conditional OAuth2AuthorizedClientBeans

ch4mpy · Feb 10, 2024 · cfd6728 · cfd6728
1 parent 72efbff
commit cfd6728
Show file tree

Hide file tree

Showing 15 changed files with 99 additions and 63 deletions.
diff --git a/release-notes.md b/release-notes.md
@@ -2,6 +2,10 @@
 
 ## `7.x` Branch
 
+### `7.5.1`
+- make `(Reactive)SpringAddonsOAuth2AuthorizedClientBeans` conditional on `com.c4-soft.springaddons.oidc.client.token-request-params` properties being present
+- fix missing `SpringAddons(Reactive)JwtDecoderFactory` default bean
+
 ### `7.5.0`
 - Create [spring-addons-starter-oidc README](https://github.com/ch4mpy/spring-addons/tree/master/spring-addons-starter-oidc)
 - Replace `AuthoritiesMappingPropertiesResolver` with `OpenidProviderPropertiesResolver`

diff --git a/samples/tutorials/resource-server_with_ui/src/main/resources/application.yml b/samples/tutorials/resource-server_with_ui/src/main/resources/application.yml
@@ -34,8 +34,6 @@ spring:
         provider:
           keycloak:
             issuer-uri: ${keycloak-issuer}
-          cognito:
-            issuer-uri: ${cognito-issuer}
           auth0:
             issuer-uri: ${auth0-issuer}
         registration:
@@ -52,13 +50,6 @@ spring:
             client-secret: ${keycloak-secret}
             provider: keycloak
             scope: openid,offline_access
-          cognito-confidential-user:
-            authorization-grant-type: authorization_code
-            client-name: Amazon Cognito
-            client-id: 12olioff63qklfe9nio746es9f
-            client-secret: ${cognito-secret}
-            provider: cognito
-            scope: openid,profile,email
           auth0-confidential-user:
             authorization-grant-type: authorization_code
             client-name: Auth0
@@ -77,10 +68,6 @@ com:
           authorities:
           - path: $.realm_access.roles
           - path: $.resource_access.*.roles
-        - iss: ${cognito-issuer}
-          username-claim: $.username
-          authorities:
-          - path: $.cognito:groups
         - iss: ${auth0-issuer}
           aud: demo.c4-soft.com
           username-claim: $['https://c4-soft.com/user']['name']
@@ -127,6 +114,10 @@ com:
             auth0-confidential-user:
             - name: audience
               value: demo.c4-soft.com
+          token-request-params:
+            auth0-confidential-user:
+            - name: audience
+              value: demo.c4-soft.com
 
 logging:
   level:

diff --git a/spring-addons-starter-oidc/README.MD b/spring-addons-starter-oidc/README.MD
@@ -4,7 +4,7 @@ This project is a Spring Boot starter to use in addition to `spring-boot-starter
 
 ```xml
     <properties>
-        <springaddons.version>7.5.0</springaddons.version>
+        <springaddons.version>7.5.1</springaddons.version>
     </properties>
 
     <dependencies>

diff --git a/.../security/oidc/starter/properties/condition/HasOAuth2RegistrationPropertiesCondition.java b/.../security/oidc/starter/properties/condition/HasOAuth2RegistrationPropertiesCondition.java
@@ -0,0 +1,8 @@
+package com.c4_soft.springaddons.security.oidc.starter.properties.condition;
+
+public class HasOAuth2RegistrationPropertiesCondition extends HasPropertyPrefixCondition {
+
+    public HasOAuth2RegistrationPropertiesCondition() {
+        super("spring.security.oauth2.client.registration");
+    }
+}
diff --git a/...Auth2RegistrationPropertiesCondition.java → ...condition/HasPropertyPrefixCondition.java b/...Auth2RegistrationPropertiesCondition.java → ...condition/HasPropertyPrefixCondition.java
@@ -1,4 +1,4 @@
-package com.c4_soft.springaddons.security.oidc.starter.properties.condition.bean;
