Merge updates for Boot 3.4.0 (#235)

Ease OAuth2 clients response status for unauthorized requests (return
401 in case of single page or mobile frontends).

Enable Back-Channel Logout RP endpoint for Spring Clients with
oauth2Login. Works even with cookie-based protection against
CSRF and logout+jwt tokens.

Auto-configured RestClient and WebClient instances as named beans

OAuthentication extends AbstractOAuth2TokenAuthenticationToken

Auto-configure timeouts on RestClient and WebClient

Boot 3.4.0

README.MD

@@ -1,26 +1,19 @@
 # Ease OAuth2 / OpenID Configuration & Tests in Spring Boot 3 
 
-## What's new in the `8.x` branch
+## What's new in `8.0.0`
 
-`8.0.0-RC1`, is out. It is designed to work with Spring Boot `3.4.0-RC1`, Security `6.4.0-RC1`, and Cloud `2024.0.0-M2`.
+`8.0.0`, is out. It is designed to work with Spring Boot `3.4.0` (Security `6.4.0` and Cloud `2024.0.0`).
 
-- [`spring-addons-starter-rest`](https://github.com/ch4mpy/spring-addons/tree/master/spring-addons-starter-rest) is gaining in maturity. It can now expose as `@Bean` some `RestClient` and `WebClient` instances (or builders) with the following configured using application properties:
+- [`spring-addons-starter-rest`](https://github.com/ch4mpy/spring-addons/tree/master/spring-addons-starter-rest) now expose as `@Bean` some `RestClient` and `WebClient` instances (or builders) with the following configured using application properties:
   - Base URI
   - `Basic` or `Bearer` authorization. For the second, with a choice of using an OAuth2 client registration or forwarding the access token in the security context.
   - Connection & read timeouts
   - HTTP or SOCKS proxy, with consideration of the standard `HTTP_PROXY` and `NO_PROXY` environment variables (finer-grained configuration can be applied with custom properties)
 - [`spring-addons-starter-oidc`](https://github.com/ch4mpy/spring-addons/tree/master/spring-addons-starter-oidc) auto-configuration for `oauth2Login` is improved with:
-  - Working [Back-Channel Logout](https://openid.net/specs/openid-connect-backchannel-1_0.html) (at last :/).
-  - Configurable status for unauthorized requests. The default is still `302 Found` (redirect to login), but it's a snap to change it to `401 Unauthorized` (BFF for single page or mobile applications, stateful REST APIs, ...).
-- `OAuthentication` now extends `AbstractOAuth2TokenAuthenticationToken`. This makes integrating with the rest of the Spring Security ecosystem easier but requires its `principal` to implement `OAuth2Token`. Migration guide:
-  - if using `OpenidClaimSet` directly, wrap it in an `OpenidToken`; if extending it, extend `OpenidToken` instead.
-  - move the token string argument from the `OAuthentication` constructor to the `principal` one (probably an `OpenidToken`)
-```java
-new OAuthentication<>(new OpenidClaimSet(claims), authorities, tokenString);
-```
-becomes
-```java
-new OAuthentication<>(new OpenidToken(new OpenidClaimSet(claims), tokenString), authorities);
+  - Working [Back-Channel Logout](https://openid.net/specs/openid-connect-backchannel-1_0.html), even with cookie-based CSRF protection and `logout+jwt` tokens (which makes it finally usable with [OAuth2 BFF](https://www.baeldung.com/spring-cloud-gateway-bff-oauth2) & [Keycloak](https://www.baeldung.com/spring-boot-keycloak)).
+  - Configurable status for unauthorized requests. The default is still `302 Found` (redirect to login), but it's a snap to change it to `401 Unauthorized` (like REST APIs should return, even stateful ones).
