Description
Summary / Expected Behavior
When using @EnableGlobalMultiFactorAuthentication with Spring Security, the framework currently defaults the authentication entry point for missing factors to the one used for general exception handling (e.g., ExceptionTranslationFilter's default AuthenticationEntryPoint).
I request the ability to customize this default authentication entry point for MFA flows, similar to how the accessDeniedHandler can be customized. This would allow developers to dynamically determine the login mechanism (e.g., redirect URL) based on the current request context before the initial authentication process begins.
Detailed Use Case
I am implementing an OAuth 2.0 Authorization Code Flow where the desired initial login experience is conditional.
If the authorization request includes a specific parameter, e.g., login-mode=ott, the user should be redirected to a One-Time Token (OTT) login page.
Otherwise, the user should be redirected to the standard login form.
I attempted to use a SecurityMatcher combined with hasRole() (for the required factor) and a custom LoginUrlAuthenticationEntryPoint to handle this logic. However, this approach fails because:
The MFA factor check (for PASSWORD/OTT factors) does not result in an AccessDeniedException.
Consequently, the attribute WebAttributes.REQUIRED_FACTOR_ERRORS is not set, and the configured LoginUrlAuthenticationEntryPoint logic is bypassed, as it's not treated as an access-denied scenario that would trigger the missing factor handling.
The current design prevents a clean way to apply request-specific authentication entry point logic (like parameter checking) before the factor completion process begins.
Current Behavior
When configuring Spring Security with @EnableGlobalMultiFactorAuthentication and two factors (e.g., PASSWORD/OTT), the application:
By default, uses a single LoginUrlAuthenticationEntryPoint as the factor completion mechanism.
After initial login/authentication, it proposes using a DelegatingMissingAuthorityAccessDeniedHandler for subsequent factor checks.
This singular entry point is restrictive and lacks the necessary customization hook for dynamic flow selection.
Context
Spring Security Version: 7.0.0-SNAPSHOT (or latest stable version if applicable)
Workarounds (and why they are suboptimal)
A custom AuthenticationEntryPoint could be created that checks for the login-mode request parameter. However, this is less elegant and less declarative than leveraging a dedicated security matcher/hook tailored for default MFA entry points, which would align with the existing pattern for customizing accessDeniedHandler.
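The workaround sketched above, written out as an added example that is not code from the Spring Security project or from the issue author. It shows the one thing the failed SecurityMatcher/hasRole() attempt (described under the use case) cannot do: choose the login page from the login-mode parameter at the moment the entry point is invoked. Assumptions: Spring Security 7.x servlet APIs (jakarta.servlet), a form login page at /login, a one-time-token login page at /ott/login, and the class name LoginModeAuthenticationEntryPoint, all of which are hypothetical. Since the issue notes that the missing-factor entry point currently defaults to the one configured for ExceptionTranslationFilter, the entry point is wired through exceptionHandling(); whether that also covers the MFA factor-check path is exactly the question the issue raises, so @EnableGlobalMultiFactorAuthentication is deliberately left out here.

```java
// Added illustration for this issue, not Spring Security project code.
// Assumptions: Spring Security 7.x (jakarta.servlet), form login at /login,
// one-time-token login at /ott/login; class and path names are hypothetical.
package com.example.security;

import java.io.IOException;
import java.util.Map;

import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;

/**
 * Chooses the login page from the login-mode request parameter and delegates to a
 * LoginUrlAuthenticationEntryPoint per mode. The parameter only selects from a fixed
 * allow-list of delegates and never becomes part of the redirect target, so a
 * caller cannot turn it into an open redirect; unknown or missing values fall back
 * to the standard form login.
 */
public class LoginModeAuthenticationEntryPoint implements AuthenticationEntryPoint {

    static final String LOGIN_MODE_PARAM = "login-mode";

    private final Map<String, AuthenticationEntryPoint> delegates;
    private final AuthenticationEntryPoint fallback;

    public LoginModeAuthenticationEntryPoint() {
        this.fallback = new LoginUrlAuthenticationEntryPoint("/login");
        this.delegates = Map.of("ott", new LoginUrlAuthenticationEntryPoint("/ott/login"));
    }

    // Selection logic kept separate so it can be unit-tested with a mock request.
    AuthenticationEntryPoint select(HttpServletRequest request) {
        String mode = request.getParameter(LOGIN_MODE_PARAM);
        if (mode == null) {
            return fallback;
        }
        return delegates.getOrDefault(mode, fallback);
    }

    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException authException) throws IOException, ServletException {
        // The request passed here is the one that triggered the entry point, so the
        // login-mode parameter of the original authorization request is still visible.
        select(request).commence(request, response, authException);
    }
}

@Configuration
@EnableWebSecurity
class LoginModeSecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            .oneTimeTokenLogin(Customizer.withDefaults())
            // Replaces the default entry point used by ExceptionTranslationFilter.
            .exceptionHandling(ex ->
                ex.authenticationEntryPoint(new LoginModeAuthenticationEntryPoint()));
        return http.build();
    }
}
```

The allow-list design is the part worth keeping even if a dedicated MFA hook is added later: whatever mechanism ends up selecting the entry point, the request parameter should map to a pre-built delegate rather than being concatenated into a URL, and the fallback should be the most restrictive option rather than an error page that leaks which login modes exist.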