- OAuth2 security configuration tutorials (with and without
spring-addons-starter-oidc) spring-addons-starter-oidca Spring Boot starter pushing OAuth2 clients & resource server security auto-configuration to the next levelspring-addons-oauth2-testannotations for populating test security-context with OAuth2 authentication instancesspring-addons-starter-oidc-testease unit-tests in applications usingspring-addons-starter-oidcspring-addons-starter-restexperimental auto-configuration forRestClient,WebClientand@HttpExchangeproxies (base-URL, Basic & OAuth2 Bearer auth)- Release Notes
- Maven-Central Reminders
Just added a Sponsor this project link to the repo ;-)
In 7.6.0, the experimental support for RestClient and WebClient builders as well as @HttpExchange (the successor of @FeignClient) is moved to a dedicated starter: spring-addons-starter-rest. As a reminder, it helps to get pre-configured client builders and @HttpExchange proxies with this clients
7.5.0 comes with an important refactoring of the way JWT decoder(s) configuration is resolved. This greatly eases "dynamic" multi-tenant scenarios implementation. The only noticeable breaking change is the removal of SpringAddonsOidcProperties::getOpProperties. This feature is now the responsibility of the newly introduced OpenidProviderPropertiesResolver. The default implementation resolves properties with an exact match on issuer (just as getOpProperties was doing). As usual, auto-configured bean backs-off if you expose one to use another properties resolving strategy.
Important warning for those using @WithJwt (and since 7.3.0, @WithMockJwtAuth) but not spring-addons-starter-oidc: you should expose your JWT converter as a bean. See spring-addons-oauth2-test README for details.
With spring-addons-starter-oidc, you might need 0 Java conf, even in scenarios like:
- accepting tokens issued by several trussted authorization servers
- mapping authorities from a variety of claims
- needing custom OAuth2 redirection URI or HTTP status
- having per environment CORS configuration (not allowing the same origins in staging and prod for instance)
- exposing CSRF token as a cookie accessible to a single-page application
- logging out from an authorization server not strictly implementing RP-Initiated Logout (case of Auth0 and Amazon Cognito for instance)
- adding extra parameters to authorization or token requests (like the
audiencerequired by Auth0)
Testing access control requires to configure the test security context. For that, spring-security-test provides with MockMvc request post-processors and WebTestClient mutators, but this can work only in the context of a request, which limits its usage to controllers.
To test any type of @Component (@Controller, off course, but also @Service and @Repository) there are only two options:
- build tests security context by yourself and populate it with stubbed / mocked authentications
- use annotations to do it for you (this is where spring-addons-oauth2-test jumps in)
Useful resources:
- spring-addons-oauth2-test contains tests annotations and its README documents usage
- spring-addons-starter-oidc-test if you use
spring-addons-starter-oidc - Baeldung arcticle
- samples and tutorials source-code (which contain a lot of unit and integration testing)