another cxf workard for authorization_code flow (oauth2-require-user-to-start-authorization_code-flow)
diff --git a/meecrowave-oauth2-minimal/src/main/java/org/apache/meecrowave/oauth2/configuration/OAuth2Options.java b/meecrowave-oauth2-minimal/src/main/java/org/apache/meecrowave/oauth2/configuration/OAuth2Options.java
index 15bdd57..97844a0 100644
--- a/meecrowave-oauth2-minimal/src/main/java/org/apache/meecrowave/oauth2/configuration/OAuth2Options.java
+++ b/meecrowave-oauth2-minimal/src/main/java/org/apache/meecrowave/oauth2/configuration/OAuth2Options.java
@@ -34,6 +34,9 @@
     @CliOption(name = "oauth2-use-all-client-scopes", description = "Are all client scopes used for refresh tokens")
     private boolean useAllClientScopes;
 
+    @CliOption(name = "oauth2-require-user-to-start-authorization_code-flow", description = "Should the authorization_code flow require an authenicated user.")
+    private boolean requireUserToStartAuthorizationCodeFlow;
+
     @CliOption(name = "oauth2-use-s256-code-challenge", description = "Are the code_challenge used by PKCE flow digested or not.")
     private boolean useS256CodeChallenge = true;
 
@@ -178,6 +181,14 @@
     @CliOption(name = "oauth2-redirection-scopes-requiring-no-consent", description = "For authorization code flow, the scopes using no consent")
     private String scopesRequiringNoConsent;
 
+    public boolean isRequireUserToStartAuthorizationCodeFlow() {
+        return requireUserToStartAuthorizationCodeFlow;
+    }
+
+    public void setRequireUserToStartAuthorizationCodeFlow(final boolean requireUserToStartAuthorizationCodeFlow) {
+        this.requireUserToStartAuthorizationCodeFlow = requireUserToStartAuthorizationCodeFlow;
+    }
+
     public boolean isUseS256CodeChallenge() {
         return useS256CodeChallenge;
     }
diff --git a/meecrowave-oauth2-minimal/src/main/java/org/apache/meecrowave/oauth2/resource/OAuth2AuthorizationCodeGrantService.java b/meecrowave-oauth2-minimal/src/main/java/org/apache/meecrowave/oauth2/resource/OAuth2AuthorizationCodeGrantService.java
index f8a2e76..7cd2582 100644
--- a/meecrowave-oauth2-minimal/src/main/java/org/apache/meecrowave/oauth2/resource/OAuth2AuthorizationCodeGrantService.java
+++ b/meecrowave-oauth2-minimal/src/main/java/org/apache/meecrowave/oauth2/resource/OAuth2AuthorizationCodeGrantService.java
@@ -19,9 +19,13 @@
 package org.apache.meecrowave.oauth2.resource;
 
 import org.apache.cxf.jaxrs.ext.MessageContext;
+import org.apache.cxf.rs.security.oauth2.common.Client;
 import org.apache.cxf.rs.security.oauth2.common.UserSubject;
+import org.apache.cxf.rs.security.oauth2.provider.AuthorizationCodeResponseFilter;
+import org.apache.cxf.rs.security.oauth2.provider.AuthorizationRequestFilter;
 import org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService;
 import org.apache.cxf.rs.security.oauth2.services.RedirectionBasedGrantService;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
 import org.apache.cxf.security.SecurityContext;
 import org.apache.meecrowave.oauth2.configuration.OAuth2Configurer;
 
@@ -88,11 +92,35 @@
     @Vetoed
     public static class LazyImpl extends AuthorizationCodeGrantService {
         private OAuth2Configurer configurer;
+        private AuthorizationRequestFilter filter;
 
         public void setConfigurer(final OAuth2Configurer configurer) {
             this.configurer = configurer;
         }
 
+        public void setAuthorizationFilter(final AuthorizationRequestFilter authorizationFilter) {
+            this.filter = authorizationFilter;
+            super.setAuthorizationFilter(authorizationFilter);
+        }
+
+
+        @Override // https://issues.apache.org/jira/browse/CXF-8370
+        protected Response startAuthorization(MultivaluedMap<String, String> params) {
+            final SecurityContext sc;
+            if (configurer.getConfiguration().isRequireUserToStartAuthorizationCodeFlow()) {
+                sc = getAndValidateSecurityContext(params);
+            } else {
+                sc = null;
+            }
+            final Client client = getClient(params.getFirst(OAuthConstants.CLIENT_ID), params);
+            final UserSubject userSubject = createUserSubject(sc, params);
+            if (filter != null) {
+                params = filter.process(params, userSubject, client);
+            }
+            final String redirectUri = validateRedirectUri(client, params.getFirst(OAuthConstants.REDIRECT_URI));
+            return startAuthorization(params, userSubject, client, redirectUri);
+        }
+
         @Override
         protected UserSubject createUserSubject(final SecurityContext securityContext,
                                                 final MultivaluedMap<String, String> params) {
@@ -101,6 +129,9 @@
             if (subject != null) {
                 return subject;
             }
+            if (securityContext == null) {
+                return null;
+            }
             final Principal principal = securityContext.getUserPrincipal();
             return configurer.doCreateUserSubject(principal);
         }