From 1d02af11a84eb5d7d70952cbf255c86ecca73ed8 Mon Sep 17 00:00:00 2001
From: yybmion <yunyubin54@gmail.com>
Date: Thu, 3 Apr 2025 15:30:08 +0900
Subject: [PATCH] Add default redirect URI for OAuth2 client registration

When redirect URI is not provided for an OAuth2 client registration with
authorization code grant type, default it to {baseUrl}/login/oauth2/code/{registrationId}.

Closes gh-16377

Signed-off-by: yybmion <yunyubin54@gmail.com>
---
 .../registration/ClientRegistration.java      |  9 ++++++
 .../registration/ClientRegistrationTests.java | 32 +++++++++----------
 2 files changed, 24 insertions(+), 17 deletions(-)

diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistration.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistration.java
index b492a6d8015..49e048e8808 100644
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistration.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistration.java
@@ -476,6 +476,11 @@ public Builder authorizationGrantType(AuthorizationGrantType authorizationGrantT
 		 * Configuring uri template variables is especially useful when the client is
 		 * running behind a Proxy Server. This ensures that the X-Forwarded-* headers are
 		 * used when expanding the redirect-uri.
+		 *
+		 * <br />
+		 * If not specified and authorization grant type is
+		 * {@link AuthorizationGrantType#AUTHORIZATION_CODE}, defaults to
+		 * "{baseUrl}/login/oauth2/code/{registrationId}".
 		 * @param redirectUri the uri (or uri template) for the redirection endpoint
 		 * @return the {@link Builder}
 		 * @since 5.4
@@ -627,6 +632,10 @@ public Builder clientSettings(ClientSettings clientSettings) {
 		 */
 		public ClientRegistration build() {
 			Assert.notNull(this.authorizationGrantType, "authorizationGrantType cannot be null");
+			if (this.redirectUri == null && this.registrationId != null
+					&& AuthorizationGrantType.AUTHORIZATION_CODE.equals(this.authorizationGrantType)) {
+				this.redirectUri = "{baseUrl}/login/oauth2/code/" + this.registrationId;
+			}
 			if (AuthorizationGrantType.CLIENT_CREDENTIALS.equals(this.authorizationGrantType)) {
 				this.validateClientCredentialsGrantType();
 			}
diff --git a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/registration/ClientRegistrationTests.java b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/registration/ClientRegistrationTests.java
index 9dbcbd5a5c8..1bdfd707d5a 100644
--- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/registration/ClientRegistrationTests.java
+++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/registration/ClientRegistrationTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -258,24 +258,22 @@ public void buildWhenAuthorizationCodeGrantClientAuthenticationMethodNotProvided
 	}
 
 	@Test
-	public void buildWhenAuthorizationCodeGrantRedirectUriIsNullThenThrowIllegalArgumentException() {
-		assertThatIllegalArgumentException().isThrownBy(() ->
+	public void buildWhenAuthorizationCodeGrantRedirectUriIsNullThenDefaultsToLoginOAuth2Code() {
 		// @formatter:off
-			ClientRegistration.withRegistrationId(REGISTRATION_ID)
-					.clientId(CLIENT_ID)
-					.clientSecret(CLIENT_SECRET)
-					.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
-					.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
-					.redirectUri(null)
-					.scope(SCOPES.toArray(new String[0]))
-					.authorizationUri(AUTHORIZATION_URI)
-					.tokenUri(TOKEN_URI)
-					.userInfoAuthenticationMethod(AuthenticationMethod.FORM)
-					.jwkSetUri(JWK_SET_URI)
-					.clientName(CLIENT_NAME)
-					.build()
+		ClientRegistration registration = ClientRegistration.withRegistrationId(REGISTRATION_ID)
+				.clientId(CLIENT_ID)
+				.clientSecret(CLIENT_SECRET)
+				.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
+				.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
+				.scope(SCOPES.toArray(new String[0]))
+				.authorizationUri(AUTHORIZATION_URI)
+				.tokenUri(TOKEN_URI)
+				.userInfoAuthenticationMethod(AuthenticationMethod.FORM)
+				.jwkSetUri(JWK_SET_URI)
+				.clientName(CLIENT_NAME)
+				.build();
 		// @formatter:on
-		);
+		assertThat(registration.getRedirectUri()).isEqualTo("{baseUrl}/login/oauth2/code/" + REGISTRATION_ID);
 	}
 
 	// gh-5494