This commit fixes the infinite redirect, somewhat. See updated issue #8.

openid-connect-server/src/main/java/org/mitre/oauth2/web/OAuthConfirmationController.java

@@ -34,7 +34,7 @@ public class OAuthConfirmationController {
 		this.clientService = clientService;
 	}
 	
-	@PreAuthorize("hasRole('ROLE_USER')")
+	//@PreAuthorize("hasRole('ROLE_USER')")
 	@RequestMapping("/oauth/confirm_access")
 	public ModelAndView confimAccess(@ModelAttribute AuthorizationRequest clientAuth, 
 			ModelAndView modelAndView) {

openid-connect-server/src/main/webapp/WEB-INF/spring/appServlet/servlet-context.xml

@@ -54,7 +54,9 @@
 	<oauth:authorization-server client-details-service-ref="defaultOAuth2ClientDetailsEntityService" 
 		token-services-ref="defaultOAuth2ProviderTokenService" token-granter-ref="connectAuthCodeTokenGranter"
 		user-approval-handler-ref="userApprovalHandler"
-		authorization-endpoint-url="/openidconnect/auth" token-endpoint-url="/openidconnect/token">
+		authorization-endpoint-url="/openidconnect/auth" token-endpoint-url="/openidconnect/token"
+		user-approval-page="redirect:/oauth/confirm_access"
+		>
 		<oauth:authorization-code authorization-code-services-ref="authCodeServices" />
 	</oauth:authorization-server>
 

openid-connect-server/src/main/webapp/WEB-INF/spring/application-context.xml

@@ -23,7 +23,8 @@
 
 	<security:global-method-security pre-post-annotations="enabled" proxy-target-class="true" authentication-manager-ref="springSecurityAuthenticationManager"/>
 
-	<http pattern="/oauth/token" create-session="stateless" authentication-manager-ref="clientAuthenticationManager" 
+<!-- 4/11 AANGANES trying:remove "create-session="stateless"" from below statement -->
+	<http pattern="/oauth/token" authentication-manager-ref="clientAuthenticationManager" 
 		xmlns="http://www.springframework.org/schema/security">
 		<intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />
 		<anonymous enabled="false" />