+- `OAuthentication` now extends `AbstractOAuth2TokenAuthenticationToken` for a better integration with the rest of the Spring Security ecosystem. See the [migration guide](https://github.com/ch4mpy/spring-addons/tree/master/migrate-to-8.0.0.md) for details.
+
 ```
 
 ## [`spring-addons-starter-oidc`](https://github.com/ch4mpy/spring-addons/tree/master/spring-addons-starter-oidc)
@@ -46,31 +39,53 @@ com:
     springaddons:
       rest:
         client:
+          # Exposes a RestClient bean named machinClient (or WebClient in a WebFlux app)
           machin-client:
             base-url: ${machin-api}
             authorization:
               oauth2:
+                # Authorize outgoing requests with the Bearer token in the security context (possible only in a resource server app)
                 forward-bearer: true
+          # Exposes a RestClient.Builder bean named biduleClientBuilder (mind the "expose-builder: true")
           bidule-client:
             base-url: ${bidule-api}
+            # Expose the builder instead of an already built client (to fine tune its conf)
             expose-builder: true
             authorization:
               oauth2:
+                # Authorize outgoing requests with the Bearer token obtained using an OAuth2 client registration
                 oauth2-registration-id: bidule-registration
 ```
-This exposes two beans that we can auto-wire in `@Component` or `@Configuration`, for instance to generate `@HttpExchange` implementations as follows (mind the `expose-builder: true` for `bidule-client`):
+This exposes pre-configured beans that we can auto-wire in any kind of `@Component`, like `@Controller` or `@Service`, or use in `@Configuration`. For instance:
 ```java
 @Configuration
 public class RestConfiguration {
+  /** 
+   * @param machinClient pre-configured by spring-addons-starter-rest using application properties
+   * @return a generated implementation of the {@link MachinApi} {@link HttpExchange &#64;HttpExchange}, exposed as a bean named "machinApi".
+   */
+  @Bean
+  MachinApi machinApi(RestClient machinClient) throws Exception {
+    return new RestClientHttpExchangeProxyFactoryBean<>(MachinApi.class, machinClient).getObject();
+  }
 
+  /** 
+   * @param biduleClientBuilder pre-configured using application properties
+   * @return a {@link RestClient} bean named "biduleClient"
+   */
   @Bean
-  BiduleApi biduleApi(RestClient.Builder biduleClientBuilder) throws Exception {
-    return new RestClientHttpExchangeProxyFactoryBean<>(BiduleApi.class, biduleClientBuilder.build()).getObject();
+  RestClient biduleClient(RestClient.Builder biduleClientBuilder) throws Exception {
+    // Fine-tune biduleClientBuilder configuration
+    return biduleClientBuilder.build();
   }
 
+  /** 
+   * @param biduleClient the bean exposed just above
+   * @return a generated implementation of the {@link BiduleApi} {@link HttpExchange &#64;HttpExchange}, exposed as a bean named "biduleApi".
+   */
   @Bean
-  MachinApi machinApi(RestClient machinClient) throws Exception {
-    return new RestClientHttpExchangeProxyFactoryBean<>(MachinApi.class, machinClient).getObject();
+  BiduleApi biduleApi(RestClient biduleClient) throws Exception {
+    return new RestClientHttpExchangeProxyFactoryBean<>(BiduleApi.class, biduleClient).getObject();
   }
 }
 ```

