Define a dedicated `AuthenticationSuccessHandler` for the `OAuth2AuthorizationEndpointFilter`

[yuezk]

spring-security/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilter.java

Lines 349 to 364 in 9126aaf

	private void sendAuthorizationResponse(HttpServletRequest request, HttpServletResponse response,
	Authentication authentication) throws IOException {
	OAuth2AuthorizationCodeRequestAuthenticationToken authorizationCodeRequestAuthentication = (OAuth2AuthorizationCodeRequestAuthenticationToken) authentication;
	UriComponentsBuilder uriBuilder = UriComponentsBuilder
	.fromUriString(authorizationCodeRequestAuthentication.getRedirectUri())
	.queryParam(OAuth2ParameterNames.CODE,
	authorizationCodeRequestAuthentication.getAuthorizationCode().getTokenValue());
	if (StringUtils.hasText(authorizationCodeRequestAuthentication.getState())) {
	uriBuilder.queryParam(OAuth2ParameterNames.STATE,
	UriUtils.encode(authorizationCodeRequestAuthentication.getState(), StandardCharsets.UTF_8));
	}
	// build(true) -> Components are explicitly encoded
	String redirectUri = uriBuilder.build(true).toUriString();
	this.redirectStrategy.sendRedirect(request, response, redirectUri);
	}

Currently, the OAuth2AuthorizationEndpointFilter uses a default private method to handle successful authentication, primarily for response writing. If we want to hook into the success event before the response is written, we have to provide a custom AuthenticationSuccessHandler bean. This works, but we have to duplicate the response writing logic, which is not ideal.

Another approach is to register an AuthenticationSuccessEvent listener and check for the specific authentication type. However, this is less straightforward, and the code flow becomes harder to follow.

By defining a dedicated AuthenticationSuccessHandler for the authorization endpoint filter, we can allow users to reuse the existing response writing logic while still being able to hook into the success event. This would improve extensibility and reduce code duplication.

See also: the OAuth2TokenEndpointFilter has a dedicated handler for the success case: OAuth2AccessTokenResponseAuthenticationSuccessHandler.