Describe the bug

Caused by: org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://.../.well-known/openid-configuration": PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at org.springframework.web.client.RestTemplate.createResourceAccessException(RestTemplate.java:888)
    at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:868)
    at org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:714)
    at org.springframework.security.oauth2.client.registration.ClientRegistrations.lambda$oidc$0(ClientRegistrations.java:163)
    at org.springframework.security.oauth2.client.registration.ClientRegistrations.getBuilder(ClientRegistrations.java:216)
    ... 58 common frames omitted

To Reproduce

Don't have the SSL certificate in the cacerts and use Spring Boot Security - OAuth2 Client 6.1.5.

Expected behavior

Either it should depend on the RestTemplate bean or should accept the certificate.

Sample

Used SSL configuration as well:

```yaml
spring:
  ssl:
    bundle:
      pem:
        client:
          truststore:
            certificate: "classpath:config/tls/certs.crt"
server:
  ssl:
    bundle: "client"
  http2:
    enabled: true
```
Comment From: ZIRAKrezovic
I had the same issue but the resolution was ultimately set to "Won't Fix". I hope with one more person around with the same problem they'll change their mind.
https://github.com/spring-projects/spring-security/issues/14176
Comment From: sjohnr
@Jatish-Khanna thanks for reaching out!
As pointed out by @ZIRAKrezovic, we have had similar reports in the past. Please see this comment on gh-8882, which states:
ClientRegistrations is intended to be used as a utility/convenience class. It was designed to fulfill most use cases, however, it may not be suitable for certain use cases. For example, if the internal network traffic must be routed through a Proxy, you can bypass discovery by configuring the authorization-uri and token-uri property instead of the issuer-uri property.
You are encouraged to specify the ClientRegistrationRepository yourself, as the convenience of the ClientRegistrations utility class used by Spring Boot when configuring from properties is not intended for advanced cases like this one.
For other aspects of OAuth2 Client, we have added a feature in the 6.2 release (see gh-13587) that simplifies configuration. The reference docs include an example of how to customize the RestOperations used by OAuth2 Client components.
In other words, you can override all of the components you need by publishing your own beans. As stated in the above comment, there are no plans to integrate directly with a Spring Boot provided RestTemplate. See the comment and issue for context on that.
I'm going to close this with the above explanation. If you have any questions about the new feature in 6.2 or anything else, please feel free to open a stackoverflow question and post a link here and I'll be happy to take a look! If you have any suggested improvements, please open a specific issue and link it here.
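The workaround recommended in the thread, publishing your own ClientRegistrationRepository with the provider endpoints spelled out so that ClientRegistrations never performs the discovery GET, as an added example that is not part of this issue or of the Spring Security project. The registration id "internal-idp", the property names app.idp.client-id / app.idp.client-secret, and the endpoint paths under the placeholder issuer are assumptions; the real values come from the provider's openid-configuration document.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;

@Configuration
public class OAuth2ClientConfig {

    // Placeholder issuer; substitute the provider's real issuer value.
    private static final String ISSUER = "https://issuer.example.internal";

    // Endpoint paths are placeholders: copy authorization_endpoint, token_endpoint,
    // jwks_uri and userinfo_endpoint from the provider's openid-configuration.
    private static final String AUTHORIZATION_URI = ISSUER + "/oauth2/authorize";
    private static final String TOKEN_URI = ISSUER + "/oauth2/token";
    private static final String JWK_SET_URI = ISSUER + "/oauth2/jwks";
    private static final String USER_INFO_URI = ISSUER + "/userinfo";

    @Bean
    ClientRegistrationRepository clientRegistrationRepository(
            @Value("${app.idp.client-id}") String clientId,          // assumed property name
            @Value("${app.idp.client-secret}") String clientSecret) { // assumed property name

        // Building the registration directly means no HTTP call is made at startup;
        // the PKIX failure from the report (raised inside ClientRegistrations.getBuilder)
        // cannot occur here because discovery is skipped entirely.
        ClientRegistration registration = ClientRegistration.withRegistrationId("internal-idp")
            .clientId(clientId)
            .clientSecret(clientSecret)
            .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
            .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
            .redirectUri("{baseUrl}/login/oauth2/code/{registrationId}")
            .scope("openid", "profile")
            .authorizationUri(AUTHORIZATION_URI)
            .tokenUri(TOKEN_URI)
            .jwkSetUri(JWK_SET_URI)
            .userInfoUri(USER_INFO_URI)
            .userNameAttributeName("sub")
            // Keeping issuerUri on the registration lets the ID token decoder validate
            // the "iss" claim; it does not trigger a discovery request.
            .issuerUri(ISSUER)
            .clientName("Internal IdP")
            .build();

        return new InMemoryClientRegistrationRepository(registration);
    }
}
```

Two points worth checking before relying on this. First, bypassing discovery only removes the startup failure: the token, JWK-set and userinfo requests are issued later by Spring Security's own RestOperations, not by the Boot RestTemplate, so a certificate that is missing from the JVM truststore will fail those calls in the same way; either add the CA to the truststore or customize the RestOperations as the 6.2 reference docs referenced above describe. Second, with this bean in place the spring.security.oauth2.client.registration.* properties are no longer applied for this registration, so keep the client secret in an externalized property rather than in source.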