Expected Behavior
ClientRegistrations RestTemplate is configurable.
Current Behavior
ClientRegistrations RestTemplate is not configurable, see code
Context
Currently the ClientRegistrations RestTemplate does not allow customization. As of July 2020 this was the agreed upon design (https://github.com/spring-projects/spring-security/issues/8882#user-content-client-registrations).
My use case is to utilize a custom key store and trust store for the oauth2 client to communicate with the authentication server. In order for the oauth2 client to utilize a custom key store and trust store the jvm defaults must be updated.
-Djavax.net.ssl.trustStore=XXXX
-Djavax.net.ssl.trustStorePassword=XXXX
-Djavax.net.ssl.keyStore=XXXX
-Djavax.net.ssl.keyStoreAlias=XXXX
-Djavax.net.ssl.keyStorePassword=XXXX
This seems to be overkill, requiring an update to the jvm defaults in order to update the oauth2 client configuration. Given that the RestTemplate is highly configurable, why not expose the RestTemplate for configuration? A configuration could look like below:
1. SSL Bundles
spring.security.oauth2.client.registration.[registrationId].ssl.bundle
- SSL configuration
spring.security.oauth2.client.registration.[registrationId].ssl.keystorePath
spring.security.oauth2.client.registration.[registrationId].ssl.keystorePassword
spring.security.oauth2.client.registration.[registrationId].ssl.keyStoreAlias
spring.security.oauth2.client.registration.[registrationId].ssl.trustStorePath
spring.security.oauth2.client.registration.[registrationId].ssl.trustStorePassword
Exposing configuration would allow for tighter control of what configurations are allowed on the RestTemplate. Alternatively the ClientRegistrations RestTemplate could utilize the RestTemplateBuilder as proposed here (https://github.com/spring-projects/spring-security/issues/7027#issuecomment-504049530) and be fully configurable.
Comment From: jzheaux
Duplicate of https://github.com/spring-projects/spring-security/pull/15716 which was just recently merged. Please give 6.4.0-RC1 a try and see if it meets your needs.
Comment From: mluckam
@jzheaux it does not appear the suggested change provides a way in which to update the configuration of the ClientHttpRequestFactory of the RestTemplate of the ClientRegistrations. The ClientHttpRequestFactory allows loading of key material and trust material into the RestTemplate (https://www.baeldung.com/spring-resttemplate-secure-https-service#2-configuring-the-resttemplatefor-https-access). Do you have further insight into how the suggested change can achieve this goal?
Comment From: jzheaux
Hi, @mluckam, thanks for reaching out.
You are correct that it doesn't expose the RestOperations instance or make it configurable. What the added method does is allow you to query your own RestOperations and send ClientRegistrations the result. For more details, you can take a look at the discussion in #14633 from this point onward.
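The approach jzheaux describes, as an added example that is not code from this issue or from Spring Security itself: build a RestTemplate whose ClientHttpRequestFactory carries a per-client SSLContext (a dedicated PKCS12 key store for the client certificate and a dedicated trust store for the authorization server's CA), fetch the issuer's OpenID Provider metadata with it, and hand the resulting map to ClientRegistrations. The JVM-wide javax.net.ssl.* properties from the report are never touched. Assumptions: the method added by PR #15716 is `ClientRegistrations.fromOidcConfiguration(Map)` (check the 6.4 javadoc); `JdkClientHttpRequestFactory` from Spring Framework 6.1+ is available; the file paths, issuer URI, registration and client ids are hypothetical, and passwords are read from environment variables rather than embedded in source.

```java
import java.io.InputStream;
import java.net.http.HttpClient;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.util.Map;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import org.springframework.core.ParameterizedTypeReference;
import org.springframework.http.HttpMethod;
import org.springframework.http.client.JdkClientHttpRequestFactory;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrations;
import org.springframework.web.client.RestTemplate;

/**
 * Builds a ClientRegistration from an issuer's OpenID Provider configuration,
 * fetched over a RestTemplate whose TLS key and trust material is scoped to
 * this OAuth2 client instead of to the whole JVM.
 */
public final class MutualTlsClientRegistrationFactory {

    private MutualTlsClientRegistrationFactory() {
    }

    /** Loads a PKCS12 store from disk; the password is supplied by the caller, never hard-coded. */
    static KeyStore loadPkcs12(Path path, char[] password) throws Exception {
        KeyStore store = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(path)) {
            store.load(in, password);
        }
        return store;
    }

    /** SSLContext with a dedicated client certificate (key store) and a dedicated CA set (trust store). */
    static SSLContext sslContext(Path keyStorePath, char[] keyStorePassword,
                                 Path trustStorePath, char[] trustStorePassword) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadPkcs12(keyStorePath, keyStorePassword), keyStorePassword);

        // Only the CAs in this trust store are accepted for the authorization server;
        // the JVM's default cacerts are deliberately not consulted.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadPkcs12(trustStorePath, trustStorePassword));

        SSLContext context = SSLContext.getInstance("TLS");
        context.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return context;
    }

    /** A RestTemplate whose ClientHttpRequestFactory carries the custom SSLContext. */
    static RestTemplate restTemplate(SSLContext sslContext) {
        HttpClient httpClient = HttpClient.newBuilder().sslContext(sslContext).build();
        return new RestTemplate(new JdkClientHttpRequestFactory(httpClient));
    }

    /**
     * Fetches the provider metadata with our own RestTemplate and hands the map to
     * ClientRegistrations.fromOidcConfiguration (assumed name of the method added
     * in PR #15716; verify against the 6.4 javadoc).
     */
    public static ClientRegistration fromIssuer(RestTemplate rest, String issuerUri,
                                                String registrationId, String clientId, String clientSecret) {
        String metadataUri = issuerUri.replaceAll("/$", "") + "/.well-known/openid-configuration";
        Map<String, Object> configuration = rest.exchange(metadataUri, HttpMethod.GET, null,
                new ParameterizedTypeReference<Map<String, Object>>() { }).getBody();
        return ClientRegistrations.fromOidcConfiguration(configuration)
                .registrationId(registrationId)
                .clientId(clientId)
                .clientSecret(clientSecret)
                .build();
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical paths and issuer; secrets come from the environment, not from source.
        SSLContext ctx = sslContext(
                Path.of("/etc/app/client.p12"), System.getenv("CLIENT_KEYSTORE_PASSWORD").toCharArray(),
                Path.of("/etc/app/idp-ca.p12"), System.getenv("CLIENT_TRUSTSTORE_PASSWORD").toCharArray());
        ClientRegistration registration = fromIssuer(restTemplate(ctx),
                "https://idp.example.com/realms/app", "app", "app-client",
                System.getenv("CLIENT_SECRET"));
        System.out.println(registration.getProviderDetails().getTokenUri());
    }
}
```

Two caveats worth knowing before adopting this. The same RestTemplate (or its request factory) should also be given to the token and userinfo clients, otherwise only the metadata fetch uses the client certificate and the token exchange falls back to the JVM defaults the report wanted to avoid. And the `keyStoreAlias` property from the proposed configuration has no direct equivalent here: the default KeyManager picks a suitable certificate from the key store on its own, so a store holding several client certificates needs either one store per client or a custom X509KeyManager that pins the alias.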