Context
With the upgrade of Spring Boot from major version 2 to version 3, there were a lot of breaking changes related to Spring Security. So, a lot of the assumptions about OAuth need to be re-assessed. To simplify the Spring Boot upgrade and the implementation of the new OAuth APIs, Spring Security will be temporarily removed from the project.
User story
Only signed in users should be allowed to see any backend resources.
Those users should have role-based permissions.
Acceptance criteria
Users that are not signed in should be redirected to a sign-in page
User management should be done with Keycloak or Auth0
The authentication technical concepts should be documented in arc42
The OAuth process should be implemented with the highest current standard (PKCE)
Hints
References