{"id":91727,"date":"2019-05-13T08:30:39","date_gmt":"2019-05-13T05:30:39","guid":{"rendered":"http:\/\/www.javacodegeeks.com\/?p=91727"},"modified":"2019-05-20T15:11:55","modified_gmt":"2019-05-20T12:11:55","slug":"spring-security-oauth-through-java-hipster","status":"publish","type":"post","link":"https:\/\/www.javacodegeeks.com\/2019\/05\/spring-security-oauth-through-java-hipster.html","title":{"rendered":"Upgrading Spring Security OAuth and JUnit Tests through the \ud83d\udc40 of a Java Hipster"},"content":{"rendered":"

\u201cI love writing authentication and authorization code.\u201d ~ No Java Developer Ever.<\/b> Tired of building the same login screens over and over? Try the Okta API for hosted authentication, authorization, and multi-factor auth.<\/a><\/span><\/p>\n

Using unit and integration tests to verify your code quality is an excellent way to show you care about your code. I recently did a bunch of work in the popular JHipster open source project to upgrade it to use the latest release of Spring Security.<\/p>\n

Spring Security 5.1+ adds OAuth 2.0 and OIDC as first-class citizens that you can configure with its elegant DSL (a.k.a. cool method chaining, a.k.a. the builder pattern). I\u2019ve been motivated to use it ever since Rob Winch and crew first launched it. It\u2019s been fun collaborating with them on a very innovative project. Spring Security makes OAuth awesome!<\/p>\n

I added OAuth 2.0 support to JHipster in the fall of 2017. The experience influenced me greatly. I learned a ton about Keycloak, Docker Compose, and how to switch between identity providers (IdPs).<\/p>\n

I spent the last month upgrading JHipster<\/a> to use Spring Security 5.1 (the default in Spring Boot 2.1). I experienced some frustrations along the way, shook my fist at Travis CI, and rejoiced when I figured out solutions. I also learned quite a bit in the process. I\u2019m going to share those experiences with you today.<\/p>\n

Logout with OAuth 2.0 and OIDC<\/h2>\n

Soon after integrating support for Keycloak and Okta in JHipster, the project received a lot of complaints from users that they couldn\u2019t log out. JHipster users were familiar with clicking Logout<\/strong> (check with latest) and being completely<\/em> logged out. With the default Spring Security support, users would be logged out of the local app, but not the IdP.<\/p>\n

It took me a year, but I finally added global SSO logout<\/a> earlier this year. Both Keycloak and Okta require you to send a GET request to an endpoint with the ID token and the URL to redirect to. Therefore, I created a LogoutResource<\/code> that returns these values.<\/p>\n

