Ease OAuth2 / OpenID Configuration & Tests in Spring Boot 3

Useful links

• OAuth2 security configuration tutorials (with and without spring-addons-starter-oidc)
• spring-addons-starter-oidc a Spring Boot starter pushing OAuth2 clients & resource server security auto-configuration to the next level
• spring-addons-oauth2-test annotations for populating test security-context with OAuth2 authentication instances
• spring-addons-starter-oidc-test ease unit-tests in applications using spring-addons-starter-oidc
• spring-addons-starter-rest experimental auto-configuration for RestClient, WebClient and @HttpExchange proxies (base-URL, Basic & OAuth2 Bearer auth)
• Release Notes
• Maven-Central Reminders

Breaking News

Just added a Sponsor this project link to the repo ;-)

The OAuth2 BFF tutorial is now on Baeldung. It was deeply refreshed in the process and now contains samples for Angular, React (Next.js) and Vue (Vite).

In 7.6.0, the experimental support for RestClient and WebClient builders as well as @HttpExchange (the successor of @FeignClient) is moved to a dedicated starter: spring-addons-starter-rest. As a reminder, it helps to get pre-configured client builders and @HttpExchange proxies with this clients

7.5.0 comes with an important refactoring of the way JWT decoder(s) configuration is resolved. This greatly eases "dynamic" multi-tenant scenarios implementation. The only noticeable breaking change is the removal of SpringAddonsOidcProperties::getOpProperties. This feature is now the responsibility of the newly introduced OpenidProviderPropertiesResolver. The default implementation resolves properties with an exact match on issuer (just as getOpProperties was doing). As usual, auto-configured bean backs-off if you expose one to use another properties resolving strategy.

Important warning for those using @WithJwt (and since 7.3.0, @WithMockJwtAuth) but not spring-addons-starter-oidc: you should expose your JWT converter as a bean. See spring-addons-oauth2-test README for details.

OIDC starter

With spring-addons-starter-oidc, you might need 0 Java conf, even in scenarios like:

• accepting tokens issued by several trussted authorization servers
• mapping authorities from a variety of claims
• needing custom OAuth2 redirection URI or HTTP status
• having per environment CORS configuration (not allowing the same origins in staging and prod for instance)
• exposing CSRF token as a cookie accessible to a single-page application
• logging out from an authorization server not strictly implementing RP-Initiated Logout (case of Auth0 and Amazon Cognito for instance)
• adding extra parameters to authorization or token requests (like the audience required by Auth0)

Unit & Integration Testing With Security

Testing access control requires to configure the test security context. For that, spring-security-test provides with MockMvc request post-processors and WebTestClient mutators, but this can work only in the context of a request, which limits its usage to controllers.

To test any type of @Component (@Controller, off course, but also @Service and @Repository) there are only two options:

• build tests security context by yourself and populate it with stubbed / mocked authentications
• use annotations to do it for you (this is where spring-addons-oauth2-test jumps in)

Useful resources:

• spring-addons-oauth2-test contains tests annotations and its README documents usage
• spring-addons-starter-oidc-test if you use spring-addons-starter-oidc
• Baeldung article
• samples and tutorials source-code (which contain a lot of unit and integration testing)