spring spring-boot spring-mvc spring-security

Spring OAuth2 token introspection with mTLS


I'm trying to implement an OAuth2 resource server using Spring Boot with Spring Security. My introspection server requires mTLS for the token introspection requests.

How can I configure Spring Security to use a client certificate for the token introspection calls?

My security configuration looks like this:

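import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class MyCustomSecurityConfiguration {
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Every request must carry a valid token.
            .authorizeHttpRequests(authorize -> authorize
                .anyRequest().authenticated()
            )
            // Opaque tokens are validated by calling the introspection endpoint.
            .oauth2ResourceServer(oauth2 -> oauth2
                .opaqueToken(opaqueToken -> opaqueToken
                    // myIntrospector() is the custom introspector described below (not shown).
                    .introspector(myIntrospector())
                )
            );
        return http.build();
    }
}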

I have tried to provide my own custom introspector, which is based upon NimbusOpaqueTokenIntrospector, but I can't see any way to add a TLS certificate to the underlying HTTP request.


Solution

  • I got it working by using the constructor NimbusOpaqueTokenIntrospector(String introspectionUri, org.springframework.web.client.RestOperations restOperations).

    As the second constructor argument, I provided an mTLS-capable custom implementation of a Spring RestTemplate.
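
One way to build the mTLS-capable RestTemplate that the answer describes, using only JDK TLS classes and Spring's SimpleClientHttpRequestFactory (an added example, not the answerer's code). The class name MtlsIntrospectorFactory, its parameters and the choice of PKCS12 stores are assumptions; the trust store is assumed to hold only the CA that issues the introspection server's certificate.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import org.springframework.http.client.SimpleClientHttpRequestFactory;
import org.springframework.security.oauth2.server.resource.introspection.NimbusOpaqueTokenIntrospector;
import org.springframework.web.client.RestTemplate;

// Hypothetical helper: store paths, passwords and the URI come from the caller's configuration.
public final class MtlsIntrospectorFactory {
    public static NimbusOpaqueTokenIntrospector create(String introspectionUri, Path clientKeyStore,
            char[] keyStorePassword, Path trustStore, char[] trustStorePassword)
            throws IOException, GeneralSecurityException {
        // Client certificate and private key presented during the TLS handshake.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(clientKeyStore, keyStorePassword), keyStorePassword);
        // Server certificate is validated against this trust store only, not the JVM default.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(trustStore, trustStorePassword));
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        SimpleClientHttpRequestFactory requestFactory = new SimpleClientHttpRequestFactory() {
            @Override
            protected void prepareConnection(HttpURLConnection connection, String httpMethod) throws IOException {
                // Fail closed: never send a token to a plain-http introspection URI.
                if (!(connection instanceof HttpsURLConnection)) {
                    throw new IOException("Introspection endpoint must use https");
                }
                ((HttpsURLConnection) connection).setSSLSocketFactory(sslContext.getSocketFactory());
                super.prepareConnection(connection, httpMethod);
            }
        };
        // The constructor from the answer: the RestOperations carries the client certificate.
        return new NimbusOpaqueTokenIntrospector(introspectionUri, new RestTemplate(requestFactory));
    }

    private static KeyStore load(Path file, char[] password) throws IOException, GeneralSecurityException {
        KeyStore store = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(file)) {
            store.load(in, password);
        }
        return store;
    }
}
```

Returning the result of create(...) from the myIntrospector() method in the question's configuration passes it to .introspector(...). Hostname verification stays at the HttpsURLConnection default, so the server certificate must match the host in the introspection URI.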