Provide support for OAuth2 in Spring Config Client.

[cobar79]

I would like to implement OAuth2 resource server in the Spring Config Server and require JWT for all configuration requests.

Is your feature request related to a problem? Please describe.

I can't seem to find any method to implement a Spring Security OAuth2 Client Provider to the Spring Cloud Client call.
Overriding ConfigServicePropertySourceLocator
#177 and Adding Generic "Authorization" support for Config Client do not appear to work with current import connection framework "optional:configserver:http://${env.config.hostname}:${env.config.port}/config-server"
The call to the Configuration Server is made before the ConfigServicePropertySourceLocator is instantiated.

Describe the solution you'd like
I would like to use the same implementation used for Machine to Machine OAuth2 communication where by the Spring Security handles obtaining and refreshing the Bearer Token to be passed to the Spring Config Server calls on startup. Preferably a WebClient over RestTemplate solution.

    @Bean
    ReactiveClientRegistrationRepository clientRegistrations(
        @Value("${spring.security.oauth2.client.provider.keycloak-client.token-uri}") String tokenUri,
        @Value("${spring.security.oauth2.client.registration.keycloak-client.client-id}") String clientId,
        @Value("${spring.security.oauth2.client.registration.keycloak-client.client-secret}") String clientSecret,
        @Value("${spring.security.oauth2.client.registration.keycloak-client.scope}") String scope,
        @Value("${spring.security.oauth2.client.registration.keycloak-client.authorization-grant-type}") String authorizationGrantType
    ) {

        Collection<String> scopeList = Arrays.asList(scope.split(","));

        ClientRegistration registration = ClientRegistration
            .withRegistrationId(registrationId)
            .tokenUri(tokenUri)
            .clientId(clientId)
            .clientSecret(clientSecret)
            .scope(scopeList)
            .authorizationGrantType(new AuthorizationGrantType(authorizationGrantType))
            .build();
        return new InMemoryReactiveClientRegistrationRepository(registration);
    }

    @Bean(value = "authWebClient")
    WebClient authWebClient(ReactiveClientRegistrationRepository clientRegistrations) {
        InMemoryReactiveOAuth2AuthorizedClientService clientService = new InMemoryReactiveOAuth2AuthorizedClientService(clientRegistrations);
        AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager authorizedClientManager = new AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager(clientRegistrations, clientService);
        ServerOAuth2AuthorizedClientExchangeFilterFunction oauth = new ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager);
        oauth.setDefaultClientRegistrationId(registrationId);
        return WebClient.builder()
            .filter(oauth)
            .baseUrl(baseUrl)
            .build();
    }

Describe alternatives you've considered
A method to intercept the Spring Config Server rest call, call the IDP and include the Bearer Token manually, there by bypassing the current RestTemplate and any Basic Authentication.

Additional context
Spring Boot 3.1.2, Spring Security 6.1.2
Keycloak OAuth2 implementation

Configuration Server Security

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http, HandlerMappingIntrospector introspector) throws Exception {
        MvcRequestMatcher.Builder mvcMatcherBuilder = new MvcRequestMatcher.Builder(introspector);
        http.anonymous(AbstractHttpConfigurer::disable);
        http.csrf(AbstractHttpConfigurer::disable);
        http.authorizeHttpRequests(authorize -> authorize
            .requestMatchers(mvcMatcherBuilder.pattern("/" + appName + "/actuator/**")).hasRole("actuator")
            .requestMatchers(mvcMatcherBuilder.pattern("/" + appName + "/**")).hasRole("m2m")
            //Permit webhook refresh access without authorization
            .requestMatchers(mvcMatcherBuilder.pattern("/" + appName + "/monitor")).permitAll()
            .anyRequest()
            .authenticated()
        );

        http.oauth2ResourceServer(authorize ->
            authorize.jwt(jwt -> jwt.jwtAuthenticationConverter(keycloakJwtTokenConverter))
                .authenticationEntryPoint(customAuthenticationEntryPoint)
        );

        http.sessionManagement(session -> session
            .sessionCreationPolicy(stateless? SessionCreationPolicy.STATELESS: SessionCreationPolicy.IF_REQUIRED)
        );
        return http.build();
    }

[ryanjbaxter]

The commercial offer of Spring Cloud, Spring Cloud Services, uses OAuth2 to authorize the client to use the config server.
You can find the code for how they do that here
spring-cloud-services-config-client-autoconfigure/src/main/java/io/pivotal/spring/cloud/config/client

I suppose you could do something similar.

[cobar79]

spring-cloud-services-starters looks to be a heavy port.

I was looking for a 3-5 story point way of overwriting the current RestTemplate logic.

Unfortunately, attempts of old school filter/interceptors did not work as the call was made before the filter/interceptors where instantiated. I guess I will look at extending the existing framework to override the basic authorization.

[cobar79]

@ryanjbaxter Should I just close this? It was meant as a feature request. However, it doesn't look it is being considered.

[ryanjbaxter]

I am not saying you need to port exactly what spring-cloud-services did I am just showing that it is possible to authorize the client before the request to the server is made, specifically I think this class is where that is done.

https://github.com/pivotal-cf/spring-cloud-services-starters/blob/29b7961ec57ec918110b669fb2409d55aacc8974/spring-cloud-services-config-client-autoconfigure/src/main/java/io/pivotal/spring/cloud/config/client/ConfigResourceClientAutoConfiguration.java#L39

@kvmw am I correct?

[kvmw]

@ryanjbaxter @cobar79 ,
You need to configure the RestTemplate in 2 different places :

1. Firstly, you need a BootstrapRegistryInitializer. Since the call to config-server is done during the application startup you need to configure the RestTemplate before startup, during the bootstrapping using a BootstrapRegistryInitializer. check ConfigClientOAuth2BootstrapRegistryInitializer in SCS Starters, for example. This has been mentioned in the Spring Cloud Config Docs too.

2. Also, if your client application consumes plain text or binary resources, you need to configure a ConfigResouceClient as well. check ConfigResourceClientAutoConfiguration in SCS Starters, for example. You can ignore this configuration if you don't need to consume such resources.

The ConfigResourceClientAutoConfiguration which was mentioned above by @ryanjbaxter, is for the client applications with legacy processing enabled. This is the alternative for BootstrapRegistryInitializer and you can ignore it if your application is developed recently and does not need legacy processing.

@ryanjbaxter ,
It would be nice if ConfigServerConfigDataLoader in Spring Cloud Config Client would provide an easier way to inject the RestTemplate. I don't know if alternative approach is even possible but the current one (using BootstrapRegistryInitializer) is not the most straightforward and intuitive one.

[ryanjbaxter]

I am not sure there would be an easier way because we are so early in the startup of the Boot application at the point we are loading configuration.