@RestController\npublic class LogoutResource {\n    private final Logger log = LoggerFactory.getLogger(LogoutResource.class);\n    private final UserInfoRestTemplateFactory templateFactory;\n    private final String accessTokenUri;\n\n   public LogoutResource(UserInfoRestTemplateFactory templateFactory,\n                         @Value(\"${security.oauth2.client.access-token-uri}\") String accessTokenUri) {\n       this.templateFactory = templateFactory;\n       this.accessTokenUri = accessTokenUri;\n   }\n\n    \/**\n     * POST  \/api\/logout : logout the current user\n     *\n     * @return the ResponseEntity with status 200 (OK) and a body with a global logout URL and ID token\n     *\/\n    @PostMapping(\"\/api\/logout\")\n    public ResponseEntity<?> logout(HttpServletRequest request, Authentication authentication) {\n        log.debug(\"REST request to logout User : {}\", authentication);\n        OAuth2RestTemplate oauth2RestTemplate = this.templateFactory.getUserInfoRestTemplate();\n        String idToken = (String) oauth2RestTemplate.getAccessToken().getAdditionalInformation().get(\"id_token\");\n\n        String logoutUrl = accessTokenUri.replace(\"token\", \"logout\");\n        Map<String, String> logoutDetails = new HashMap<>();\n        logoutDetails.put(\"logoutUrl\", logoutUrl);\n        logoutDetails.put(\"idToken\", idToken);\n        request.getSession().invalidate();\n        return ResponseEntity.ok().body(logoutDetails);\n    }\n}\n<\/pre>\n
The Angular client calls the \/api\/logout<\/code> endpoint and constructs the IdP logout URL.<\/p>\n
this.authServerProvider.logout().subscribe(response => {\n  const data = response.body;\n  let logoutUrl = data.logoutUrl;\n  \/\/ if Keycloak, uri has protocol\/openid-connect\/token\n  if (logoutUrl.indexOf('\/protocol') > -1) {\n    logoutUrl = logoutUrl + '?redirect_uri=' + window.location.origin;\n  } else {\n    \/\/ Okta\n    logoutUrl = logoutUrl + '?id_token_hint=' +\n    data.idToken + '&post_logout_redirect_uri=' + window.location.origin;\n  }\n  window.location.href = logoutUrl;\n});\n<\/pre>\n
Testing the LogoutResource<\/code> was pretty straightforward. The bulk of the work involved mocking the UserInfoRestTemplateFactory<\/code> so it returned an ID token.<\/p>\n
@RunWith(SpringRunner.class)\n@SpringBootTest(classes = JhipsterApp.class)\npublic class LogoutResourceIntTest {\n\n    @Autowired\n    private MappingJackson2HttpMessageConverter jacksonMessageConverter;\n\n    private final static String ID_TOKEN = \"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9\" +\n        \".eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsIm\" +\n        \"p0aSI6ImQzNWRmMTRkLTA5ZjYtNDhmZi04YTkzLTdjNmYwMzM5MzE1OSIsImlhdCI6MTU0M\" +\n        \"Tk3MTU4MywiZXhwIjoxNTQxOTc1MTgzfQ.QaQOarmV8xEUYV7yvWzX3cUE_4W1luMcWCwpr\" +\n        \"oqqUrg\";\n\n    @Value(\"${security.oauth2.client.access-token-uri}\")\n    private String accessTokenUri;\n\n    private MockMvc restLogoutMockMvc;\n\n    @Before\n    public void before() {\n        LogoutResource logoutResource = new LogoutResource(restTemplateFactory(), accessTokenUri);\n        this.restLogoutMockMvc = MockMvcBuilders.standaloneSetup(logoutResource)\n            .setMessageConverters(jacksonMessageConverter).build();\n    }\n\n    @Test\n    public void getLogoutInformation() throws Exception {\n        String logoutUrl = accessTokenUri.replace(\"token\", \"logout\");\n        restLogoutMockMvc.perform(post(\"\/api\/logout\"))\n            .andExpect(status().isOk())\n            .andExpect(content().contentType(MediaType.APPLICATION_JSON_UTF8_VALUE))\n            .andExpect(jsonPath(\"$.logoutUrl\").value(logoutUrl))\n            .andExpect(jsonPath(\"$.idToken\").value(ID_TOKEN));\n    }\n\n    private UserInfoRestTemplateFactory restTemplateFactory() {\n        UserInfoRestTemplateFactory factory = mock(UserInfoRestTemplateFactory.class);\n        Map<String, Object> idToken = new HashMap<>();\n        idToken.put(\"id_token\", ID_TOKEN);\n        DefaultOAuth2AccessToken token = new DefaultOAuth2AccessToken(\"my-fun-token\");\n        token.setAdditionalInformation(idToken);\n        when(factory.getUserInfoRestTemplate()).thenReturn(mock(OAuth2RestTemplate.class));\n        when(factory.getUserInfoRestTemplate().getAccessToken()).thenReturn(token);\n        return factory;\n    }\n}<\/pre>\n
