Replacement for OAuth2FeignRequestInterceptor from spring-cloud-security?

[ralf-br]

Is your feature request related to a problem? Please describe.
For my Feign Clients I need to add an RequestInterceptor which enhances the requests with an OAuth Bearer Token. I still use the OAuth2FeignRequestInterceptor. But it simply states @deprecated will move to Spring Cloud Openfeign in next major release

I need quite it's features as the oAuth provider Auth0 requires a non standard attribute "audience" - so I configure the interceptor with customized versions of DefaultOAuth2ClientContext, DefaultAccessTokenRequest, DefaultRequestEnhancer, ClientCredentialsAccessTokenProvider (which themselves all get @deprecated - but the Migration Guide doesn't really help me yet)

Describe the solution you'd like
A 1:1 replacement for the OAuth2FeignRequestInterceptor
or an equivalent which can handle additional attributes in the token request needed for Auth0 ("audience").

Describe alternatives you've considered
I stay with the deprecated OAuth2FeignRequestInterceptor and ignore all the Warnings in the logs and IDE 👎

Additional context
There is also a question on StackOverflow addressing this issue from somebody else - but no answers or ideas yet.

[spencergibb]

See spring-attic/spring-cloud-security#231

[spadge4711]

@spencergibb this issue was not resolved: the OAuth2FeignRequestInterceptor class was moved to spring-cloud-openfeign, but the dependent classes like OAuth2ClientContext & OAuth2ProtectedResourceDetails have been deprecated and are now missing in spring security 5.x

[wikisamuel]

I agree. ClientCredentialsResourceDetails is missing too.

[mxmlnglt]

... and what do we do in the mean time then???

[MelleD]

@spencergibb Is it just moving the classes or is there a bigger problem with the integration? The project will soon be EOL, so a complete migration would be great.

[spencergibb]

it's more than moving classes. It is a rewrite. see spring-cloud/spring-cloud-gateway@96be5f4 for the gateway example

[mxmlnglt]

FYI, I managed to code my own "custom" OAuth2FeignRequestInterceptor by following one of the answers here (from @ddewaele ): https://stackoverflow.com/questions/63283022/feign-and-spring-security-5-client-credentials

But there are other similar questions @ https://stackoverflow.com/search?q=OAuth2FeignRequestInterceptor

[cforce]

I can not distill from above comments and stack overflow what is a valid approach bassing on spring security 5.
I am missing integration/migration guides for feign like this one https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide where Feign unfortunately is not handled.
@spencergibb please give advice

[lvohra]

looks like Swagger’s default template is using OAuth2 for the client generation along with other custom interceptors.

i injected dependency manually with sprinng 2.5.5 and it works:

implementation group: 'org.springframework.cloud', name: 'spring-cloud-security', version: '2.0.0.RELEASE'

[MelleD]

Is there an update and a solution here?

if not does anyone have an example of what to implement exactly? The example with the gateway didn't get me any further...

[mxmlnglt]

@MelleD

did you check my tips above?

[MelleD]

@mxmlnglt yes a POC works with this approach. Did not try what happen if the token is expired, but IMHO would that be a good general interceptor, but ok.

[mikeut]

Hi, I'm having a problem with this in Spring Boot 3, spring cloud 2022.0.3, and spring-security-oauth 2.5.2-RELEASE. I'm trying to generate a feign client with the usage of openapi-generator-maven-plugin and I keep getting the error:

package org.springframework.cloud.security.oauth2.client.feign does not exist

The pom file I'm using:

`

<modelVersion>4.0.0</modelVersion>
<groupId>com.example</groupId>
<artifactId>example-client</artifactId>
<version>${revision}</version>
<packaging>jar</packaging>
<name>client</name>

<properties>
    <revision>1.0-SNAPSHOT</revision>
    <maven.compiler.source>17</maven.compiler.source>
    <maven.compiler.target>17</maven.compiler.target>
    <!-- Spring -->

    <spring-boot.version>3.1.1</spring-boot.version>
    <spring-cloud.version>2022.0.3</spring-cloud.version>
    <spring-security-oauth2.version>2.5.2.RELEASE</spring-security-oauth2.version>
    <!-- OpenAPI -->
    <jackson-databind-nullable.version>0.2.4</jackson-databind-nullable.version>
    <!-- Maven plugins -->
    <plugin.openapi-generator.version>7.0.0-beta</plugin.openapi-generator.version>
    <jacoco-plugin.version>0.8.10</jacoco-plugin.version>
    <whitesource-plugin.version>20.7.1</whitesource-plugin.version>
    <compiler-plugin.version>3.8.1</compiler-plugin.version>
    <compiler-plugin.version>3.8.1</compiler-plugin.version>
    <surefire-plugin.version>3.1.0</surefire-plugin.version>
</properties>

<dependencyManagement>
    <dependencies>
        <!-- Spring Boot BOM -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-dependencies</artifactId>
            <version>${spring-boot.version}</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>
        <!-- Feign -->
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-dependencies</artifactId>
            <version>${spring-cloud.version}</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>
    </dependencies>
</dependencyManagement>

