Expected Behavior
It would be nice if the Spring framework could automatically configure the OAuth2 resource server for either JWT or opaque token validation, depending on which properties the user has set.
For example, if the user has set the properties below, then Spring should automatically attempt to configure JWT validation (without the user having to specify it in the configure method):
spring.security.oauth2.resourceserver.jwt.issuer-uri
spring.security.oauth2.resourceserver.jwt.jwk-set-uri
And if the properties below are set, then Spring must auto-configure Opaque Token validation mode:
spring.security.oauth2.resourceserver.opaquetoken.client-id
spring.security.oauth2.resourceserver.opaquetoken.client-secret
spring.security.oauth2.resourceserver.opaquetoken.introspection-uri
Current Behavior
Currently, it requires the user to explicitly specify the OAuth2 resource server configuration to validate either JWT or Opaque Token.
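import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;

@Configuration
public class SampleConfigurerAdapter extends org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Require authentication for every request, then pick one token format.
        http.authorizeRequests()
                .anyRequest().authenticated()
                .and()
                // .oauth2ResourceServer().jwt(); // do either JWT or Opaque at a time
                .oauth2ResourceServer().opaqueToken();
        // ...
        // ...
    }
}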
Context
Comment From: jzheaux
Hi, @arvindkrishnakumar-okta, thanks for the suggestion. Unless I've misunderstood you, though, we'll unfortunately have to decline.
If you don't specify a WebSecurityConfigurerAdapter, Spring already works as you describe. Spring Boot is what reads your properties and configures a WebSecurityConfigurerAdapter instance.
Once you configure your own WebSecurityConfigurerAdapter, Spring Boot won't configure one for you. And, any WebSecurityConfigurerAdapter must specify its authentication mechanisms. You'll notice that Spring Boot has to obey the same rules.
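The rule described in the comment above still leaves room for a custom adapter that chooses its mechanism from the same properties. The following is an added example, not code from the thread or from Spring; the class name `PropertyDrivenResourceServerConfig` is hypothetical, and it assumes the Spring Security 5.x API used on this page and that Spring Boot still registers the `JwtDecoder` or `OpaqueTokenIntrospector` bean from the properties.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.env.Environment;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Added example: hypothetical class, not part of Spring or of the original issue.
@Configuration
public class PropertyDrivenResourceServerConfig extends WebSecurityConfigurerAdapter {

    private static final String PREFIX = "spring.security.oauth2.resourceserver.";

    private final Environment env;

    public PropertyDrivenResourceServerConfig(Environment env) {
        this.env = env;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Property keys are the ones listed in the issue.
        boolean jwt = env.containsProperty(PREFIX + "jwt.issuer-uri")
                || env.containsProperty(PREFIX + "jwt.jwk-set-uri");
        boolean opaque = env.containsProperty(PREFIX + "opaquetoken.introspection-uri");

        // Fail closed at startup: an ambiguous or empty configuration must not
        // silently select a validation mode (or none at all).
        if (jwt == opaque) {
            throw new IllegalStateException(
                    "Set exactly one of " + PREFIX + "jwt.* or " + PREFIX + "opaquetoken.*");
        }

        http.authorizeRequests().anyRequest().authenticated();

        // The adapter still names its authentication mechanism explicitly;
        // only the choice between the two is driven by configuration.
        if (jwt) {
            http.oauth2ResourceServer().jwt();
        } else {
            http.oauth2ResourceServer().opaqueToken();
        }
    }
}
```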