torebal / spring-addons

Ease spring OAuth2 resource-servers configuration and testing

Ease OAuth2 / OpenID Configuration & Tests in Spring Boot 3

Useful links

Breaking News

Just added a Sponsor this project link to the repo ;-)

In 7.6.0, the experimental support for RestClient and WebClient builders, as well as for @HttpExchange (the successor of @FeignClient), is moved to a dedicated starter: spring-addons-starter-rest. As a reminder, it helps to get pre-configured client builders and @HttpExchange proxies backed by these clients.

7.5.0 comes with an important refactoring of the way JWT decoder(s) configuration is resolved. This greatly eases the implementation of "dynamic" multi-tenant scenarios. The only noticeable breaking change is the removal of SpringAddonsOidcProperties::getOpProperties. This feature is now the responsibility of the newly introduced OpenidProviderPropertiesResolver. The default implementation resolves properties with an exact match on issuer (just as getOpProperties was doing). As usual, the auto-configured bean backs off if you expose one to use another properties resolving strategy.

Important warning for those using @WithJwt (and, since 7.3.0, @WithMockJwtAuth) but not spring-addons-starter-oidc: you should expose your JWT converter as a bean. See the spring-addons-oauth2-test README for details.
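As an added illustration of what "expose your JWT converter as a bean" means in plain Spring Security terms (this is example code, not taken from the spring-addons README or its starters): a `Converter<Jwt, ? extends AbstractAuthenticationToken>` bean that maps a claim to granted authorities and is wired into the resource-server filter chain. The claim name `roles`, the `ROLE_` prefix and the use of `preferred_username` as principal name are assumptions chosen for the example; because the same bean is the one test annotations look up, the authorities your tests see are produced by exactly the mapping production uses.

```java
// Added example, not part of spring-addons: a plain Spring Security
// JwtAuthenticationConverter exposed as a bean so that both the resource-server
// filter chain and test tooling resolve it from the application context.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class JwtConverterConfig {

    // The single place where verified JWT claims become Spring Security authorities.
    // "roles" as the claim carrying authorities and "preferred_username" as the
    // principal name are assumptions for this example; adapt them to your provider.
    @Bean
    Converter<Jwt, ? extends AbstractAuthenticationToken> jwtAuthenticationConverter() {
        var authoritiesConverter = new JwtGrantedAuthoritiesConverter();
        authoritiesConverter.setAuthoritiesClaimName("roles");
        authoritiesConverter.setAuthorityPrefix("ROLE_");

        var converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(authoritiesConverter);
        converter.setPrincipalClaimName("preferred_username");
        return converter;
    }

    // Resource-server chain: every request must carry a valid JWT, and the bean
    // above (not an anonymous converter created inline) turns it into an Authentication.
    @Bean
    SecurityFilterChain resourceServerFilterChain(
            HttpSecurity http,
            Converter<Jwt, ? extends AbstractAuthenticationToken> jwtAuthenticationConverter) throws Exception {
        http.oauth2ResourceServer(oauth2 -> oauth2
                .jwt(jwt -> jwt.jwtAuthenticationConverter(jwtAuthenticationConverter)));
        http.authorizeHttpRequests(requests -> requests.anyRequest().authenticated());
        return http.build();
    }
}
```

Keeping the converter as a named bean rather than an inline lambda matters for the warning above: test annotations can only reuse a converter that is discoverable in the application context, and a converter defined inline in the filter chain is not.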

With spring-addons-starter-oidc, you might need no Java configuration at all, even in scenarios like:

  • accepting tokens issued by several trusted authorization servers
  • mapping authorities from a variety of claims
  • needing custom OAuth2 redirection URI or HTTP status
  • having per-environment CORS configuration (not allowing the same origins in staging and prod, for instance)
  • exposing CSRF token as a cookie accessible to a single-page application
  • logging out from an authorization server not strictly implementing RP-Initiated Logout (case of Auth0 and Amazon Cognito for instance)
  • adding extra parameters to authorization or token requests (like the audience required by Auth0)

Unit & Integration Testing With Security

Testing access control requires configuring the test security context. For that, spring-security-test provides MockMvc request post-processors and WebTestClient mutators, but these only work in the context of a request, which limits their usage to controllers.

To test any type of @Component (@Controller, of course, but also @Service and @Repository), there are only two options:

  • build the test security context yourself and populate it with stubbed / mocked authentications
  • use annotations to do it for you (this is where spring-addons-oauth2-test jumps in)
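To make the first option concrete, here is an added example (not code from spring-addons) of a JUnit 5 test that builds the security context by hand with a stubbed JWT and exercises a `@Service` guarded by `@PreAuthorize`, with no HTTP request involved. `GreetingService` and its `hasRole('NICE')` rule are hypothetical; the test assumes method security is enabled in the application (`@EnableMethodSecurity` on a configuration class) and that AssertJ is on the test classpath. Note that the stubbed `Jwt` never goes through a decoder, so no signature is checked: only the claims and authorities you put in the token matter for the access decision, which is exactly why such a test covers the authorization rule and nothing about token validation.

```java
// Added example, not part of spring-addons: option 1 above, done by hand.
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatThrownBy;

import java.util.Arrays;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.stereotype.Service;

// Hypothetical service under test: the access rule lives on the method,
// so it must be testable without any controller or HTTP layer.
@Service
class GreetingService {
    @PreAuthorize("hasRole('NICE')")
    public String greet() {
        var auth = SecurityContextHolder.getContext().getAuthentication();
        return "Hi %s! You are granted with %s.".formatted(auth.getName(), auth.getAuthorities());
    }
}

@SpringBootTest
class GreetingServiceTest {

    @Autowired
    GreetingService greetingService;

    // Always clear the context so one test's stubbed identity never leaks into the next.
    @AfterEach
    void clearSecurityContext() {
        SecurityContextHolder.clearContext();
    }

    // Builds a stubbed authentication from constructed claims. The token value is a
    // placeholder and the JWT bypasses decoding entirely; only claims and authorities count.
    private static JwtAuthenticationToken stubbedAuth(String username, String... roles) {
        Jwt jwt = Jwt.withTokenValue("stub-token-not-a-real-jwt")
                .header("alg", "none")
                .claim("sub", username)
                .claim("preferred_username", username)
                .build();
        var authorities = Arrays.stream(roles)
                .map(role -> new SimpleGrantedAuthority("ROLE_" + role))
                .toList();
        return new JwtAuthenticationToken(jwt, authorities, username);
    }

    @Test
    void whenNiceRole_thenGreetingIsReturned() {
        SecurityContextHolder.getContext().setAuthentication(stubbedAuth("ch4mp", "NICE"));
        assertThat(greetingService.greet()).contains("ch4mp").contains("ROLE_NICE");
    }

    @Test
    void whenRoleMissing_thenAccessDenied() {
        SecurityContextHolder.getContext().setAuthentication(stubbedAuth("igor"));
        assertThatThrownBy(greetingService::greet).isInstanceOf(AccessDeniedException.class);
    }
}
```

The second option above replaces the `stubbedAuth` helper and the `SecurityContextHolder` plumbing with an annotation on the test method, which is what spring-addons-oauth2-test provides; the assertions on the service behaviour stay the same either way.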

Useful resources:

About

License:Apache License 2.0


Languages

Language:Java 100.0%