I merged global logout support into JHipster\u2019s master branch in late January, and started upgrading Spring Security\u2019s OIDC support a few weeks later.<\/p>\n
Upgrade Spring Security\u2019s OIDC Support
I started by creating issue #9276 to track my goals, motivations, and known issues.<\/p>\n
At this point, if you\u2019re not intimately familiar with Spring Security, you\u2019re probably wondering: why is upgrading to Spring Security\u2019s latest release so cool? Long story short: they\u2019ve deprecated annotations, added features, and have made it easier to integrate OAuth 2.0 and OIDC into your applications. Thanks, Spring Security team!<\/p>\n
\n
Using @EnableOAuth2Sso and @EnableResourceServer is no longer recommended in Spring Boot 2.1+ (a.k.a., Spring Security 5.1+). The reasons for the change can be found in Josh Long\u2019s Bootiful Podcast, published on Jan 25, 2019. It\u2019s an interview with Madhura Bhave and the discussion starts at 21:30.<\/p>\n<\/blockquote>\n
In addition to converting all the Java code and YAML configuration to use the latest Spring Security bits, I also decided to make every JHipster app a resource server by default. Here\u2019s the logic from JHipster\u2019s SecurityConfiguration.java.ejs template:<\/p>\n
@Override\npublic void configure(HttpSecurity http) throws Exception {\n    \/\/ @formatter:off\n    http\n        ...\n        <%_ } else if (authenticationType === 'oauth2') { _%>\n            <%_ if (['monolith', 'gateway'].includes(applicationType)) { _%>\n        .and()\n            .oauth2Login()\n            <%_ } _%>\n        .and()\n            .oauth2ResourceServer().jwt();\n        <%_ } _%>\n        \/\/ @formatter:on\n  }\n}<\/pre>\n
To make sure the implementation was OIDC compliant, I overrode the default JwtDecoder<\/code> bean with one that does audience validation.<\/p>\n
@Value(\"${spring.security.oauth2.client.provider.oidc.issuer-uri}\")\nprivate String issuerUri;\n\n@Bean\nJwtDecoder jwtDecoder() {\n    NimbusJwtDecoderJwkSupport jwtDecoder = (NimbusJwtDecoderJwkSupport)\n        JwtDecoders.fromOidcIssuerLocation(issuerUri);\n\n    OAuth2TokenValidator<Jwt> audienceValidator = new AudienceValidator();\n    OAuth2TokenValidator<Jwt> withIssuer = JwtValidators.createDefaultWithIssuer(issuerUri);\n    OAuth2TokenValidator<Jwt> withAudience = new DelegatingOAuth2TokenValidator<>(withIssuer, audienceValidator);\n\n    jwtDecoder.setJwtValidator(withAudience);\n\n    return jwtDecoder;\n}<\/pre>\n
After I had all the runtime code working, I moved onto refactoring tests. Tests are the most reliable indicator of refactoring success, especially with a project that has 26,000<\/a> combinations like JHipster does!<\/p>\n
I encountered a number of challenges along the way. Since I learned a lot solving these challenges, I thought it\u2019d be fun to explain them and how I solved them.<\/p>\n
How to Mock an AuthenticatedPrincipal with an ID Token<\/h2>\n
The first challenge I encountered was with the updated LogoutResource<\/code>. Below is the code after I refactored it to use Spring Security\u2019s ClientRegistrationRepository<\/code>.<\/p>\n
