- replace any spring-addons starter with
com.c4-soft.springaddons:spring-addons-starter-oidc - replace any spring-addons test starter with
com.c4-soft.springaddons:spring-addons-starter-oidc-test - depending or your needs, add a dependency to
org.springframework.boot:spring-boot-starter-oauth2-resource-serverfor a REST API secured with access tokensorg.springframework.boot:spring-boot-starter-oauth2-clientwhen configuringspring-cloud-gatewayas BFF or exposing server-side rendered templates with frameworks like Thymeleaf- both of above when exposing publicly both a REST API secured with access tokens and other resources secured with sessions
- rename
SpringAddonsSecurityPropertiestoSpringAddonsOidcProperties. Also, if using nested properties, renamegetIssuers()togetOps()getLocation()togetIss()
- replace
SpringAddonsOAuth2ClientPropertieswithSpringAddonsOidcProperties::getClient(onlySpringAddonsOidcPropertiescan be autowired) - organize imports
- replace
@AutoConfigureAddonsSecuritywith@AutoConfigureAddonsMinimalSecurity - replace
@AutoConfigureAddonsWebSecuritywith one of:@AutoConfigureAddonsWebmvcSecurity@AutoConfigureAddonsWefluxSecurity
This is probably the most tedious part of the migration. Hopefully, your IDE auto-completion and syntax highliting should help you there.
- rename
com.c4-soft.springaddons.securitytocom.c4-soft.springaddons.oidc - rename
issuerstoopswhich stands for OpenID Providers (com.c4-soft.springaddons.security.issuersbecomescom.c4-soft.springaddons.oidc.ops) - rename OpenID Providers
locationtoiss: if set, the is used to add an "issuer" (tokensissclaim) validator to JWT decoder (com.c4-soft.springaddons.security.issuers[].locationbecomescom.c4-soft.springaddons.oidc.ops[].iss) - rename
audiencetoaud: if set, the is used to add an "audience" (tokensaudclaim) validator to JWT decoder (com.c4-soft.springaddons.security.issuers[].audbecomescom.c4-soft.springaddons.oidc.ops[].aud)
CORS configuration has also improved for both clients and resource servers: allowed-origin-patterns is used instead of allowed-origins. This is a requirement for using allow-credentials and is also more flexible: you can define ant patterns like https://*.my-domain.pf.
- rename
allowed-originstoallowed-origin-patterns - add
allow-credentialsandmax-ageif it makes sens (this are added configuration options)
Resource server Security(Web)FilterChain can now be completely disabled with com.c4-soft.springaddons.security.resourceserver.enabled=false
Resource server specific properties are grouped in a new resourceserver subset:
- move
corsdown 1 level intoresourceserver(com.c4-soft.springaddons.security.corsbecomescom.c4-soft.springaddons.oidc.resourceserver.cors) - move
permit-alldown one level toresourceserver(com.c4-soft.springaddons.security.permit-allbecomescom.c4-soft.springaddons.oidc.resourceserver.permit-all)
- rename
allowed-originstoallowed-origin-patterns(com.c4-soft.springaddons.security.client.cors.allowed-originsbecomescom.c4-soft.springaddons.security.client.cors.allowed-origin-patterns) oauth2-logoutis now a map indexed by client registraion ID instead of being an array. Useclient-registration-idas key for each entry for the remaining properties. For instance:
oauth2-logout:
- client-registration-id: cognito-confidential-user
uri: https://spring-addons.auth.us-west-2.amazoncognito.com/logout
client-id-request-param: client_id
post-logout-uri-request-param: logout_uri
- client-registration-id: auth0-confidential-user
uri: ${auth0-issuer}v2/logout
client-id-request-param: client_id
post-logout-uri-request-param: returnTobecomes
oauth2-logout:
cognito-confidential-user:
uri: https://spring-addons.auth.us-west-2.amazoncognito.com/logout
client-id-request-param: client_id
post-logout-uri-request-param: logout_uri
auth0-confidential-user:
uri: ${auth0-issuer}v2/logout
client-id-request-param: client_id
post-logout-uri-request-param: returnTowhere cognito and auth0 are the values of spring.security.oauth2.client.registration.cognito-confidential-user.provider and spring.security.oauth2.client.registration.auth0-confidential-user.provider