<dependencies>
    <dependency>
        <groupId>javax.inject</groupId>
        <artifactId>javax.inject</artifactId>
        <version>1</version>
    </dependency>
    <!-- Spring Feign -->
    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-starter-openfeign</artifactId>
        <exclusions>
            <exclusion>
                <artifactId>spring-web</artifactId>
                <groupId>org.springframework</groupId>
            </exclusion>
            <exclusion>
                <artifactId>snakeyaml</artifactId>
                <groupId>org.yaml</groupId>
            </exclusion>
        </exclusions>
    </dependency>
    <!-- Spring security -->
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-oauth2-client</artifactId>
        <exclusions>
            <exclusion>
                <artifactId>spring-security-core</artifactId>
                <groupId>org.springframework.security</groupId>
            </exclusion>
            <exclusion>
                <artifactId>spring-security-web</artifactId>
                <groupId>org.springframework.security</groupId>
            </exclusion>
        </exclusions>
    </dependency>
    <dependency>
        <groupId>org.springframework.security.oauth</groupId>
        <artifactId>spring-security-oauth2</artifactId>
        <version>${spring-security-oauth2.version}</version>
        <exclusions>
            <exclusion>
                <artifactId>spring-webmvc</artifactId>
                <groupId>org.springframework</groupId>
            </exclusion>
            <exclusion>
                <artifactId>spring-security-config</artifactId>
                <groupId>org.springframework.security</groupId>
            </exclusion>
            <exclusion>
                <artifactId>spring-security-web</artifactId>
                <groupId>org.springframework.security</groupId>
            </exclusion>
        </exclusions>
    </dependency>

    <!-- JSON -->
    <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-annotations</artifactId>
    </dependency>
    <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
    </dependency>
    <!-- OpenAPI -->
    <dependency>
        <groupId>org.openapitools</groupId>
        <artifactId>jackson-databind-nullable</artifactId>
        <version>${jackson-databind-nullable.version}</version>
    </dependency>
    <dependency>
        <groupId>jakarta.validation</groupId>
        <artifactId>jakarta.validation-api</artifactId>
    </dependency>
    <!-- Testing -->
    <dependency>
        <groupId>org.junit.jupiter</groupId>
        <artifactId>junit-jupiter-api</artifactId>
        <scope>test</scope>
    </dependency>
</dependencies>

<build>
    <plugins>
        <!-- Generate sources from OpenAPI definition -->
        <plugin>
            <groupId>org.openapitools</groupId>
            <artifactId>openapi-generator-maven-plugin</artifactId>
            <version>${plugin.openapi-generator.version}</version>
            <executions>
                <execution>
                    <phase>generate-sources</phase>
                    <goals>
                        <goal>generate</goal>
                    </goals>
                    <configuration>
                        <generatorName>spring</generatorName>
                        <library>spring-cloud</library>
                        <inputSpec>${project.basedir}/src/main/resources/openapi/openapi.yaml</inputSpec>
                        <output>${project.build.directory}/generated-sources</output>
                        <apiPackage>client.api</apiPackage>
                        <modelPackage>client.model</modelPackage>
                        <removeOperationIdPrefix>true</removeOperationIdPrefix>
                        <configOptions>
                            <sourceFolder>src/gen/java</sourceFolder>
                            <configPackage>client.configuration</configPackage>
                            <dateLibrary>java8-localdatetime</dateLibrary>
                            <booleanGetterPrefix>is</booleanGetterPrefix>
                            <useBeanValidation>true</useBeanValidation>
                            <useSwaggerUI>false</useSwaggerUI>
                            <documentationProvider>none</documentationProvider>
                            <openApiNullable>false</openApiNullable>
                            <useSpringBoot3>true</useSpringBoot3>
                        </configOptions>
                        <verbose>false</verbose>
                    </configuration>
                </execution>
            </executions>
        </plugin>
        <plugin>
            <groupId>org.jacoco</groupId>
            <artifactId>jacoco-maven-plugin</artifactId>
            <version>${jacoco-plugin.version}</version>
            <executions>
                <execution>
                    <id>prepare-agent</id>
                    <goals>
                        <goal>prepare-agent</goal>
                    </goals>
                </execution>
                <execution>
                    <id>report</id>
                    <phase>prepare-package</phase>
                    <goals>
                        <goal>report</goal>
                    </goals>
                </execution>
            </executions>
        </plugin>
        <plugin>
            <artifactId>maven-compiler-plugin</artifactId>
            <version>${compiler-plugin.version}</version>
            <configuration>
                <parameters>true</parameters>
            </configuration>
        </plugin>
        <plugin>
            <artifactId>maven-surefire-plugin</artifactId>
            <version>${surefire-plugin.version}</version>
        </plugin>
    </plugins>
</build>

The above-proposed solution can't be used because everything is auto-generated. Did anybody else encounter this problem?

[MelleD]

@mikeut I think you are in the wrong issue tracker, this is related to the open api generator project.
And yes, org.springframework.cloud.security.oauth2.client.feign is no longer used there.