Skip to content

Spring Security OAuth2 Client Authorized Clients for Spring MVC #36102

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
daniel-shuy opened this issue Jun 28, 2023 · 2 comments
Closed

Spring Security OAuth2 Client Authorized Clients for Spring MVC #36102

daniel-shuy opened this issue Jun 28, 2023 · 2 comments
Labels
status: declined A suggestion or change that we don't feel we should currently apply

Comments

@daniel-shuy
Copy link

Spring Security OAuth2 Client only supports authorized clients with WebClient, not RestTemplate (https://docs.spring.io/spring-security/reference/6.1/reactive/oauth2/client/authorized-clients.html).

While WebClient works for Spring MVC (Servlet), ReactiveOAuth2ClientAutoConfiguration is only enabled if the application is a reactive web application:

spring-boot/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/client/reactive/ReactiveOAuth2ClientAutoConfiguration.java

Lines 43 to 56 in ae50fa6

@Conditional(ReactiveOAuth2ClientAutoConfiguration.NonServletApplicationCondition.class)
@ConditionalOnClass({ Flux.class, EnableWebFluxSecurity.class, ClientRegistration.class })
@Import({ ReactiveOAuth2ClientConfigurations.ReactiveClientRegistrationRepositoryConfiguration.class,
ReactiveOAuth2ClientConfigurations.ReactiveOAuth2ClientConfiguration.class })
public class ReactiveOAuth2ClientAutoConfiguration {
static class NonServletApplicationCondition extends NoneNestedConditions {
NonServletApplicationCondition() {
super(ConfigurationPhase.PARSE_CONFIGURATION);
}
@ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.SERVLET)
static class ServletApplicationCondition {

Trying to use authorized clients with WebClient for Spring MVC fails because there is no ReactiveClientRegistrationRepository bean.

Therefore at the moment, it is not possible to use Spring Security OAuth2 Client Authorized Clients with Spring MVC.

Is there any issue enabling ReactiveOAuth2ClientAutoConfiguration even if the application is not a reactive web application? If not, maybe the @Conditional can be removed from ReactiveOAuth2ClientAutoConfiguration.
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Jun 28, 2023
@wilkinsona
Copy link
Member

Thanks for the suggestion. Things used to work this way but the conditions were changed based on a recommendation from @rwinch. Some changes to this were discussed in #27839 but it didn't really reach a conclusion.

Have you seen this Spring Security sample that @mbhave linked to in #27839? It shows how a WebClient that uses authorized clients can be set up in a Servlet environment.

@wilkinsona wilkinsona added the status: waiting-for-feedback We need additional information before we can continue label Jun 28, 2023
@daniel-shuy
Copy link
Author

My bad, didn't notice the documentation under the servlet applications section (https://docs.spring.io/spring-security/reference/6.1/servlet/oauth2/client/authorized-clients.html), I'll close this issue, thanks for the quick reply!

@wilkinsona wilkinsona added status: declined A suggestion or change that we don't feel we should currently apply and removed status: waiting-for-feedback We need additional information before we can continue status: waiting-for-triage An issue we've not yet triaged labels Jun 28, 2023
@wilkinsona wilkinsona closed this as not planned Won't fix, can't repro, duplicate, stale Jun 28, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
status: declined A suggestion or change that we don't feel we should currently apply
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@wilkinsona @spring-projects-issues @daniel-shuy