Closed
Description
Describe the bug
When ClientRegistrations is used to obtain meta data from issuer that has an invalid HTTPS certificate (in my case, self-signed), it fails with error
Caused by: java.lang.IllegalArgumentException: Unable to resolve Configuration with the provided Issuer of "https://redacted/keycloak/realms/redacted"
at org.springframework.security.oauth2.client.registration.ClientRegistrations.getBuilder(ClientRegistrations.java:228)
at org.springframework.security.oauth2.client.registration.ClientRegistrations.fromIssuerLocation(ClientRegistrations.java:152)
at org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientPropertiesMapper.getBuilderFromIssuerIfPossible(OAuth2ClientPropertiesMapper.java:97)
Caused by: org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://redacted/keycloak/realms/redacted/.well-known/openid-configuration": PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path t
o requested target
at org.springframework.web.client.RestTemplate.createResourceAccessException(RestTemplate.java:905)
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:885)
at org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:731)
at org.springframework.security.oauth2.client.registration.ClientRegistrations.lambda$oidc$0(ClientRegistrations.java:163)
at org.springframework.security.oauth2.client.registration.ClientRegistrations.getBuilder(ClientRegistrations.java:216)
To Reproduce
Minimal application.yml
spring:
security:
oauth2:
client:
registration:
keycloak:
client-id: secret
client-secret: secret
provider:
keycloak:
issuer-uri: https://redacted/keycloak/realms/realm
user-name-attribute: preferred_username
Dependencies
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-oauth2-client</artifactId>
</dependency>
Configuration bean
@Configuration
@EnableWebFluxSecurity
public class SecurityConfiguration {
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
return http.oauth2Login(withDefaults()).build();
}
}
Spring Boot 3.2.0-RC2, Spring Security 6.2.0-RC2
Expected behavior
I can override WebClient instances for each service that calls my provider and provide a valid TLS certification path. But I cannot do it for ClientRegistrations.
Sample
A link to a GitHub repository with a minimal, reproducible sample.
Reports that include a sample will take priority over reports that do not.
At times, we may require a sample, so it is good to try and include a sample up front.