migrate-to-8.0.0.md

@@ -0,0 +1,32 @@
+# Migrating from `7.x` to `8.x`
+
+## `spring-addons-starter-oidc`
+
+The only breaking changes are around `OAuthentication` which now extends `AbstractOAuth2TokenAuthenticationToken` for a better integration with the rest of the Spring Security ecosystem.
+
+If using `OpenidClaimSet` directly, wrap it in an `OpenidToken`; if extending it, extend `OpenidToken` instead.
+
+Move the token string argument from the `OAuthentication` constructor to the `principal` one (probably an `OpenidToken`).
+
+```java
+new OAuthentication<>(new OpenidClaimSet(claims), authorities, tokenString);
+```
+becomes
+```java
+new OAuthentication<>(new OpenidToken(new OpenidClaimSet(claims), tokenString), authorities);
+```
+
+## `spring-addons-starter-rest`
+
+`SpringAddonsRestClientSupport`, `SpringAddonsWebClientSupport`, and `ReactiveSpringAddonsWebClientSupport` are replaced by `ProxyFactoryBean`s:
+- `RestClient` and `WebClient` bean definitions (or the definition of their builders) are registered as bart of the bean registry post processing => remove any explicit bean definition in application conf, the Boot starter does it already.
+- change `@HttpExchange` service proxy bean defintions to use `RestClientHttpExchangeProxyFactoryBean` or `WebClientHttpExchangeProxyFactoryBean`
+
+Proxy properties are now configurable for each client => in YAML, move it down one level (copy it to each client needing proxy configuration).
+
+There are more configuration options available:
+- a flag to expose the client builder inttead of an already built client
+- force the bean name (by default, it's the camelCase transformation of the kebab-case client ID in properties, with `Builder` suffix when `expose-builder` is `true`)
+- set connect and read timeouts
+- expose a `WebClient` instead of the default `RestClient` in a servlet application
+- set chunk-size (only applied to `RestClient`)

pom.xml

@@ -1,12 +1,17 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 	<modelVersion>4.0.0</modelVersion>
+	<parent>
+		<groupId>org.springframework.boot</groupId>
+		<artifactId>spring-boot-starter-parent</artifactId>
+		<version>3.4.0</version>
+	</parent>
 	<groupId>com.c4-soft.springaddons</groupId>
 	<artifactId>spring-addons</artifactId>
-	<version>7.8.13-SNAPSHOT</version>
+	<version>8.0.0-RC2-SNAPSHOT</version>
 	<packaging>pom</packaging>
 	<name>spring-addons</name>
-	<description>Set of tools I find useful to work with Spring (mostly spring-security for OpenID)</description>
+	<description>Make Spring developpers' life easier when OAuth2 / OpenID is involved</description>
 	<url>https://github.com/ch4mpy/spring-addons/</url>
 
 	<licenses>
@@ -54,25 +59,27 @@
 
 		<maven-compiler-plugin.version>3.13.0</maven-compiler-plugin.version>
 		<maven-deploy-plugin.version>3.1.2</maven-deploy-plugin.version>
+		<maven-gpg-plugin.version>3.2.5</maven-gpg-plugin.version>
 		<maven-jar-plugin.version>3.4.1</maven-jar-plugin.version>
 		<maven-javadoc-plugin.version>3.6.3</maven-javadoc-plugin.version>
 		<maven-release-plugin.version>3.0.1</maven-release-plugin.version>
 		<maven-shade-plugin.version>3.5.3</maven-shade-plugin.version>
 		<maven-source-plugin.version>3.3.1</maven-source-plugin.version>
+		<nexus-staging-maven-plugin.version>1.7.0</nexus-staging-maven-plugin.version>
 
 		<sonar-maven-plugin.version>3.11.0.3922</sonar-maven-plugin.version>
 
-		<spring-boot.version>3.3.4</spring-boot.version>
+		<spring-boot.version>${project.parent.version}</spring-boot.version>
 
 		<lombok-mapstruct-binding.version>0.2.0</lombok-mapstruct-binding.version>
 		<org.mapstruct.version>1.6.0.Beta2</org.mapstruct.version>
 
 		<integration-tests.hostname>${env.HOSTNAME}</integration-tests.hostname>
 		<integration-tests.scheme>https</integration-tests.scheme>
 
-		<springdoc-openapi.version>2.5.0</springdoc-openapi.version>
+        <springdoc-openapi.version>2.5.0</springdoc-openapi.version>
 		<springdoc-openapi-maven-plugin.version>1.4</springdoc-openapi-maven-plugin.version>
-		
+
 		<repackage.classifier />
 		<image.builder>paketobuildpacks/builder:tiny</image.builder>
 		<ca-certificates.binding>${project.basedir}/bindings/ca-certificates</ca-certificates.binding>
@@ -82,14 +89,6 @@
 
