Allow disabling OAuth2 / OIDC provider discovery explicitly #42172
Comments
spring-projects-issues
added
the
status: waiting-for-triage
philwebb
added
the
for: team-meeting
|
+1 / We also have strong requirements that systems should not depend on other systems while starting - so we are also forced to manually configure everything. This leads to interesting problems when e.g. the oauth provider changes something and our configuration gets out of date - which in turn creates hard to troubleshoot problem at first glance. |
How would disabling discovery help with that? I don't understand how it would help to keep your configuration in sync with that of your OAuth provider. |
Good question, Andy! I went a little bit overboard and interpreted a bit too much into the issue, like e.g. true/false and "lazy" loading of the configuration - allowing the application to start, but retrieve the required information on first access. |
|
@jgrandja do you have any thoughts on this suggested change? |
philwebb
added
status: waiting-for-internal-feedback
I can't recall, but the
The @philwebb Maybe the solution is to wrap the in a |
|
Yes, the issuer URI is required for back-channel logout due to how ID Tokens are validated. As a side note, it would certainly be reasonable to give a better error response. I've added spring-projects/spring-security#15771 to address that. |
@jgrandja Yes, this kind of works and is our current solution / workaround: @Bean
public SupplierClientRegistrationRepository clientRegistrationRepository(OAuth2ClientProperties properties) {
return new SupplierClientRegistrationRepository(() -> {
log.info("Loading OAuth2 client registrations");
final var registrations = new OAuth2ClientPropertiesMapper(properties).asClientRegistrations();
return new InMemoryClientRegistrationRepository(registrations);
});
}Works for some scenarios. Might break if one uses This leads me to the question: is it desirable to configure a provider completely without the need of discovery? Or would it be more straight forward to have a local copy of the configuration metadata and use the discovery against the local file copy? |
Yes, you are right, it would break if the provider configuration endpoint was not accessible at startup time. Although the generated login page is only meant to be used at development/test time and not production, we would need to ensure it doesn't break regardless.
It depends on the requirements of your application environment. The way I see it is if your application needs access to the provider configuration endpoint then it needs to ensure the provider is up and running at startup. But if it needs to be more resilient at startup and not depend on the provider then you should be explicit on the provider configuration and not depend on |
philwebb
added
the
for: team-meeting
philwebb
added
type: enhancement
I think it would be useful to disable the OAuth2 / OIDC discovery explicitly. At this moment this is possible implicitly by configuring every necessary detail of the clients registration and provider but skipping the providers
issuerUri. This disables the discovery via OAuth2ClientPropertiesMapper.Why
Someone wants the service to not require the IdP to be available at startup.
Some code may need the
issuerUrito function properly.In fact, there already is such code: Spring Securitys OIDC back channel logout validates the providers
issuerUriin OidcBackChannelLogoutTokenValidator and ends up with a NPE if you did not set anissuerUri.So setting the
issuerUrimeans you are forced to use discovery.Leaving it
nullmeans no working back channel logout, at least not with auto configuration.How?
I'm not quite sure. Maybe a new property:
Setting this to
falsewould opt-out the discovery. The current behaviour should be kept as default.The text was updated successfully, but these errors were encountered: