Make RestTemplate used by ClientRegistrations (Discovery) configurable

Summary

spring-security-oauth2-client uses a RestTemplate for openid/oauth Discovery that is not configurable. This is unusable in scenarios where you need to adjust the RestTemplate. Example: You need to use a proxy and configure auth.

Actual Behavior

ClientRegistrations class uses a RestTemplate for doing OpenId Discovery that is not configurable, since it is not using RestTemplateBuilder or something comparable.

OpenId discovery is done by querying issuerUri + “/.well-known/openid-configuration” (for oidc) or issuerUri + “/.well-known/oauth-authorization-server” (for oauth).

Current implementation: RestTemplate rest = new RestTemplate()

Expected Behavior

ClientRegistrations should use a configurable RestTemplate for doing OpenId Discovery. One should be able to configure the requestFactory, interceptors, errorHandler and so on of that RestTemplate.

Configuration

Version

5.2.0.M3 and 5.1.5.RELEASE

Sample

https://github.com/spring-projects/spring-security/blob/1739ef8d3c75871367e8bf9a0daf46547abf6d45/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistrations.java#L58

Related #5607

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Reactions: 6
  • Comments: 15 (6 by maintainers)

Top GitHub Comments

1 reaction
jgrandja commented, Oct 24, 2019

@xenoterracide I took a look at your SO question. You can supply a custom RestOperations as follows:

Current

    @Bean
    OAuth2AuthorizedClientManager authorizedClientManager(
            ClientRegistrationRepository clientRegistrationRepository,
            OAuth2AuthorizedClientRepository authorizedClientRepository) {

        OAuth2AuthorizedClientProvider authorizedClientProvider =
            OAuth2AuthorizedClientProviderBuilder.builder()
                .clientCredentials()
                .build();

        DefaultOAuth2AuthorizedClientManager authorizedClientManager =
            new DefaultOAuth2AuthorizedClientManager(
                clientRegistrationRepository, authorizedClientRepository);
        authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);

        return authorizedClientManager;
    }

Updated

	@Bean
	OAuth2AuthorizedClientManager authorizedClientManager(
			ClientRegistrationRepository clientRegistrationRepository,
			OAuth2AuthorizedClientRepository authorizedClientRepository) {

		OAuth2AuthorizedClientProvider authorizedClientProvider =
				OAuth2AuthorizedClientProviderBuilder.builder()
						.clientCredentials(configurer ->
								configurer.accessTokenResponseClient(clientCredentialsTokenResponseClient()))
						.build();

		DefaultOAuth2AuthorizedClientManager authorizedClientManager =
				new DefaultOAuth2AuthorizedClientManager(
						clientRegistrationRepository, authorizedClientRepository);
		authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);

		return authorizedClientManager;
	}

	private OAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> clientCredentialsTokenResponseClient() {
		RestOperations accessTokenClient = null;		// TODO Configure
		DefaultClientCredentialsTokenResponseClient clientCredentialsTokenResponseClient = new DefaultClientCredentialsTokenResponseClient();
		clientCredentialsTokenResponseClient.setRestOperations(accessTokenClient);
		return clientCredentialsTokenResponseClient;
	}
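
One way to fill in the `// TODO Configure` placeholder for the proxy scenario raised in the issue. This is an added example, not code from the comment or from the Spring Security project; the class name, proxy host, port and timeout values are assumptions. The converters and error handler are set explicitly because a custom RestOperations does not get them by default.

```java
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.util.Arrays;

import org.springframework.http.client.SimpleClientHttpRequestFactory;
import org.springframework.http.converter.FormHttpMessageConverter;
import org.springframework.security.oauth2.client.endpoint.DefaultClientCredentialsTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.OAuth2ClientCredentialsGrantRequest;
import org.springframework.security.oauth2.client.http.OAuth2ErrorResponseErrorHandler;
import org.springframework.security.oauth2.core.http.converter.OAuth2AccessTokenResponseHttpMessageConverter;
import org.springframework.web.client.RestTemplate;

// Hypothetical helper class; only the Spring types are real.
final class ProxiedTokenClientFactory {

    // Placeholder values (assumptions); load them from configuration in practice.
    private static final String PROXY_HOST = "proxy.example.internal";
    private static final int PROXY_PORT = 3128;

    static OAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> clientCredentialsTokenResponseClient() {
        // Route the token request through the outbound HTTP proxy and bound
        // how long a slow or unreachable authorization server can block a thread.
        SimpleClientHttpRequestFactory requestFactory = new SimpleClientHttpRequestFactory();
        requestFactory.setProxy(new Proxy(Proxy.Type.HTTP,
                new InetSocketAddress(PROXY_HOST, PROXY_PORT)));
        requestFactory.setConnectTimeout(5_000);   // milliseconds
        requestFactory.setReadTimeout(10_000);     // milliseconds

        // The token request is form-encoded and the response is an OAuth 2.0
        // access token response, so both converters are required.
        RestTemplate accessTokenClient = new RestTemplate(Arrays.asList(
                new FormHttpMessageConverter(),
                new OAuth2AccessTokenResponseHttpMessageConverter()));
        accessTokenClient.setRequestFactory(requestFactory);
        // Turns OAuth 2.0 error responses into OAuth2AuthorizationException.
        accessTokenClient.setErrorHandler(new OAuth2ErrorResponseErrorHandler());

        DefaultClientCredentialsTokenResponseClient client =
                new DefaultClientCredentialsTokenResponseClient();
        client.setRestOperations(accessTokenClient);
        return client;
    }
}
```

This configures only the token endpoint call; the discovery request made inside ClientRegistrations is not affected by it.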

0 reactions
jgrandja commented, Jul 28, 2020

Closing in favour of #8882. Please see ClientRegistrations and provide any additional feedback there.
