ClientRegistrations RestTemplate not configurable #14176

Closed
@ZIRAKrezovic

Description

Describe the bug

When ClientRegistrations is used to obtain metadata from an issuer that has an invalid HTTPS certificate (in my case, self-signed), it fails with the error

Caused by: java.lang.IllegalArgumentException: Unable to resolve Configuration with the provided Issuer of "https://redacted/keycloak/realms/redacted"
        at org.springframework.security.oauth2.client.registration.ClientRegistrations.getBuilder(ClientRegistrations.java:228)
        at org.springframework.security.oauth2.client.registration.ClientRegistrations.fromIssuerLocation(ClientRegistrations.java:152)
        at org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientPropertiesMapper.getBuilderFromIssuerIfPossible(OAuth2ClientPropertiesMapper.java:97)
Caused by: org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://redacted/keycloak/realms/redacted/.well-known/openid-configuration": PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at org.springframework.web.client.RestTemplate.createResourceAccessException(RestTemplate.java:905)
        at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:885)
        at org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:731)
        at org.springframework.security.oauth2.client.registration.ClientRegistrations.lambda$oidc$0(ClientRegistrations.java:163)
        at org.springframework.security.oauth2.client.registration.ClientRegistrations.getBuilder(ClientRegistrations.java:216)

To Reproduce

Minimal application.yml

spring:
  security:
    oauth2:
      client:
        registration:
          keycloak:
            client-id: secret
            client-secret: secret
        provider:
          keycloak:
            issuer-uri: https://redacted/keycloak/realms/realm
            user-name-attribute: preferred_username

Dependencies

<dependency>
	<groupId>org.springframework.boot</groupId>
	<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
	<groupId>org.springframework.security</groupId>
	<artifactId>spring-security-oauth2-client</artifactId>
</dependency>

Configuration bean

import static org.springframework.security.config.Customizer.withDefaults;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Configuration
@EnableWebFluxSecurity
public class SecurityConfiguration {
    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        // OAuth2 login with defaults; the registration and provider come from application.yml
        return http.oauth2Login(withDefaults()).build();
    }
}

Spring Boot 3.2.0-RC2, Spring Security 6.2.0-RC2

Expected behavior

I can override WebClient instances for each service that calls my provider and provide a valid TLS certification path. But I cannot do it for ClientRegistrations.

Sample

A link to a GitHub repository with a minimal, reproducible sample.

Reports that include a sample will take priority over reports that do not.
At times, we may require a sample, so it is good to try and include a sample up front.
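Since the RestTemplate inside ClientRegistrations cannot be given a custom trust store, one workaround that keeps certificate validation enabled is to fetch the discovery document yourself with a trust-configured RestTemplate and build the ClientRegistration from it. This is an added example, not code from the issue or from the Spring projects; it assumes a Spring Boot SSL bundle named keycloak-ca (declared via spring.ssl.bundle.jks.keycloak-ca.truststore.location and .password, pointing at a truststore that holds only the self-signed CA), the redacted issuer URL as a placeholder, and the client-id and client-secret values from the report's application.yml.

```java
import java.net.URI;
import java.util.Map;

import org.springframework.boot.ssl.SslBundles;
import org.springframework.boot.web.client.RestTemplateBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.InMemoryReactiveClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.web.client.RestTemplate;

@Configuration
public class KeycloakRegistrationConfig {
    // Placeholder for the issuer that is redacted in the report.
    private static final String ISSUER = "https://redacted/keycloak/realms/realm";

    @Bean
    public ReactiveClientRegistrationRepository clientRegistrationRepository(SslBundles sslBundles) {
        // "keycloak-ca" is an assumed bundle name (spring.ssl.bundle.jks.keycloak-ca.*) whose
        // truststore holds only the self-signed CA; chain and hostname validation stay on.
        RestTemplate rest = new RestTemplateBuilder()
                .setSslBundle(sslBundles.getBundle("keycloak-ca"))
                .build();
        // Same discovery request ClientRegistrations makes, now over the trusted connector.
        @SuppressWarnings("unchecked")
        Map<String, Object> metadata = rest.getForObject(
                URI.create(ISSUER + "/.well-known/openid-configuration"), Map.class);
        // Reject a document whose "issuer" claim does not match the configured issuer.
        if (metadata == null || !ISSUER.equals(metadata.get("issuer"))) {
            throw new IllegalStateException("Discovery document issuer mismatch for " + ISSUER);
        }

        ClientRegistration keycloak = ClientRegistration.withRegistrationId("keycloak")
                .clientId("secret")          // values taken from the report's application.yml
                .clientSecret("secret")
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .redirectUri("{baseUrl}/{action}/oauth2/code/{registrationId}")
                .scope("openid")
                .issuerUri(ISSUER)
                .authorizationUri((String) metadata.get("authorization_endpoint"))
                .tokenUri((String) metadata.get("token_endpoint"))
                .jwkSetUri((String) metadata.get("jwks_uri"))
                .userInfoUri((String) metadata.get("userinfo_endpoint"))
                .userNameAttributeName("preferred_username")
                .build();
        return new InMemoryReactiveClientRegistrationRepository(keycloak);
    }
}
```

Because this bean replaces the auto-configured ReactiveClientRegistrationRepository, the spring.security.oauth2.client.provider block in application.yml is no longer consulted, so the startup call to ClientRegistrations.fromIssuerLocation that produced the PKIX error never runs.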

Labels

in: oauth2 (An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose))
status: declined (A suggestion or change that we don't feel we should currently apply)
type: bug (A general bug)