+package com.c4_soft.springaddons.security.oidc.starter.properties.condition;
 
 import org.springframework.context.annotation.Condition;
 import org.springframework.context.annotation.ConditionContext;
@@ -7,11 +7,14 @@
 import org.springframework.core.env.PropertySource;
 import org.springframework.core.type.AnnotatedTypeMetadata;
 
-public class HasOAuth2RegistrationPropertiesCondition implements Condition {
+import lombok.RequiredArgsConstructor;
+
+@RequiredArgsConstructor
+public class HasPropertyPrefixCondition implements Condition {
+    private final String prefix;
 
     @Override
     public boolean matches(ConditionContext context, AnnotatedTypeMetadata metadata) {
-        final String prefix = "spring.security.oauth2.client.registration";
         if (context.getEnvironment() instanceof ConfigurableEnvironment env) {
             for (PropertySource<?> propertySource : env.getPropertySources()) {
                 if (propertySource instanceof EnumerablePropertySource enumerablePropertySource) {
@@ -25,4 +28,4 @@ public boolean matches(ConditionContext context, AnnotatedTypeMetadata metadata)
         }
         return false;
     }
-}
+}
diff --git a/...urity/oidc/starter/properties/condition/HasTokenEdpointParametersPropertiesCondition.java b/...urity/oidc/starter/properties/condition/HasTokenEdpointParametersPropertiesCondition.java
@@ -0,0 +1,8 @@
+package com.c4_soft.springaddons.security.oidc.starter.properties.condition;
+
+public class HasTokenEdpointParametersPropertiesCondition extends HasPropertyPrefixCondition {
+
+    public HasTokenEdpointParametersPropertiesCondition() {
+        super("com.c4-soft.springaddons.oidc.client.token-request-params");
+    }
+}
diff --git a/...oidc/starter/properties/condition/bean/DefaultOAuth2AuthorizedClientManagerCondition.java b/...oidc/starter/properties/condition/bean/DefaultOAuth2AuthorizedClientManagerCondition.java
@@ -5,6 +5,8 @@
 import org.springframework.context.annotation.Conditional;
 import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
 
+import com.c4_soft.springaddons.security.oidc.starter.properties.condition.HasOAuth2RegistrationPropertiesCondition;
+
 public class DefaultOAuth2AuthorizedClientManagerCondition extends AllNestedConditions {
 
     public DefaultOAuth2AuthorizedClientManagerCondition() {

diff --git a/...idc/starter/properties/condition/bean/DefaultOAuth2AuthorizedClientProviderCondition.java b/...idc/starter/properties/condition/bean/DefaultOAuth2AuthorizedClientProviderCondition.java
@@ -5,6 +5,8 @@
 import org.springframework.context.annotation.Conditional;
 import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProvider;
 
+import com.c4_soft.springaddons.security.oidc.starter.properties.condition.HasOAuth2RegistrationPropertiesCondition;
+
 public class DefaultOAuth2AuthorizedClientProviderCondition extends AllNestedConditions {
 
     public DefaultOAuth2AuthorizedClientProviderCondition() {

diff --git a/...rter/properties/condition/bean/DefaultReactiveOAuth2AuthorizedClientManagerCondition.java b/...rter/properties/condition/bean/DefaultReactiveOAuth2AuthorizedClientManagerCondition.java
@@ -5,6 +5,8 @@
 import org.springframework.context.annotation.Conditional;
 import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientManager;
 
+import com.c4_soft.springaddons.security.oidc.starter.properties.condition.HasOAuth2RegistrationPropertiesCondition;
+
 public class DefaultReactiveOAuth2AuthorizedClientManagerCondition extends AllNestedConditions {
 
     public DefaultReactiveOAuth2AuthorizedClientManagerCondition() {

