wultra · banterCZ · Feb 29, 2024 · Feb 29, 2024
diff --git a/docs/Next-Step-Server.md b/docs/Next-Step-Server.md
@@ -74,15 +74,10 @@ The Next Step Server functionality is described in details in [Next Step Server
 
 You may configure OpenID Connect (OIDC) authentication.
 
-| Property                                                                                   | Default value            | Description                                                                                                                   |
-|--------------------------------------------------------------------------------------------|--------------------------|-------------------------------------------------------------------------------------------------------------------------------|
-| `powerauth.nextstep.security.auth.type`                                                    |                          | `OIDC` for OpenID Connect. If OIDC enabled, the properties bellow must be configured.                                         |
-| `spring.security.oauth2.client.registration.nextstep-oidc-client.provider`                 | `nextstep-oidc-provider` | Should be `nextstep-oidc-provider`, defines the key for the `issuer-uri` property, see below.                                 |
-| `spring.security.oauth2.client.registration.nextstep-oidc-client.client-id`                |                          | Client ID for authentication to the provider.                                                                                 |
-| `spring.security.oauth2.client.registration.nextstep-oidc-client.client-secret`            |                          | Client secret for authentication to the provider.                                                                             |
-| `spring.security.oauth2.client.registration.nextstep-oidc-client.authorization-grant-type` | `authorization_code`     | Authorization grant type. Should be `authorization_code`.                                                                     |
-| `spring.security.oauth2.client.registration.nextstep-oidc-client.scope`                    | `openid`                 | Authorization scopes. Should be `openid`.                                                                                     |
-| `spring.security.oauth2.client.registration.nextstep-oidc-client.redirectUri`              |                          | Redirect URI from the provider back to the NextStep, e.g. `http://localhost:8080//powerauth-nextstep/login/oauth2/code/azure` |
-| `spring.security.oauth2.client.provider.nextstep-oidc-provider.issuer-uri`                 |                          | URL of the provider, e.g. `https://sts.windows.net/example/`                                                                  |
+| Property                                                | Default value | Description                                                                           |
+|---------------------------------------------------------|---------------|---------------------------------------------------------------------------------------|
+| `powerauth.nextstep.security.auth.type`                 |               | `OIDC` for OpenID Connect. If OIDC enabled, the properties bellow must be configured. |
+| `spring.security.oauth2.resource-server.jwt.issuer-uri` |               | URL of the provider, e.g. `https://sts.windows.net/example/`                          |
+| `spring.security.oauth2.resource-server.jwt.audiences`  |               | A comma-separated list of allowed `aud` JWT claim values to be validated.             |
 
 See the [Spring Security documentation](https://docs.spring.io/spring-security/reference/servlet/oauth2/index.html#oauth2-client-log-users-in) and [OpenID Connect UserInfo endpoint](https://connect2id.com/products/server/docs/api/userinfo) for details. 
diff --git a/powerauth-nextstep/pom.xml b/powerauth-nextstep/pom.xml
@@ -61,7 +61,7 @@
         </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-oauth2-client</artifactId>
+            <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
         </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>

diff --git a/...extstep/src/main/java/io/getlime/security/powerauth/app/nextstep/NextStepApplication.java b/...extstep/src/main/java/io/getlime/security/powerauth/app/nextstep/NextStepApplication.java
@@ -21,7 +21,6 @@
 import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
-import org.springframework.boot.autoconfigure.security.oauth2.client.servlet.OAuth2ClientAutoConfiguration;
 import org.springframework.context.annotation.ComponentScan;
 import org.springframework.scheduling.annotation.EnableScheduling;
 
@@ -32,7 +31,7 @@
  *
  * @author Roman Strobl, [email protected]
  */
-@SpringBootApplication(exclude = OAuth2ClientAutoConfiguration.class) // OAuth2Client dependency is included, but configuration is optional
+@SpringBootApplication
 @EnableScheduling
 @ComponentScan(basePackages = {"io.getlime.security.powerauth.app.nextstep", "com.wultra.core.audit.base"})
 public class NextStepApplication {

diff --git a/...rc/main/java/io/getlime/security/powerauth/app/nextstep/configuration/SecurityConfig.java b/...rc/main/java/io/getlime/security/powerauth/app/nextstep/configuration/SecurityConfig.java
@@ -19,11 +19,8 @@
 
