I'm setting up a Spring Authorization Server with Spring Boot Starter Security 3.4.1 and spring-boot-starter-oauth2-authorization-server 3.4.1. While the server generally starts without errors, I’m getting an HTTP 401 whenever I try to access the /oauth2/authorize endpoint with response_type=code (i.e., the Authorization Code flow). Below are details of my configuration and the logs from a failed request. Any guidance on what might be missing or misconfigured is greatly appreciated.
I enabled debug logs for org.springframework.security and org.springframework.security.oauth2:
logging:
  level:
    org.springframework.security: DEBUG
    org.springframework.security.oauth2: DEBUG
Log Snippet:
2025-01-09T06:13:02.200-08:00 INFO 17686 --- [sample-auth-server] [nio-8090-exec-1] o.a.c.c.C.[.[localhost].[/sample] : Initializing Spring DispatcherServlet 'dispatcherServlet'
2025-01-09T06:13:02.200-08:00 INFO 17686 --- [sample-auth-server] [nio-8090-exec-1] o.s.web.servlet.DispatcherServlet : Initializing Servlet 'dispatcherServlet'
2025-01-09T06:13:02.201-08:00 INFO 17686 --- [sample-auth-server] [nio-8090-exec-1] o.s.web.servlet.DispatcherServlet : Completed initialization in 0 ms
2025-01-09T06:13:02.211-08:00 DEBUG 17686 --- [sample-auth-server] [nio-8090-exec-1] o.s.security.web.FilterChainProxy : Securing GET /oauth2/authorize?response_type=code&client_id=demo-client&scope=openid%20profile&redirect_uri=http://127.0.0.1:8090/sample/login/oauth2/code/demo-client
2025-01-09T06:13:02.222-08:00 DEBUG 17686 --- [sample-auth-server] [nio-8090-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter : Set SecurityContextHolder to anonymous SecurityContext
2025-01-09T06:13:02.233-08:00 DEBUG 17686 --- [sample-auth-server] [nio-8090-exec-1] o.s.s.w.s.HttpSessionRequestCache : Saved request http://localhost:8090/sample/oauth2/authorize?response_type=code&client_id=demo-client&scope=openid%20profile&redirect_uri=http://127.0.0.1:8090/sample/login/oauth2/code/demo-client&continue to session
2025-01-09T06:13:02.233-08:00 DEBUG 17686 --- [sample-auth-server] [nio-8090-exec-1] s.w.a.DelegatingAuthenticationEntryPoint : Trying to match using Or [Ant [pattern='/oauth2/token', POST], Ant [pattern='/oauth2/introspect', POST], Ant [pattern='/oauth2/revoke', POST], Ant [pattern='/oauth2/device_authorization', POST]]
2025-01-09T06:13:02.234-08:00 DEBUG 17686 --- [sample-auth-server] [nio-8090-exec-1] s.w.a.DelegatingAuthenticationEntryPoint : Trying to match using And [Not [RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]], MediaTypeRequestMatcher [contentNegotiationStrategy=org.springframework.web.accept.ContentNegotiationManager@6c368f1a, matchingMediaTypes=[application/xhtml+xml, image/*, text/html, text/plain], useEquals=false, ignoredMediaTypes=[*/*]]]
2025-01-09T06:13:02.235-08:00 DEBUG 17686 --- [sample-auth-server] [nio-8090-exec-1] s.w.a.DelegatingAuthenticationEntryPoint : Trying to match using Or [org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer$BearerTokenRequestMatcher@65cc5252, RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest], And [Not [MediaTypeRequestMatcher [contentNegotiationStrategy=org.springframework.web.accept.ContentNegotiationManager@6c368f1a, matchingMediaTypes=[text/html], useEquals=false, ignoredMediaTypes=[]]], MediaTypeRequestMatcher [contentNegotiationStrategy=org.springframework.web.accept.ContentNegotiationManager@6c368f1a, matchingMediaTypes=[application/atom+xml, application/x-www-form-urlencoded, application/json, application/octet-stream, application/xml, multipart/form-data, text/xml], useEquals=false, ignoredMediaTypes=[*/*]]], MediaTypeRequestMatcher [contentNegotiationStrategy=org.springframework.web.accept.ContentNegotiationManager@6c368f1a, matchingMediaTypes=[*/*], useEquals=true, ignoredMediaTypes=[]]]
2025-01-09T06:13:02.235-08:00 DEBUG 17686 --- [sample-auth-server] [nio-8090-exec-1] s.w.a.DelegatingAuthenticationEntryPoint : Match found! Executing org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationEntryPoint@1151d54b
Observations / Questions:
401 Instead of 302: I’d expect a 302 redirect to the login form. Instead, I get 401.
Am I missing something in my HttpSecurity setup?
Endpoints Matcher: Confirmed that authorizationServerConfigurer.getEndpointsMatcher() should include /oauth2/authorize. Possibly it’s not recognized, or the flow is expecting a user session in a different chain.
Multiple Chains?: I tried to keep everything in one chain for the Authorization Server. Could that cause confusion with user login?
Any insight into why /oauth2/authorize returns 401—and how to properly redirect to the login form for Authorization Code—would be greatly appreciated.
Thanks in advance!
Hello Spring Team,
Link to public GitHub sample project to reproduce: https://github.com/tomotoyinbo/sample-auth-server
Java Version: 22
Build tool: Maven
Below is an example Postman / cURL request:
curl -i -X GET "http://localhost:8080/oauth2/authorize?response_type=code&client_id=demo-client&redirect_uri=http://127.0.0.1:8080/login/oauth2/code/demo-client&scope=openid%20profile"
Response:
HTTP/1.1 401
WWW-Authenticate: Bearer
{
"error": "Unauthorized"
}
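Reading the log lines above: the delegating entry point's HTML-oriented matcher lists `ignoredMediaTypes=[*/*]`, so a cURL request with its default `Accept: */*` never matches it and falls through to the last matcher, which maps to `BearerTokenAuthenticationEntryPoint` and answers 401 instead of a 302 (sending `-H "Accept: text/html"` from cURL, as a browser does, would match the HTML matcher instead). As an added example that is not the reporter's code or the project's own, here is the two-chain layout from the Spring Authorization Server reference with an explicit `defaultAuthenticationEntryPointFor` on the authorization server chain; the class name, the `/login` path and the bean method names are assumptions.

```java
// Added example (not the reporter's or the project's own code): the two-chain
// layout from the Spring Authorization Server reference. Assumed names:
// SecurityConfig, the /login path and the bean method names.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.MediaType;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.oauth2.server.authorization.OAuth2AuthorizationServerConfigurer;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.util.matcher.MediaTypeRequestMatcher;

@Configuration
public class SecurityConfig {
    // Chain 1: only the protocol endpoints (/oauth2/authorize, /oauth2/token, ...).
    @Bean
    @Order(1)
    SecurityFilterChain authorizationServerChain(HttpSecurity http) throws Exception {
        OAuth2AuthorizationServerConfigurer authorizationServer =
                OAuth2AuthorizationServerConfigurer.authorizationServer();
        http
            .securityMatcher(authorizationServer.getEndpointsMatcher())
            .with(authorizationServer, server -> server.oidc(Customizer.withDefaults()))
            .authorizeHttpRequests(authorize -> authorize.anyRequest().authenticated())
            // An unauthenticated HTML request to /oauth2/authorize gets a 302 to /login.
            // Without an explicit HTML entry point, the one registered by the resource
            // server below can win and answer 401 + WWW-Authenticate: Bearer instead.
            .exceptionHandling(exceptions -> exceptions
                .defaultAuthenticationEntryPointFor(
                    new LoginUrlAuthenticationEntryPoint("/login"),
                    new MediaTypeRequestMatcher(MediaType.TEXT_HTML)))
            // Only needed if this server also accepts its own JWTs (e.g. for /userinfo);
            // assumed: Spring Boot's starter auto-configures the JwtDecoder it requires.
            .oauth2ResourceServer(resourceServer -> resourceServer.jwt(Customizer.withDefaults()));
        return http.build();
    }

    // Chain 2: everything else, including the /login page that chain 1 redirects to.
    @Bean
    @Order(2)
    SecurityFilterChain defaultChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authorize -> authorize.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}
```

With this layout the authorization server chain only ever sees the protocol endpoints, so user login cannot be swallowed by the Bearer entry point, and the form login page itself is served by the second chain.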