
Conversation

sjohnr

@sjohnr sjohnr commented Jan 27, 2023

This PR introduces support for Spring Authorization Server. It includes:

  • New module spring-boot-starter-oauth2-authorization-server
  • Dependency management of org.springframework.security:spring-security-oauth2-authorization-server
  • Support in spring-boot-autoconfigure for org.springframework.security:spring-security-oauth2-authorization-server

Overview

The auto-configuration is designed to closely match the Getting Started guide in the reference manual. When spring-security-oauth2-authorization-server is detected on the classpath, the following components are optionally registered:

  • RegisteredClientRepository
  • AuthorizationServerSettings
  • SecurityFilterChain for protocol endpoints
  • SecurityFilterChain for user authentication with Form Login
  • com.nimbusds.jose.jwk.source.JWKSource<SecurityContext> with a generated RSA key-pair
  • JwtDecoder that uses the provided JWKSource

Because Spring Authorization Server is built on top of Spring Security, the order in which components are registered in collaboration with existing auto-configuration is important.

The main consideration is that UserDetailsServiceAutoConfiguration continues to be allowed to publish a UserDetailsService if necessary. However, a JwtDecoder must also be published afterwards. This is in contrast with OAuth2ResourceServerAutoConfiguration, which prevents a UserDetailsService from being published.

Configuration

The OAuth2AuthorizationServerProperties allow configuring RegisteredClients and AuthorizationServerSettings. Here is a typical client configuration with default settings:

spring:
  security:
    oauth2:
      authorizationserver:
        client:
          messaging-client:
            registration:
              client-id: messaging-client
              client-secret: "{noop}secret"
              client-authentication-methods:
                - client_secret_basic
              authorization-grant-types:
                - authorization_code
                - refresh_token
                - client_credentials
              redirect-uris:
                - http://127.0.0.1:8080/login/oauth2/code/messaging-client-oidc
                - http://127.0.0.1:8080/authorized
              scopes:
                - openid
                - profile
                - message.read
                - message.write
            require-authorization-consent: true

Here is a full configuration example:

spring:
  security:
    oauth2:
      authorizationserver:
        issuer: https://provider.com
        endpoint:
          authorization-uri: /oauth2/authorize
          token-uri: /oauth2/token
          jwk-set-uri: /oauth2/jwks
          token-revocation-uri: /oauth2/revoke
          token-introspection-uri: /oauth2/introspect
          oidc:
            logout-uri: /connect/logout
            client-registration-uri: /connect/register
            user-info-uri: /userinfo
        client:
          messaging-client:
            registration:
              client-id: messaging-client
              client-secret: "{noop}secret"
              client-name: Messaging Client
              client-authentication-methods:
                - client_secret_basic
              authorization-grant-types:
                - authorization_code
                - refresh_token
                - client_credentials
                - urn:ietf:params:oauth:grant-type:device_code
              redirect-uris:
                - http://127.0.0.1:8080/login/oauth2/code/messaging-client-oidc
                - http://127.0.0.1:8080/authorized
              post-logout-redirect-uris:
                - http://127.0.0.1:8080/logout
              scopes:
                - openid
                - profile
                - message.read
                - message.write
            require-proof-key: true
            require-authorization-consent: true
            jwk-set-uri: http://127.0.0.1:8080/jwks
            token-endpoint-authentication-signing-algorithm: RS256
            token:
              authorization-code-time-to-live: 5m
              access-token-time-to-live: 5m
              access-token-format: self-contained
              reuse-refresh-tokens: false
              refresh-token-time-to-live: 60m

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Jan 27, 2023
@philwebb philwebb added type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged labels Jan 28, 2023
@philwebb philwebb added this to the 3.1.x milestone Jan 28, 2023
@sjohnr sjohnr force-pushed the sas-boot-integration branch 2 times, most recently from 846986b to 02dbdee on January 30, 2023 17:21
@mhalbritter
Contributor

mhalbritter commented Jan 31, 2023

Hi! It seems that the two auto-configuration classes OAuth2AuthorizationServerAutoConfiguration and OAuth2AuthorizationServerJwtAutoConfiguration are not configured in the org.springframework.boot.autoconfigure.AutoConfiguration.imports file and won't be loaded.

Is it possible to add a smoke test for the OAuth2 Authorization Server to catch such bugs and verify that it works correctly in a Boot application?

@mhalbritter mhalbritter added the status: waiting-for-feedback We need additional information before we can continue label Jan 31, 2023
@sjohnr sjohnr force-pushed the sas-boot-integration branch from 665324a to 1dbdd61 on February 1, 2023 23:17
@sjohnr
Author

sjohnr commented Feb 1, 2023

@mhalbritter I've added the imports and a few basic smoke tests.

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Feb 1, 2023
@mhalbritter
Contributor

Thank you!

@mhalbritter mhalbritter removed the status: feedback-provided Feedback has been provided label Feb 2, 2023
@sjohnr
Author

sjohnr commented Feb 7, 2023

Hi @mhalbritter! Just checking to see if there is any additional feedback on this PR? I'm especially interested in feedback related to the config properties. If there are any changes needed, I will sync up with @jgrandja and make any needed updates ready for review.

@mhalbritter
Contributor

Hey, I'll bring it up on the next team meeting.

@mhalbritter mhalbritter added the for: team-meeting An issue we'd like to discuss as a team to make progress label Feb 7, 2023
@mbhave mbhave self-assigned this Feb 14, 2023
@mbhave mbhave removed the for: team-meeting An issue we'd like to discuss as a team to make progress label Feb 14, 2023
@sjohnr sjohnr force-pushed the sas-boot-integration branch 4 times, most recently from cc3d1c7 to 1ef34e1 on March 14, 2023 18:45
@sjohnr sjohnr force-pushed the sas-boot-integration branch from 1ef34e1 to e4f6c66 on March 16, 2023 19:12
@sjohnr sjohnr force-pushed the sas-boot-integration branch from e4f6c66 to 84a20ab on March 21, 2023 20:05
mbhave pushed a commit that referenced this pull request Mar 22, 2023
mbhave added a commit that referenced this pull request Mar 22, 2023
@mbhave mbhave closed this in ff530e7 Mar 22, 2023
@mbhave
Contributor

mbhave commented Mar 22, 2023

Thanks for the PR @sjohnr. It's been merged into main along with this polish commit.

@mbhave mbhave modified the milestones: 3.1.x, 3.1.0-M2 Mar 22, 2023
sjohnr pushed a commit to sjohnr/spring-boot that referenced this pull request May 9, 2023
Fixes an issue where auto-configuration for Spring Authorization Server
was overriding the default exception handling (AuthenticationEntryPoint)
resulting in anonymous requests to the token endpoint being redirected
to the Spring Security login page instead of returning 401 Unauthorized.

Auto-configuration now registers a defaultAuthenticationEntryPointFor
that is added to any other entry points already configured.

See spring-projectsgh-34003
@sjohnr sjohnr deleted the sas-boot-integration branch June 28, 2023 21:49