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Value;
-import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
-import org.springframework.boot.autoconfigure.security.oauth2.client.servlet.OAuth2ClientAutoConfiguration;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.context.annotation.Import;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
@@ -57,13 +54,10 @@ public SecurityFilterChain filterChain(final HttpSecurity http) throws Exception
             logger.info("Initializing OIDC authentication.");
             http.authorizeHttpRequests(authorize -> authorize
                             .requestMatchers(
-                                    new AntPathRequestMatcher("/login/oauth2/**"),
                                     new AntPathRequestMatcher("/api/service/status"),
-                                    new AntPathRequestMatcher("/actuator/**"))
-                            .permitAll()
-                            .anyRequest()
-                            .fullyAuthenticated())
-                    .oauth2Login(withDefaults());
+                                    new AntPathRequestMatcher("/actuator/**")).permitAll()
+                            .anyRequest().fullyAuthenticated())
+                    .oauth2ResourceServer(oauth2 -> oauth2.jwt(withDefaults()));
         } else {
             logger.info("No authentication configured");
             http.httpBasic(AbstractHttpConfigurer::disable);
@@ -74,13 +68,6 @@ public SecurityFilterChain filterChain(final HttpSecurity http) throws Exception
                 .build();
     }
 
-    @Configuration
-    @ConditionalOnProperty(name = "powerauth.nextstep.security.auth.type", havingValue = "OIDC")
-    @Import(OAuth2ClientAutoConfiguration.class)
-    public static class OAuth2ClientConfiguration {
-        // no code on purpose, only config class
-    }
-
     enum AuthType {
         NONE,
 

diff --git a/powerauth-nextstep/src/main/resources/application.properties b/powerauth-nextstep/src/main/resources/application.properties
@@ -72,13 +72,8 @@ logging.config=${POWERAUTH_NEXTSTEP_LOGGING:}
 
 # OpenID Connect (OIDC) Settings
 #powerauth.nextstep.security.auth.type=OIDC
-spring.security.oauth2.client.registration.nextstep-oidc-client.provider=nextstep-oidc-provider
-spring.security.oauth2.client.registration.nextstep-oidc-client.client-id=
-spring.security.oauth2.client.registration.nextstep-oidc-client.client-secret=
-spring.security.oauth2.client.registration.nextstep-oidc-client.authorization-grant-type=authorization_code
-spring.security.oauth2.client.registration.nextstep-oidc-client.scope=openid
-spring.security.oauth2.client.registration.nextstep-oidc-client.redirectUri=
-spring.security.oauth2.client.provider.nextstep-oidc-provider.issuer-uri=
+spring.security.oauth2.resource-server.jwt.issuer-uri=
+spring.security.oauth2.resource-server.jwt.audiences=
 
 # Monitoring
 management.tracing.sampling.probability=1.0
diff --git a/powerauth-nextstep/src/test/resources/application-test.properties b/powerauth-nextstep/src/test/resources/application-test.properties
@@ -13,5 +13,3 @@ powerauth.nextstep.db.master.encryption.key=Bq9h3/QiGTAChopid3Xd4ZDzaJ5rkrqBuzy2
 
 # Liquibase
 spring.liquibase.enabled=false
-
-spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.security.oauth2.client.servlet.OAuth2ClientAutoConfiguration
Original file line number	Diff line number	Diff line change
Expand Up		@@ -13,5 +13,3 @@ powerauth.nextstep.db.master.encryption.key=Bq9h3/QiGTAChopid3Xd4ZDzaJ5rkrqBuzy2

		# Liquibase
		spring.liquibase.enabled=false

		spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.security.oauth2.client.servlet.OAuth2ClientAutoConfiguration