diff --git a/...ter/properties/condition/bean/DefaultReactiveOAuth2AuthorizedClientProviderCondition.java b/...ter/properties/condition/bean/DefaultReactiveOAuth2AuthorizedClientProviderCondition.java
@@ -5,6 +5,8 @@
 import org.springframework.context.annotation.Conditional;
 import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientProvider;
 
+import com.c4_soft.springaddons.security.oidc.starter.properties.condition.HasOAuth2RegistrationPropertiesCondition;
+
 public class DefaultReactiveOAuth2AuthorizedClientProviderCondition extends AllNestedConditions {
 
     public DefaultReactiveOAuth2AuthorizedClientProviderCondition() {

diff --git a/...ecurity/oidc/starter/reactive/client/ReactiveSpringAddonsOAuth2AuthorizedClientBeans.java b/...ecurity/oidc/starter/reactive/client/ReactiveSpringAddonsOAuth2AuthorizedClientBeans.java
@@ -13,33 +13,34 @@
 import org.springframework.security.oauth2.client.web.server.ServerOAuth2AuthorizedClientRepository;
 
 import com.c4_soft.springaddons.security.oidc.starter.properties.SpringAddonsOidcProperties;
+import com.c4_soft.springaddons.security.oidc.starter.properties.condition.HasTokenEdpointParametersPropertiesCondition;
 import com.c4_soft.springaddons.security.oidc.starter.properties.condition.bean.DefaultReactiveOAuth2AuthorizedClientManagerCondition;
 import com.c4_soft.springaddons.security.oidc.starter.properties.condition.bean.DefaultReactiveOAuth2AuthorizedClientProviderCondition;
 import com.c4_soft.springaddons.security.oidc.starter.properties.condition.configuration.IsReactiveOauth2ClientCondition;
 
-@Conditional(IsReactiveOauth2ClientCondition.class)
+@Conditional({ IsReactiveOauth2ClientCondition.class, HasTokenEdpointParametersPropertiesCondition.class })
 @AutoConfiguration
 public class ReactiveSpringAddonsOAuth2AuthorizedClientBeans {
 
-	@Conditional(DefaultReactiveOAuth2AuthorizedClientManagerCondition.class)
-	@Bean
-	ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
-			ReactiveClientRegistrationRepository clientRegistrationRepository,
-			ServerOAuth2AuthorizedClientRepository authorizedClientRepository,
-			ReactiveOAuth2AuthorizedClientProvider oauth2AuthorizedClientProvider) {
-
-		final var authorizedClientManager = new DefaultReactiveOAuth2AuthorizedClientManager(clientRegistrationRepository, authorizedClientRepository);
-		authorizedClientManager.setAuthorizedClientProvider(oauth2AuthorizedClientProvider);
-
-		return authorizedClientManager;
-	}
-
-	@Conditional(DefaultReactiveOAuth2AuthorizedClientProviderCondition.class)
-	@Bean
-	ReactiveOAuth2AuthorizedClientProvider oauth2AuthorizedClientProvider(
-			SpringAddonsOidcProperties addonsProperties,
-			InMemoryReactiveClientRegistrationRepository clientRegistrationRepository) {
-		return new PerRegistrationReactiveOAuth2AuthorizedClientProvider(clientRegistrationRepository, addonsProperties, Map.of());
-	}
+    @Conditional(DefaultReactiveOAuth2AuthorizedClientManagerCondition.class)
+    @Bean
+    ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
+            ReactiveClientRegistrationRepository clientRegistrationRepository,
+            ServerOAuth2AuthorizedClientRepository authorizedClientRepository,
+            ReactiveOAuth2AuthorizedClientProvider oauth2AuthorizedClientProvider) {
+
+        final var authorizedClientManager = new DefaultReactiveOAuth2AuthorizedClientManager(clientRegistrationRepository, authorizedClientRepository);
+        authorizedClientManager.setAuthorizedClientProvider(oauth2AuthorizedClientProvider);
+
+        return authorizedClientManager;
+    }
+
+    @Conditional(DefaultReactiveOAuth2AuthorizedClientProviderCondition.class)
+    @Bean
+    ReactiveOAuth2AuthorizedClientProvider oauth2AuthorizedClientProvider(
+            SpringAddonsOidcProperties addonsProperties,
+            InMemoryReactiveClientRegistrationRepository clientRegistrationRepository) {
+        return new PerRegistrationReactiveOAuth2AuthorizedClientProvider(clientRegistrationRepository, addonsProperties, Map.of());
+    }
 
 }
diff --git a/...ity/oidc/starter/reactive/resourceserver/ReactiveSpringAddonsOidcResourceServerBeans.java b/...ity/oidc/starter/reactive/resourceserver/ReactiveSpringAddonsOidcResourceServerBeans.java
@@ -201,6 +201,12 @@ ResourceServerReactiveHttpSecurityPostProcessor httpPostProcessor() {
         return serverHttpSecurity -> serverHttpSecurity;
     }
 
+    @ConditionalOnMissingBean
+    @Bean
+    SpringAddonsReactiveJwtDecoderFactory springAddonsJwtDecoderFactory() {
+        return new DefaultSpringAddonsReactiveJwtDecoderFactory();
+    }
+
     /**
      * Provides with multi-tenancy: builds a ReactiveAuthenticationManagerResolver per provided OIDC issuer URI
      *

diff --git a/...starter/reactive/resourceserver/SpringAddonsReactiveJwtAuthenticationManagerResolver.java b/...starter/reactive/resourceserver/SpringAddonsReactiveJwtAuthenticationManagerResolver.java
@@ -9,14 +9,13 @@
 
 import com.c4_soft.springaddons.security.oidc.starter.OpenidProviderPropertiesResolver;
 import com.c4_soft.springaddons.security.oidc.starter.synchronised.resourceserver.JWTClaimsSetAuthenticationManager.JWTClaimsSetAuthenticationManagerResolver;
-import com.c4_soft.springaddons.security.oidc.starter.synchronised.resourceserver.SpringAddonsJwtDecoderFactory;
 
 import reactor.core.publisher.Mono;
 
 /**
  * <p>
  * An {@link ReactiveAuthenticationManagerResolver} always resolving the same {@link ReactiveJWTClaimsSetAuthenticationManager} which relies on
- * {@link JWTClaimsSetAuthenticationManagerResolver}, itself using {@link SpringAddonsJwtDecoderFactory} and a {@link Converter Converter@lt;Jwt,
+ * {@link JWTClaimsSetAuthenticationManagerResolver}, itself using {@link SpringAddonsReactiveJwtDecoderFactory} and a {@link Converter Converter@lt;Jwt,
  * AbstractAuthenticationToken&gt;}.
  * </p>
  * <p>

diff --git a/...ns/security/oidc/starter/synchronised/client/SpringAddonsOAuth2AuthorizedClientBeans.java b/...ns/security/oidc/starter/synchronised/client/SpringAddonsOAuth2AuthorizedClientBeans.java
@@ -13,31 +13,33 @@
 import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
 
 import com.c4_soft.springaddons.security.oidc.starter.properties.SpringAddonsOidcProperties;
+import com.c4_soft.springaddons.security.oidc.starter.properties.condition.HasTokenEdpointParametersPropertiesCondition;
 import com.c4_soft.springaddons.security.oidc.starter.properties.condition.bean.DefaultOAuth2AuthorizedClientManagerCondition;
 import com.c4_soft.springaddons.security.oidc.starter.properties.condition.bean.DefaultOAuth2AuthorizedClientProviderCondition;
 import com.c4_soft.springaddons.security.oidc.starter.properties.condition.configuration.IsServletOauth2ClientCondition;
 
-@Conditional(IsServletOauth2ClientCondition.class)
+@Conditional({ IsServletOauth2ClientCondition.class, HasTokenEdpointParametersPropertiesCondition.class })
 @AutoConfiguration
 public class SpringAddonsOAuth2AuthorizedClientBeans {
 
-	@Conditional(DefaultOAuth2AuthorizedClientManagerCondition.class)
-	@Bean
-	OAuth2AuthorizedClientManager authorizedClientManager(
-			ClientRegistrationRepository clientRegistrationRepository,
-			OAuth2AuthorizedClientRepository authorizedClientRepository,
-			OAuth2AuthorizedClientProvider oauth2AuthorizedClientProvider) {
-
