pblanchardie
commented
2 years ago For user-facing monoliths without reusable APIs, a better minimal option would be "login-only" (without resource server). It was the first version of the previous PR, so it would be easy to reproduce.
Microservices and standard Web Services should not provide "login" but only JWT, so SecurityConfiguration should override the default configuration without oauth2Login(). See https://www.baeldung.com/spring-webclient-oauth2#avoiding-oauth2login
"login" must not be confused with "client":
oauth2Login()provides the OAuth2 login feature for end-users interacting with the applicationoauth2Client()is used for machine-to-machine communications, with eg. WebClient
So there is another case, which is "client-only" for a job that calls APIs but doesn't not expose anything. It's a less common scenario, and although I implemented it in a previous attempt, I guess it won't be very useful.
Do you confirm that we prefer distinct endpoints over common endpoints with options?
pascalgrimaud
Currently, the API OAuth2 generates:
After some discussion with @Bolo89 and following this very important comment https://github.com/jhipster/jhipster-lite/issues/270#issuecomment-1014090299 too, let's discuss about how to have a better minimal option for microservice (for example)
cc @Bolo89 @pblanchardie