 	<dependencyManagement>
 		<dependencies>
-			<dependency>
-				<groupId>org.springframework.boot</groupId>
-				<artifactId>spring-boot-dependencies</artifactId>
-				<version>${spring-boot.version}</version>
-				<type>pom</type>
-				<scope>import</scope>
-			</dependency>
-
 			<dependency>
 				<groupId>com.c4-soft.springaddons</groupId>
 				<artifactId>spring-addons-oauth2</artifactId>
@@ -111,13 +110,13 @@
 				<artifactId>spring-addons-starter-oidc-test</artifactId>
 				<version>${project.version}</version>
 			</dependency>
-			
+
 			<dependency>
 				<groupId>com.c4-soft.springaddons</groupId>
 				<artifactId>spring-addons-starter-rest</artifactId>
 				<version>${project.version}</version>
 			</dependency>
-			
+
 			<dependency>
 				<groupId>org.springdoc</groupId>
 				<artifactId>springdoc-openapi-starter-webflux-api</artifactId>
@@ -142,7 +141,7 @@
 	</dependencyManagement>
 
 	<repositories>
-		<!--repository>
+		<repository>
 			<id>spring-snapshots</id>
 			<name>Spring Snapshots</name>
 			<url>https://repo.spring.io/snapshot</url>
@@ -151,11 +150,11 @@
 				<updatePolicy>always</updatePolicy>
 			</snapshots>
 			<releases>
-				<enabled>true</enabled>
+				<enabled>false</enabled>
 				<updatePolicy>never</updatePolicy>
 			</releases>
-		</repository-->
-		<!--repository>
+		</repository>
+		<repository>
 			<id>spring-milestones</id>
 			<name>Spring Milestones</name>
 			<url>https://repo.spring.io/milestone</url>
@@ -165,7 +164,7 @@
 			<releases>
 				<enabled>true</enabled>
 			</releases>
-		</repository-->
+		</repository>
 		<repository>
 			<id>repository.spring.release</id>
 			<name>Spring GA Repository</name>
@@ -180,7 +179,7 @@
 		</repository>
 	</repositories>
 	<pluginRepositories>
-		<!--pluginRepository>
+		<pluginRepository>
 			<id>spring-snapshots</id>
 			<name>Spring Snapshots</name>
 			<url>https://repo.spring.io/plugins-snapshot</url>
@@ -192,8 +191,8 @@
 				<enabled>true</enabled>
 				<updatePolicy>never</updatePolicy>
 			</releases>
-		</pluginRepository-->
-		<!--pluginRepository>
+		</pluginRepository>
+		<pluginRepository>
 			<id>spring-milestones</id>
 			<name>Spring Milestones</name>
 			<url>https://repo.spring.io/plugins-milestone</url>
@@ -203,7 +202,7 @@
 			<releases>
 				<enabled>true</enabled>
 			</releases>
-		</pluginRepository-->
+		</pluginRepository>
 		<pluginRepository>
 			<id>repository.spring.release</id>
 			<name>Spring GA Repository</name>
@@ -221,15 +220,41 @@
 	<build>
 		<pluginManagement>
 			<plugins>
+				<plugin>
+					<groupId>org.springframework.boot</groupId>
+					<artifactId>spring-boot-maven-plugin</artifactId>
+					<version>${spring-boot.version}</version>
+					<configuration>
+						<classifier>${repackage.classifier}</classifier>
+						<image>
+							<builder>${image.builder}</builder>
+							<bindings>
+								<binding>
+									${ca-certificates.binding}:/platform/bindings/ca-certificates:ro</binding>
+							</bindings>
+							<env>
+								<BP_JVM_VERSION>${java.version}</BP_JVM_VERSION>
+							</env>
+						</image>
+						<excludes>
+							<exclude>
+								<groupId>org.projectlombok</groupId>
+								<artifactId>lombok</artifactId>
+							</exclude>
+						</excludes>
+					</configuration>
+					<executions>
+					</executions>
+				</plugin>
 				<plugin>
 					<groupId>org.sonatype.plugins</groupId>
 					<artifactId>nexus-staging-maven-plugin</artifactId>
-					<version>1.6.13</version>
+					<version>${nexus-staging-maven-plugin.version}</version>
 				</plugin>
 				<plugin>
 					<groupId>org.apache.maven.plugins</groupId>
 					<artifactId>maven-gpg-plugin</artifactId>
-					<version>3.1.0</version>
+					<version>${maven-gpg-plugin.version}</version>
 				</plugin>
 				<plugin>
 					<groupId>org.apache.maven.plugins</groupId>
@@ -296,7 +321,8 @@
 				</executions>
 			</plugin>
 
