spring-cloud / spring-cloud-common-security-config

A common security infrastructure used by Spring Cloud Data Flow and the projects in its ecosystem

Make "OpaqueTokenIntrospector" an optional bean #74

Closed sabbyanandan closed 4 years ago

sabbyanandan commented 4 years ago

As a developer, while integrating with Azure AD, I notice the OpaqueTokenIntrospector bean is automatically created; however, in Azure AD there's no support for an "introspection" endpoint yet, so it needs to be an optional property.

The OAuthSecurityConfiguration class creates an OpaqueTokenIntrospector bean, expecting the following additional configuration to be present:

spring:
  security:
    oauth2:
      ...
      resourceserver:
        opaquetoken:
          introspection-uri: http://this.is.wrong:8080/introspect
          client-id: the_client_id_from_the_app_registration
          client-secret: the_client_secret_from_the_app_registration

Acceptance:

jvalkeal commented 4 years ago

When we moved away from supporting LDAP in favour of just "oauth", opaque token introspection was kind of a replacement. It's baked in rather deep in our security classes to map scopes into roles, etc. As Azure AD doesn't have an introspection endpoint, afaik, we'd need to bring back all these ways to handle AD groups.
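
One way the bean discussed in this issue could be made optional, as an added example that is not the project's own code: the introspector is registered only when `introspection-uri` is set, and the consumer skips opaque-token support when it is absent. The class name `OptionalIntrospectorConfiguration` and the helper `configureBearerTokens` are hypothetical; the sketch assumes Spring Boot's `OAuth2ResourceServerProperties` bean is available and the Spring Security 5.x configuration DSL.

```java
import org.springframework.beans.factory.ObjectProvider;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.autoconfigure.security.oauth2.resource.OAuth2ResourceServerProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.server.resource.introspection.NimbusOpaqueTokenIntrospector;
import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;

// Hypothetical class; stands in for the bean definition in OAuthSecurityConfiguration.
@Configuration
public class OptionalIntrospectorConfiguration {

    private static final String INTROSPECTION_URI =
            "spring.security.oauth2.resourceserver.opaquetoken.introspection-uri";

    // Registered only when introspection-uri is configured, so an identity
    // provider without an introspection endpoint needs no placeholder URI.
    @Bean
    @ConditionalOnProperty(INTROSPECTION_URI)
    public OpaqueTokenIntrospector opaqueTokenIntrospector(OAuth2ResourceServerProperties properties) {
        OAuth2ResourceServerProperties.Opaquetoken opaque = properties.getOpaquetoken();
        return new NimbusOpaqueTokenIntrospector(
                opaque.getIntrospectionUri(), opaque.getClientId(), opaque.getClientSecret());
    }

    // Hypothetical helper: consumers take an ObjectProvider instead of the bean
    // itself, so the application context still starts when the bean is absent.
    static void configureBearerTokens(HttpSecurity http,
            ObjectProvider<OpaqueTokenIntrospector> introspectorProvider) throws Exception {
        OpaqueTokenIntrospector introspector = introspectorProvider.getIfAvailable();
        if (introspector != null) {
            http.oauth2ResourceServer().opaqueToken().introspector(introspector);
        }
        // With no introspector, this path installs no bearer-token filter, so
        // opaque tokens are not authenticated here rather than accepted unverified.
        // The scope-to-role mapping that relies on introspection is then also
        // unavailable and needs another source of authorities.
    }
}
```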