- OAuth2 security configuration tutorials (with and without
spring-addons-starter-oidc) spring-addons-starter-oidca Spring Boot starter pushing OAuth2 clients & resource server security auto-configuration to the next levelspring-addons-oauth2-testannotations for populating test security-context with OAuth2 authentication instancesspring-addons-starter-oidc-testease unit-tests in applications usingspring-addons-starter-oidcspring-addons-starter-restexperimental auto-configuration forRestClient,WebClientand@HttpExchangeproxies (base-URL, Basic & OAuth2 Bearer auth)- Release Notes
- Maven-Central Reminders
In 7.7.0, some @ConfigurationProperties were changed to inner-class definition (instead of standing in a source file of their own). Migration should be no more complicated than organizing imports.
The OAuth2 BFF tutorial is now on Baeldung. It was deeply refreshed in the process and now contains samples for Angular, React (Next.js) and Vue (Vite).
With spring-addons-starter-oidc, you might need 0 Java conf, even in scenarios like:
- accepting tokens issued by several trussted authorization servers
- mapping authorities from a variety of claims
- needing custom OAuth2 redirection URI or HTTP status
- having per environment CORS configuration (not allowing the same origins in staging and prod for instance)
- exposing CSRF token as a cookie accessible to a single-page application
- logging out from an authorization server not strictly implementing RP-Initiated Logout (case of Auth0 and Amazon Cognito for instance)
- adding extra parameters to authorization or token requests (like the
audiencerequired by Auth0)
Testing access control requires to configure the test security context. For that, spring-security-test provides with MockMvc request post-processors and WebTestClient mutators, but this can work only in the context of a request, which limits its usage to controllers.
To test any type of @Component (@Controller, off course, but also @Service and @Repository) there are only two options:
- build tests security context by yourself and populate it with stubbed / mocked authentications
- use annotations to do it for you (this is where spring-addons-oauth2-test jumps in)
Useful resources:
- spring-addons-oauth2-test contains tests annotations and its README documents usage
- spring-addons-starter-oidc-test if you use
spring-addons-starter-oidc - Baeldung article
- samples and tutorials source-code (which contain a lot of unit and integration testing)