archive/experiments/spring-authorization-server-main/samples/demo-client)
2025-02-24T07:59:57.102+01:00 INFO 21604 --- [ main] sample.DemoClientApplication : No active profile set, falling back to 1 default profile: "default"
2025-02-24T07:59:57.843+01:00 INFO 21604 --- [ main] o.s.b.w.embedded.tomcat.TomcatWebServer : Tomcat initialized with port 8080 (http)
2025-02-24T07:59:57.848+01:00 INFO 21604 --- [ main] o.apache.catalina.core.StandardService : Starting service [Tomcat]
2025-02-24T07:59:57.848+01:00 INFO 21604 --- [ main] o.apache.catalina.core.StandardEngine : Starting Servlet engine: [Apache Tomcat/10.1.18]
2025-02-24T07:59:57.875+01:00 INFO 21604 --- [ main] o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring embedded WebApplicationContext
2025-02-24T07:59:57.875+01:00 INFO 21604 --- [ main] w.s.c.ServletWebServerApplicationContext : Root WebApplicationContext: initialization completed in 756 ms
2025-02-24T07:59:58.480+01:00 INFO 21604 --- [ main] o.s.b.a.w.s.WelcomePageHandlerMapping : Adding welcome page template: index
2025-02-24T07:59:58.615+01:00 WARN 21604 --- [ main] o.s.s.c.a.web.builders.WebSecurity : You are asking Spring Security to ignore Deferred [Mvc [pattern='/webjars/'], Ant [pattern='/webjars/']]. This is not recommended -- please use permitAll via HttpSecurity#authorizeHttpRequests instead.
2025-02-24T07:59:58.615+01:00 WARN 21604 --- [ main] o.s.s.c.a.web.builders.WebSecurity : You are asking Spring Security to ignore Deferred [Mvc [pattern='/assets/'], Ant [pattern='/assets/']]. This is not recommended -- please use permitAll via HttpSecurity#authorizeHttpRequests instead.
2025-02-24T07:59:58.707+01:00 INFO 21604 --- [ main] o.s.b.w.embedded.tomcat.TomcatWebServer : Tomcat started on port 8080 (http) with context path ''
2025-02-24T07:59:58.712+01:00 INFO 21604 --- [ main] sample.DemoClientApplication : Started DemoClientApplication in 1.787 seconds (process running for 1.948)
2025-02-24T08:00:26.906+01:00 INFO 21604 --- [nio-8080-exec-1] o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring DispatcherServlet 'dispatcherServlet'
2025-02-24T08:00:26.906+01:00 INFO 21604 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : Initializing Servlet 'dispatcherServlet'
2025-02-24T08:00:26.907+01:00 INFO 21604 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : Completed initialization in 1 ms
2025-02-24T08:06:37.199+01:00 ERROR 21604 --- [nio-8080-exec-8] o.a.c.c.C.[.[.[/].[dispatcherServlet] : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception
java.lang.IllegalArgumentException: The authorization server responded to this Authorization Code grant request with an empty body; as such, it cannot be materialized into an OAuth2AccessTokenResponse instance. Please check the HTTP response code in your server logs for more details.
    at org.springframework.util.Assert.notNull(Assert.java:172) ~[spring-core-6.1.3.jar:6.1.3]
    at org.springframework.security.oauth2.client.endpoint.DefaultAuthorizationCodeTokenResponseClient.getTokenResponse(DefaultAuthorizationCodeTokenResponseClient.java:85) ~[spring-security-oauth2-client-6.3.7.jar:6.3.7]
    at org.springframework.security.oauth2.client.endpoint.DefaultAuthorizationCodeTokenResponseClient.getTokenResponse(DefaultAuthorizationCodeTokenResponseClient.java:56) ~[spring-security-oauth2-client-6.3.7.jar:6.3.7]
```
Expected behavior
The examples should work as advertised.