I'm having some difficulty getting client token relay working with Spring Boot 2.0.0.M7 and Spring Cloud Finchley M5. Please find the example code on GitHub: https://github.com/hansvanbeneden/oauth-example
I have configured the oauth2Login like this:
    @Configuration
    @EnableWebSecurity
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .anyRequest()
                    .authenticated()
                    .and()
                .oauth2Login()
                    .and()
                .csrf().disable();
        }
    }
and the client registration repo like this:
    @Configuration
    @EnableOAuth2Client
    public class OAuth2LoginConfig {
        @Bean
        public ClientRegistrationRepository clientRegistrationRepository() {
            return new InMemoryClientRegistrationRepository(this.myWebsiteClientRegistration());
        }

        private ClientRegistration myWebsiteClientRegistration() {
            return ClientRegistration
                .withRegistrationId("myauth")
                ...
                .build();
        }

        @Bean
        public OAuth2RestOperations restOperations(OAuth2ClientContext oauth2ClientContext) {
            return new OAuth2RestTemplate(resource(), oauth2ClientContext);
        }

        private OAuth2ProtectedResourceDetails resource() {
            ClientRegistration myauthClient = myWebsiteClientRegistration();
            AuthorizationCodeResourceDetails resource = new AuthorizationCodeResourceDetails();
            resource.setScope(new ArrayList<>(myauthClient.getScopes()));
            ...
            return resource;
        }
    }
I would expect that the oauth2Login somehow sets the OAuth2AccessToken in the OAuth2ClientContext for the OAuth2RestTemplate to use it. But apparently this is not the case, because a UserRedirectRequiredException is thrown when I use the OAuth2RestTemplate.
Is there some magic annotation that I'm missing? Can someone please point me in the right direction?
Please feel free to correct me if I'm wrong, but basically this is how I understand the issue:
Spring Boot 2.0 dropped support for spring-security-oauth2, since it now has its own OAuth support (documented here: https://docs.spring.io/spring-security/site/docs/5.0.0.BUILD-SNAPSHOT/reference/htmlsingle/#jc-oauth2login).
This means you can't use the new oauth2Login configuration and expect the OAuth2RestTemplate to be able to use the OAuth tokens set by oauth2Login.
The following project was set up to allow the use of spring-security-oauth2 features in Spring Boot 2.0: https://docs.spring.io/spring-security-oauth2-boot/docs/current-SNAPSHOT/reference/htmlsingle/
To solve my issue I added the spring-security-oauth2-autoconfigure dependency:
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.security.oauth.boot</groupId>
        <artifactId>spring-security-oauth2-autoconfigure</artifactId>
        <version>2.0.0.BUILD-SNAPSHOT</version>
    </dependency>
I removed the oauth2Login from the WebSecurityConfig and added EnableOAuth2Sso:
    @Configuration
    @EnableOAuth2Sso
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .anyRequest()
                    .authenticated()
                    .and()
                .csrf().disable();
        }
    }
Then my OAuth2RestTemplate was able to find the OAuthToken that was acquired by logging in.
    @Bean
    public RestOperations restOperations(OAuth2ProtectedResourceDetails resourceDetails,
                                         OAuth2ClientContext clientContext) {
        return new OAuth2RestTemplate(resourceDetails, clientContext);
    }
I have committed this solution on the following branch: https://github.com/hansvanbeneden/oauth-example/tree/implementation-with-spring-security-oauth2-boot
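
One way to use the relayed token once the SSO login has filled the OAuth2ClientContext, as an added example that is not part of the original answer or the linked repository. The controller name, the /relay/... paths and the downstream URL are assumptions; the token is only ever sent to one fixed URL and only its metadata is exposed.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.oauth2.client.OAuth2ClientContext;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.client.RestOperations;

@RestController
public class RelayController {
    // Assumption: placeholder URL of the single resource server allowed to receive the token.
    private static final String DOWNSTREAM_URL = "https://resource.example.com/api/orders";

    private final RestOperations restOperations;     // the OAuth2RestTemplate bean from the answer
    private final OAuth2ClientContext clientContext; // holds the token acquired by logging in

    public RelayController(RestOperations restOperations, OAuth2ClientContext clientContext) {
        this.restOperations = restOperations;
        this.clientContext = clientContext;
    }

    // Calls the fixed downstream URL; OAuth2RestTemplate adds the
    // "Authorization: Bearer ..." header from the client context itself.
    @GetMapping("/relay/orders")
    public ResponseEntity<String> orders() {
        if (clientContext.getAccessToken() == null) {
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED)
                    .body("no access token in client context");
        }
        return ResponseEntity.ok(restOperations.getForObject(DOWNSTREAM_URL, String.class));
    }

    // Diagnostic view of the relayed token: metadata only, never the token value.
    @GetMapping("/relay/token-info")
    public Map<String, Object> tokenInfo() {
        OAuth2AccessToken token = clientContext.getAccessToken();
        Map<String, Object> info = new LinkedHashMap<>();
        info.put("present", token != null);
        if (token != null) {
            info.put("type", token.getTokenType());
            info.put("scope", token.getScope());
            info.put("expired", token.isExpired());
            info.put("expiresInSeconds", token.getExpiresIn());
        }
        return info;
    }
}
```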