I am using Spring Boot 2.4.0 and Spring Cloud 2020.0.0-M6.
I just migrated the OAuth clients in my codebase from using Spring Security OAuth to using Spring Security 5's OAuth support (following https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide).
I got all of my clients to successfully retrieve tokens and send them along to downstream services appropriately. However, once I got this to work, I noticed that I could no longer access any of my Spring Boot Actuator endpoints, which had been protected by Basic Authentication.
After debugging, I discovered that the reason is because in UserDetailsServiceAutoConfiguration the instantiation of the InMemoryUserDetailsManager is gated by the existence of the ClientRegistrationRepository:
https://github.com/spring-projects/spring-boot/blob/8bab47dacb2ba9274636209a281be99cc528c245/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/servlet/UserDetailsServiceAutoConfiguration.java#L70-L81
You can see from https://github.com/spring-projects/spring-boot/issues/10531#issuecomment-359142658 that this was a deliberate decision, but there are legitimate use cases where we would want both OAuth2 and Basic Authentication.
My specific use case is only using OAuth2 for downstream communication, but needing basic authentication for Actuator endpoints.
Could we please add a property that allows the InMemoryUserDetailsManager bean to be built so that we do not have to copy/paste configuration code to get this to work?
Comment From: wilkinsona
There's a little bit of background for this on Gitter.
Comment From: mbhave
@solidjb InMemoryUserDetailsManager, as stated in its javadoc, is meant mainly for testing purposes and not recommended for use in production. Furthermore, starting with Spring Boot 2.0, we've tried to keep the security auto-configuration as simple as possible. In this case, since the application requires OAuth and the actuators need basic auth, we think it is best if custom configuration such as this is completely controlled by the user. I don't think there is much to gain by adding a property as adding the bean isn't that much code. Thanks anyway for the suggestion.
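
One way to write the user-controlled configuration discussed in this thread, added here as an example and not code from the issue or from Spring Boot. It assumes Spring Security 5.4 (as shipped with Spring Boot 2.4); the package and class names, the `actuator.security.*` property names and the `ACTUATOR` role are hypothetical.

```java
package com.example.actuatorsecurity; // hypothetical package

import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ActuatorBasicAuthConfig {

    @Bean
    PasswordEncoder passwordEncoder() {
        // Delegating encoder: stores "{bcrypt}..." so the algorithm can change later.
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    // Explicit replacement for the bean that UserDetailsServiceAutoConfiguration no longer
    // creates. No default values: startup fails if the (hypothetical) properties are
    // missing, so the application never runs with a blank or generated credential.
    @Bean
    InMemoryUserDetailsManager actuatorUsers(
            @Value("${actuator.security.username}") String username,
            @Value("${actuator.security.password}") String password,
            PasswordEncoder encoder) {
        return new InMemoryUserDetailsManager(User.withUsername(username)
                .password(encoder.encode(password))
                .roles("ACTUATOR")
                .build());
    }

    // This chain matches Actuator endpoints only; every other path needs its own chain.
    @Bean
    @Order(1)
    SecurityFilterChain actuatorChain(HttpSecurity http) throws Exception {
        http.requestMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeRequests(a -> a.anyRequest().hasRole("ACTUATOR"))
            .httpBasic(Customizer.withDefaults())
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
        return http.build();
    }
}
```

Supply the two properties from the environment or a secret store rather than a committed `application.properties`.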