-			<!-- run javadoc at each build to detect warnings and errors before release -->
+			<!-- run javadoc at each build to detect warnings and errors before
+			release -->
 			<plugin>
 				<groupId>org.apache.maven.plugins</groupId>
 				<artifactId>maven-javadoc-plugin</artifactId>
@@ -353,7 +379,7 @@
 				<module>spring-addons-starter-oidc-test</module>
 				<module>spring-addons-starter-rest</module>
 				<module>spring-addons-starter-openapi</module>
-				<module>starters</module>
+                <module>spring-addons-starter-recaptcha</module>
 			</modules>
 			<build>
 				<plugins>
@@ -370,7 +396,8 @@
 								</goals>
 								<configuration>
 									<executable>gpg</executable>
-									<!-- Prevent `gpg` from using pinentry programs -->
+									<!-- Prevent `gpg` from using pinentry
+									programs -->
 									<gpgArguments>
 										<arg>--pinentry-mode</arg>
 										<arg>loopback</arg>
@@ -394,7 +421,7 @@
 				<module>spring-addons-starter-oidc-test</module>
 				<module>spring-addons-starter-rest</module>
 				<module>spring-addons-starter-openapi</module>
-				<module>starters</module>
+                <module>spring-addons-starter-recaptcha</module>
 				<module>samples</module>
 			</modules>
 		</profile>

release-notes.md

@@ -5,7 +5,7 @@ For Spring Boot 3.4.x.
 
 `spring-addons-starter-rest` provides auto-configuration for `RestClient`, `WebClient` and tooling for `@HttpExchange` proxy generation.
 
-### `8.0.0-RC1`
+### `8.0.0`
 - `spring-addons-starter-oidc`:
   - **[Back-Channel Logout](https://openid.net/specs/openid-connect-backchannel-1_0.html)** support. Enabled only if an `OidcBackChannel(Server)LogoutHandler` bean is present. A default `OidcBackChannel(Server)LogoutHandler` bean is provided if `com.c4-soft.springaddons.oidc.client.back-channel-logout.enabled` property is `true` (`false` by default).
   - `authenticationEntryPoint` is now configurable with spring-addons for OAuth2 clients with `oauth2Login` (instead of `oauth2ResourceServer`). The default bean returns `302 redirect to login` unless another status is set with other OAuth2 responses statuses overrides in properties. Resource servers authentication entrypoint returns `401`.
@@ -16,7 +16,7 @@ For Spring Boot 3.4.x.
   - HTTP proxy. Supports `HTTP_PROXY` & `NO_PROXY` environment variables, but finer grained custom properties can be used.
   - connect and read timeouts.
   - force usage of `WebClient` in a servlet app (`RestClient` is the default for servlets).
-- Boot `3.4.0-RC1` and Security `6.4.0-RC1` as transitive dependencies (adapts to the new Back-Channel Logout configuration).
+- Boot `3.4.0` (with Security `6.4.0` as transitive dependencies).
 
 
 ## `7.x` Branch