-		final var authorizedClientManager = new DefaultOAuth2AuthorizedClientManager(clientRegistrationRepository, authorizedClientRepository);
-		authorizedClientManager.setAuthorizedClientProvider(oauth2AuthorizedClientProvider);
-
-		return authorizedClientManager;
-	}
-
-	@Conditional(DefaultOAuth2AuthorizedClientProviderCondition.class)
-	@Bean
-	OAuth2AuthorizedClientProvider
-			oauth2AuthorizedClientProvider(SpringAddonsOidcProperties addonsProperties, InMemoryClientRegistrationRepository clientRegistrationRepository) {
-		return new PerRegistrationOAuth2AuthorizedClientProvider(clientRegistrationRepository, addonsProperties, Map.of());
-	}
+    @Conditional(DefaultOAuth2AuthorizedClientManagerCondition.class)
+    @Bean
+    OAuth2AuthorizedClientManager authorizedClientManager(
+            ClientRegistrationRepository clientRegistrationRepository,
+            OAuth2AuthorizedClientRepository authorizedClientRepository,
+            OAuth2AuthorizedClientProvider oauth2AuthorizedClientProvider) {
+
+        final var authorizedClientManager = new DefaultOAuth2AuthorizedClientManager(clientRegistrationRepository, authorizedClientRepository);
+        authorizedClientManager.setAuthorizedClientProvider(oauth2AuthorizedClientProvider);
+
+        return authorizedClientManager;
+    }
+
+    @Conditional(DefaultOAuth2AuthorizedClientProviderCondition.class)
+    @Bean
+    OAuth2AuthorizedClientProvider oauth2AuthorizedClientProvider(
+            SpringAddonsOidcProperties addonsProperties,
+            InMemoryClientRegistrationRepository clientRegistrationRepository) {
+        return new PerRegistrationOAuth2AuthorizedClientProvider(clientRegistrationRepository, addonsProperties, Map.of());
+    }
 }
diff --git a/...ecurity/oidc/starter/synchronised/resourceserver/SpringAddonsOidcResourceServerBeans.java b/...ecurity/oidc/starter/synchronised/resourceserver/SpringAddonsOidcResourceServerBeans.java
@@ -59,8 +59,8 @@
  * configuration. It applies to all routes not listed in "permit-all" property configuration. Default requires users to be authenticated. <b>This is a bean to
  * provide in your application configuration if you prefer to define fine-grained access control rules with Java configuration rather than methods
  * security.</b></li>
- * <li>httpPostProcessor: a bean of type {@link ResourceServerSynchronizedHttpSecurityPostProcessor} to override anything from above auto-configuration. It is called just
- * before the security filter-chain is returned. Default is a no-op.</li>
+ * <li>httpPostProcessor: a bean of type {@link ResourceServerSynchronizedHttpSecurityPostProcessor} to override anything from above auto-configuration. It is
+ * called just before the security filter-chain is returned. Default is a no-op.</li>
  * <li>jwtAuthenticationConverter: a converter from a {@link Jwt} to something inheriting from {@link AbstractAuthenticationToken}. The default instantiate a
  * {@link JwtAuthenticationToken} with username and authorities as configured for the issuer of thi token. The easiest to override the type of
  * {@link AbstractAuthenticationToken}, is to provide with an Converter&lt;Jwt, ? extends AbstractAuthenticationToken&gt; bean.</li>
@@ -183,6 +183,12 @@ ResourceServerSynchronizedHttpSecurityPostProcessor httpPostProcessor() {
         return httpSecurity -> httpSecurity;
     }
 
+    @ConditionalOnMissingBean
+    @Bean
+    SpringAddonsJwtDecoderFactory springAddonsJwtDecoderFactory() {
+        return new DefaultSpringAddonsJwtDecoderFactory();
+    }
+
     /**
      * Provides with multi-tenancy: builds a AuthenticationManagerResolver<HttpServletRequest> per provided OIDC issuer URI
      *