spring-projects / spring-security

Spring Security
http://spring.io/projects/spring-security
Apache License 2.0

Allow ClientRegistrations HTTP Client (RestTemplate) to be configurable #15935

Closed mluckam closed 1 month ago

mluckam commented 1 month ago

Expected Behavior

ClientRegistrations RestTemplate is configurable.

Current Behavior

ClientRegistrations RestTemplate is not configurable, see code

Context

Currently the ClientRegistrations RestTemplate does not allow customization. As of July 2020 this was the agreed upon design (https://github.com/spring-projects/spring-security/issues/8882#user-content-client-registrations).

My use case is to utilize a custom key store and trust store for the oauth2 client to communicate with the authentication server. In order for the oauth2 client to utilize a custom key store and trust store the jvm defaults must be updated.

-Djavax.net.ssl.trustStore=XXXX
-Djavax.net.ssl.trustStorePassword=XXXX
-Djavax.net.ssl.keyStore=XXXX
-Djavax.net.ssl.keyStoreAlias=XXXX
-Djavax.net.ssl.keyStorePassword=XXXX

This seems to be overkill, requiring an update to the jvm defaults in order to update the oauth2 client configuration. Given that the RestTemplate is highly configurable, why not expose the RestTemplate for configuration? A configuration could look like below:

  1. SSL Bundles.
    spring.security.oauth2.client.registration.[registrationId].ssl.bundle
  2. SSL configuration
    spring.security.oauth2.client.registration.[registrationId].ssl.keystorePath
    spring.security.oauth2.client.registration.[registrationId].ssl.keystorePassword
    spring.security.oauth2.client.registration.[registrationId].ssl.keyStoreAlias
    spring.security.oauth2.client.registration.[registrationId].ssl.trustStorePath
    spring.security.oauth2.client.registration.[registrationId].ssl.trustStorePassword

Exposing configuration would allow for tighter control of what configurations are allowed on the RestTemplate. Alternatively the ClientRegistrations RestTemplate could utilize the RestTemplateBuilder as proposed here (https://github.com/spring-projects/spring-security/issues/7027#issuecomment-504049530) and be fully configurable.

jzheaux commented 1 month ago

Duplicate of https://github.com/spring-projects/spring-security/pull/15716 which was just recently merged. Please give 6.4.0-RC1 a try and see if it meets your needs.

mluckam commented 1 month ago

@jzheaux it does not appear the suggested change provides a way in which to update the configuration of the ClientHttpRequestFactory of the RestTemplate of the ClientRegistrations. The ClientHttpRequestFactory allows loading of key material and trust material into the RestTemplate (https://www.baeldung.com/spring-resttemplate-secure-https-service#2-configuring-the-resttemplatefor-https-access). Do you have further insight into how the suggested change can achieve this goal?

jzheaux commented 4 weeks ago

Hi, @mluckam, thanks for reaching out.

You are correct that it doesn't expose the RestOperations instance or make it configurable. What the added method does is allow you to query your own RestOperations and send ClientRegistrations the result. For more details, you can take a look at the discussion in #14633 from this point onward.
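The approach jzheaux describes, fetching the issuer metadata with your own RestOperations and handing the result to ClientRegistrations, as an added example that is not code from this thread or from Spring Security itself. It also addresses the key store / trust store use case from the opening comment without touching the `-Djavax.net.ssl.*` JVM defaults: the SSLContext is scoped to one RestTemplate. Assumptions: the 6.4 method jzheaux refers to is `ClientRegistrations.fromOidcConfiguration(Map)` (the thread does not name it), `JdkClientHttpRequestFactory` from Spring Framework 6.1+, PKCS12 store files at placeholder paths, and a placeholder issuer URL and client credentials.

```java
import java.io.InputStream;
import java.net.http.HttpClient;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.util.Map;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

import org.springframework.core.ParameterizedTypeReference;
import org.springframework.http.HttpMethod;
import org.springframework.http.client.JdkClientHttpRequestFactory;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrations;
import org.springframework.web.client.RestTemplate;

/**
 * Added example (not Spring Security code): fetch the issuer's OIDC discovery
 * document over a connection that uses an application-scoped key store and
 * trust store, then pass the metadata to ClientRegistrations. The JVM-wide
 * javax.net.ssl.* properties are never touched.
 */
public final class MutualTlsClientRegistration {

    /** Builds an SSLContext from PKCS12 key and trust stores (paths are placeholders). */
    static SSLContext sslContext(Path keyStorePath, char[] keyStorePassword,
                                 Path trustStorePath, char[] trustStorePassword) throws Exception {
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(keyStorePath)) {
            keyStore.load(in, keyStorePassword);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyStorePassword); // client certificate + private key for mutual TLS

        KeyStore trustStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(trustStorePath)) {
            trustStore.load(in, trustStorePassword);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore); // only CAs in this store are trusted for the issuer connection

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** A RestTemplate whose connections use the given SSLContext instead of the JVM default. */
    static RestTemplate restTemplate(SSLContext ctx) {
        HttpClient httpClient = HttpClient.newBuilder().sslContext(ctx).build();
        return new RestTemplate(new JdkClientHttpRequestFactory(httpClient));
    }

    /** Downloads {issuer}/.well-known/openid-configuration with the caller's RestTemplate. */
    static Map<String, Object> discover(RestTemplate rest, String issuer) {
        String uri = issuer.endsWith("/") ? issuer + ".well-known/openid-configuration"
                                          : issuer + "/.well-known/openid-configuration";
        return rest.exchange(uri, HttpMethod.GET, null,
                new ParameterizedTypeReference<Map<String, Object>>() {}).getBody();
    }

    public static void main(String[] args) throws Exception {
        // Placeholder paths, passwords, issuer and credentials; replace with your own.
        SSLContext ctx = sslContext(Path.of("/path/to/client-keystore.p12"), "changeit".toCharArray(),
                                    Path.of("/path/to/truststore.p12"), "changeit".toCharArray());
        RestTemplate rest = restTemplate(ctx);
        Map<String, Object> oidcConfiguration = discover(rest, "https://issuer.example/realms/demo");

        // Assumed 6.4 API: the ClientRegistrations method that accepts pre-fetched metadata.
        ClientRegistration registration = ClientRegistrations
                .fromOidcConfiguration(oidcConfiguration)
                .registrationId("example-idp")
                .clientId("my-client")
                .clientSecret("my-secret")
                .build();
        System.out.println(registration.getProviderDetails().getTokenUri());
    }
}
```

Two caveats a practitioner should keep in mind. First, this only covers the discovery request that ClientRegistrations makes; the later token-endpoint call is issued by a separate Spring Security component with its own configurable RestOperations, so the same SSLContext has to be supplied there as well for end-to-end mutual TLS. Second, the `keyStoreAlias` selection from the opening comment is not handled here: the default KeyManager picks a usable entry from the store, so a store holding several client certificates needs a custom X509KeyManager to pin the alias.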