spring-projects / spring-authorization-server

Spring Authorization Server
https://spring.io/projects/spring-authorization-server
Apache License 2.0

Unable to include spring security config into main project for development of an extension within spring authorisation server #1017

Closed darkedges closed 1 year ago

darkedges commented 1 year ago

I am trying to develop an extension within spring authorisation server and need to extend spring security config as part of it. I can get both projects to work separately, but when I try to add spring security config as a project dependency to spring authorisation server I get

Build file 'E:\development\github\spring\spring-security\build.gradle' line: 1

Could not compile build file 'E:\development\github\spring\spring-security\build.gradle'.
> startup failed:
  build file 'E:\development\github\spring\spring-security\build.gradle': 1: unable to resolve class io.spring.gradle.IncludeRepoTask
   @ line 1, column 1.
     import io.spring.gradle.IncludeRepoTask

This is how I am configuring it

settings.gradle

pluginManagement {
    repositories {
        gradlePluginPortal()
        maven { url 'https://repo.spring.io/release' }
        maven { url 'https://repo.spring.io/milestone' }
    }
}

plugins {
    id "com.gradle.enterprise" version "3.11.1"
    id "io.spring.ge.conventions" version "0.0.11"
}

dependencyResolutionManagement {
    repositories {
        mavenCentral()
    }
}

rootProject.name = "spring-authorization-server"

def buildFiles = fileTree(rootDir) {
    def excludes = gradle.startParameter.projectProperties.get("excludeProjects")?.split(",")
    include "**/*.gradle", "**/*.gradle.kts"
    exclude "build", "**/gradle", "settings.gradle", "buildSrc", "/build.gradle", ".*", "out"
    if (excludes) {
        exclude excludes
    }
}

buildFiles.forEach { buildFile ->
    def isDefaultName = buildFile.name == "build.gradle" || buildFile.name == "build.gradle.kts"
    def isKotlin = buildFile.name.endsWith ".kts"
    if (isDefaultName) {
        def buildFilePath = buildFile.parentFile.absolutePath
        def projectPath = buildFilePath.replace((String) rootDir.absolutePath, "").replace(File.separator, ":")
        include projectPath
    } else {
        def projectName
        if (isKotlin) {
            projectName = buildFile.name.replace(".gradle.kts", "")
        } else {
            projectName = buildFile.name.replace(".gradle", "")
        }

        def projectPath = ":$projectName"
        include projectPath

        def project = findProject(projectPath)
        project.name = projectName
        project.projectDir = buildFile.parentFile
        project.buildFileName = buildFile.name
    }
}

include ":spring-security-config"
project(":spring-security-config").projectDir = file("../spring-security")

samples-default-authorizationserver.gradle

plugins {
    id "org.springframework.boot" version "3.0.0-RC2"
    id "io.spring.dependency-management" version "1.0.11.RELEASE"
    id "java"
}

group = project.rootProject.group
version = project.rootProject.version
sourceCompatibility = "17"

repositories {
    mavenCentral()
    maven { url 'https://repo.spring.io/milestone' }
}

dependencies {
    implementation "org.springframework.boot:spring-boot-starter-web"
    implementation "org.springframework.boot:spring-boot-starter-security"
    implementation "org.springframework.boot:spring-boot-starter-jdbc"
    implementation project(":spring-security-oauth2-authorization-server")
    implementation project(":spring-security-config")
    runtimeOnly "com.h2database:h2"

    testImplementation "org.springframework.boot:spring-boot-starter-test"
    testImplementation "org.springframework.security:spring-security-test"
    testImplementation "org.junit.jupiter:junit-jupiter"
    testImplementation "net.sourceforge.htmlunit:htmlunit"
}

Any examples of how to do this so that I can complete the development? Thanks in advance, Nicholas
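Added example, not part of the original post and not the project's own build configuration: a Gradle composite build is the usual way to consume a second repository's source without `include`-ing its directory as a subproject. It assumes a Spring Security checkout at `../spring-security` that builds on its own; a build script pulled in via `include` is compiled against this build's classpath, so classes supplied by the other repository's own build logic are not resolvable, which matches the error shown above.

```groovy
// ---- settings.gradle (spring-authorization-server checkout) ----
// Keep the existing pluginManagement, plugins and buildFiles logic unchanged.

// Remove the two lines that map the other repository's root directory
// onto a subproject of this build:
//   include ":spring-security-config"
//   project(":spring-security-config").projectDir = file("../spring-security")

// Add the other repository as an included build instead. It is configured
// with its own settings.gradle, plugins and build logic.
// Assumption: the checkout lives at ../spring-security.
includeBuild "../spring-security"

// With no explicit dependencySubstitution block, Gradle substitutes every
// external dependency whose group:name matches a project of the included
// build. That keeps config, core and web on the same local source rather
// than mixing one local module with published jars of the others.

// ---- samples-default-authorizationserver.gradle ----
dependencies {
    implementation "org.springframework.boot:spring-boot-starter-web"
    implementation "org.springframework.boot:spring-boot-starter-security"
    implementation "org.springframework.boot:spring-boot-starter-jdbc"
    implementation project(":spring-security-oauth2-authorization-server")

    // Refer to the module by its published coordinates, not by project path;
    // the composite build swaps in the local project at resolution time.
    implementation "org.springframework.security:spring-security-config"

    runtimeOnly "com.h2database:h2"
}
```

Running the `dependencies` task for the sample project with `--configuration runtimeClasspath` shows whether the module resolved to a local project or to a published artifact.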

jgrandja commented 1 year ago

@darkedges Thanks for getting in touch, but it feels like this is a question that would be better suited to Stack Overflow. We prefer to use GitHub issues only for bugs and enhancements.

> I am trying to develop an extension within spring authorisation server

Please log an issue describing the feature request so we can decide if the feature is needed.

It's always best to discuss the feature request (via the issue) in order to ensure no work is wasted on your end if the feature is not needed or is not a priority.

Please review the contributor guidelines for additional information.

darkedges commented 1 year ago

@jgrandja You mean like this https://stackoverflow.com/questions/74823257/how-to-extend-spring-security-config-and-spring-authorisation-server-in-eclipse

And this https://github.com/spring-projects/spring-authorization-server/issues/210

And this https://twitter.com/DarkEdges/status/1603674422812233728?t=wnc2MQMrHan0roZ-8waUww&s=19

I raised the bug as there is no documentation on how to develop these extensions that require integration with other spring projects.

My fork is at https://github.com/darkedges/spring-authorization-server/tree/feature/par and I am trying to get spring security config work done so that I can configure and test examples with the new extension.

Hope that explains as I am trying to help your team out and get Spring Authorisation Server ready for a big Australian initiative called ConnectID.

jgrandja commented 1 year ago

@darkedges

> I am trying to get spring security config work done so that I can configure and test examples with the new extension

You will need to fork Spring Security and submit a PR to the project. There is no way that I am aware where you can edit the source for both Spring Security and Spring Authorization Server within the same IDE window. You will need to have both projects open in separate windows.

Also note that gh-210 is not a priority feature at the moment and won't be scheduled for 1.1. It does not have any upvotes.

Also as a reminder, please reach out before you start work on any new feature so the team can determine if it's a priority feature for next release.

darkedges commented 1 year ago

@jgrandja if you look at https://github.com/spring-projects/spring-authorization-server/issues/210 that is exactly what I did. I reached out and got no reply, hence why I wrote on StackOverflow and this request.

As for your priority, I have a need to have PAR in Spring Authorisation Server as FAPI 2.0 requires it, so I am trying to get an implementation done ASAP. Whether or not you accept my help is no concern of mine, I am just trying to get a head start on my requirements.

Your response is not helpful. Is this how developers of this project currently work? How do you link the 2 projects, as the core linkage seems to be through spring boot security starter which brings in spring boot security and finally spring boot security config.

So that I am clear I need to

Seems a long and convoluted process, but if it is the case then I can produce a document saying how to develop the feature and get that added to the wiki or as a how to develop document in this project.

jgrandja commented 1 year ago

@darkedges

> if you look at https://github.com/spring-projects/spring-authorization-server/issues/210 that is exactly what I did. I reached out and got no reply

Apologies for the lack of response. Just so you are aware, we have 2 dedicated (sometimes only me) resources on this project and there is a ton of work and many issues/comments being logged so sometimes it gets missed and at the same time it's difficult to be prompt with our responses. We ask if you can be patient as it would be appreciated.

> Your response is not helpful. Is this how developers of this project currently work? How do you link the 2 projects, as the core linkage seems to be through spring boot security starter which brings in spring boot security and finally spring boot security config.

I'm sorry you feel this way but again we have limited resources on this project. And I believe I provided an answer in my previous comment...

> There is no way that I am aware where you can edit the source for both Spring Security and Spring Authorization Server within the same IDE window. You will need to have both projects open in separate windows.

What you are trying to achieve I've never done before so I don't have an answer for you.

If I need to merge something in Spring Security then I'll work on my Spring Security fork and submit the PR. After it is merged, I will work on my Spring Authorization Server fork using Spring Security snapshot and integrate my new feature. NOTE: There is no need to work on Spring Boot code - only Spring Security and Spring Authorization Server.

I'm curious, what exactly are you trying to merge into Spring Security? We've provided many hooks in Spring Authorization Server so you might not need to add anything to Spring Security. Please provide some details here and I might be able to save you effort there.

darkedges commented 1 year ago

For example, when you configure the DefaultSecurity in

if https://github.com/spring-projects/spring-authorization-server/blob/main/samples/default-authorizationserver/src/main/java/sample/config/DefaultSecurityConfig.java#L40-L45 is changed to

    SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authorize ->
                authorize.anyRequest().authenticated()
            ).oauth2Login();
        return http.build();
    }

it references https://github.com/spring-projects/spring-security/blob/6.0.x/config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java#L2523

    public OAuth2LoginConfigurer<HttpSecurity> oauth2Login() throws Exception {
        return getOrApply(new OAuth2LoginConfigurer<>());
    }

That configuration is within Spring Security Config. So if I wanted to add in the configuration for PAR Endpoint

                .pushedAuthorizationRequestEndpoint()
                    .baseUri(this.authorizationRequestBaseUri())
                    .pushedAuthorizationRequestRequestRepository(this.pushedAuthorizationRequestRequestRepository())

I need to modify code within the Spring Security project to make this work.

Unlike the code for AuthorizationServerConfig https://github.com/spring-projects/spring-authorization-server/blob/main/samples/default-authorizationserver/src/main/java/sample/config/AuthorizationServerConfig.java#L66-L67 which uses the getConfigurer method to get the class from the Spring Authorization Server project.

So when I do something like

        http.getConfigurer(OAuth2AuthorizationServerConfigurer.class)
                .oidc(Customizer.withDefaults()) // Enable OpenID Connect 1.0
                .pushedAuthorizationRequestEndpoint(Customizer.withDefaults()); 

That works as the code is within the same project.

I am trying to avoid having to recompile / publish code, whilst supporting the framework.

Does that make sense?

jgrandja commented 1 year ago

@darkedges There is no need to modify code in Spring Security. You can build out support for OAuth 2.0 Pushed Authorization Requests without any modifications to Spring Security or Spring Authorization Server.

Take a look at this commit as a starting point. I've templated out the integration points for the authorization server and client side.

FYI, I'm off until the new year and won't be responding until I'm back in early Jan.

darkedges commented 1 year ago

@jgrandja thanks for the update. I see what you have done and I will check to see if I can make this work with the well-known/openid-configuration endpoint too as that needs to be extended too.

I have already extended that side of the fence in my branch and your option makes it optional to add the end point, which I was achieving by adding the same configurer class, and then checking to see if it has been set in the well known endpoint and adding it.

At some point we need to modify spring security config though? Let me understand that process for myself and get back to the group in the new year.

Thanks once again for your help, and have a merry Christmas and a happy new year.

darkedges commented 1 year ago

Made a lot of progress, it needs a lot of work to get it working your way as not everything has the necessary hooks. https://github.com/spring-projects/spring-authorization-server/compare/main...darkedges:spring-authorization-server:feature/par?expand=1

darkedges commented 1 year ago

After a hiatus I am going to go back to the drawing board on this. Just wanted to know if there has been any more movement on this @jgrandja?