According to my research doing the pkce authorization code flow the authorize endpoint is called first, then you login, then you get your token. Some providers such as microsoft allow you to combine /authorize and /login, but it seems that authorization server requires that you either login first, or combine them.
I'm going to reference other vendor documentation here
The reason I believe what I'm saying is true is because my code is terminating at this method which does not allow for unauthenticated or anonymous users. However, my understanding of the flow at this point is that user authentication should be optional here.
I'm making this feature request since my goal is to mimic Auth0 so that my CI doesn't need the internet, and that I could also develop locally without the internet, or attachment to a single service provider.
According to my research doing the pkce authorization code flow the authorize endpoint is called first, then you login, then you get your token. Some providers such as microsoft allow you to combine /authorize and /login, but it seems that authorization server requires that you either login first, or combine them.
I'm going to reference other vendor documentation here
The reason I believe what I'm saying is true is because my code is terminating at this method which does not allow for unauthenticated or anonymous users. However, my understanding of the flow at this point is that user authentication should be optional here.
https://github.com/spring-projects/spring-authorization-server/blob/af5284974a699d1acff775a2f8b1f6a3b474c71d/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeRequestAuthenticationProvider.java#L156
I'm making this feature request since my goal is to mimic Auth0 so that my CI doesn't need the internet, and that I could also develop locally without the internet, or attachment to a single service provider.
my code at this time