@RestController\npublic class LogoutResource {\n    private ClientRegistration registration;\n\n    public LogoutResource(ClientRegistrationRepository registrations) {\n        this.registration = registrations.findByRegistrationId(\"oidc\");\n    }\n\n    \/**\n     * {@code POST  \/api\/logout} : logout the current user.\n     *\n     * @param request the {@link HttpServletRequest}.\n     * @param idToken the ID token.\n     * @return the {@link ResponseEntity} with status {@code 200 (OK)} and a body with a global logout URL and ID token.\n     *\/\n    @PostMapping(\"\/api\/logout\")\n    public ResponseEntity<?> logout(HttpServletRequest request,\n                                    @AuthenticationPrincipal(expression = \"idToken\") OidcIdToken idToken) {\n        String logoutUrl = this.registration.getProviderDetails()\n            .getConfigurationMetadata().get(\"end_session_endpoint\").toString();\n\n        Map<String, String> logoutDetails = new HashMap<>();\n        logoutDetails.put(\"logoutUrl\", logoutUrl);\n        logoutDetails.put(\"idToken\", idToken.getTokenValue());\n        request.getSession().invalidate();\n        return ResponseEntity.ok().body(logoutDetails);\n    }\n}<\/pre>\n
I tried to mock out the OAuth2AuthenticationToken<\/code> in LogoutResourceIT.java<\/code>, thinking this would lead to the AuthenticationPrincipal<\/code> being populated.<\/p>\n
@RunWith(SpringRunner.class)\n@SpringBootTest(classes = JhipsterApp.class)\npublic class LogoutResourceIT {\n\n    @Autowired\n    private ClientRegistrationRepository registrations;\n\n    @Autowired\n    private MappingJackson2HttpMessageConverter jacksonMessageConverter;\n\n    private final static String ID_TOKEN = \"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9\" +\n        \".eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsIm\" +\n        \"p0aSI6ImQzNWRmMTRkLTA5ZjYtNDhmZi04YTkzLTdjNmYwMzM5MzE1OSIsImlhdCI6MTU0M\" +\n        \"Tk3MTU4MywiZXhwIjoxNTQxOTc1MTgzfQ.QaQOarmV8xEUYV7yvWzX3cUE_4W1luMcWCwpr\" +\n        \"oqqUrg\";\n\n    private MockMvc restLogoutMockMvc;\n\n    @Before\n    public void before() {\n        LogoutResource logoutResource = new LogoutResource(registrations);\n        this.restLogoutMockMvc = MockMvcBuilders.standaloneSetup(logoutResource)\n            .setMessageConverters(jacksonMessageConverter).build();\n    }\n\n    @Test\n    public void getLogoutInformation() throws Exception {\n\n        Map<String, Object> claims = new HashMap<>();\n        claims.put(\"groups\", \"ROLE_USER\");\n        claims.put(\"sub\", 123);\n        OidcIdToken idToken = new OidcIdToken(ID_TOKEN, Instant.now(),\n            Instant.now().plusSeconds(60), claims);\n\n        String logoutUrl = this.registrations.findByRegistrationId(\"oidc\").getProviderDetails()\n            .getConfigurationMetadata().get(\"end_session_endpoint\").toString();\n        restLogoutMockMvc.perform(post(\"\/api\/logout\")\n            .with(authentication(createMockOAuth2AuthenticationToken(idToken))))\n            .andExpect(status().isOk())\n            .andExpect(content().contentType(MediaType.APPLICATION_JSON_UTF8_VALUE))\n            .andExpect(jsonPath(\"$.logoutUrl\").value(logoutUrl));\n    }\n\n    private OAuth2AuthenticationToken createMockOAuth2AuthenticationToken(OidcIdToken idToken) {\n        Collection<GrantedAuthority> authorities = new ArrayList<>();\n        authorities.add(new SimpleGrantedAuthority(AuthoritiesConstants.USER));\n        OidcUser user = new DefaultOidcUser(authorities, idToken);\n\n        return new OAuth2AuthenticationToken(user, authorities, \"oidc\");\n    }\n}<\/pre>\n
However, this resulted in the following error:
 
<\/div> <\/div><\/p>\n
Caused by: java.lang.IllegalArgumentException: tokenValue cannot be empty\n    at org.springframework.util.Assert.hasText(Assert.java:284)\n    at org.springframework.security.oauth2.core.AbstractOAuth2Token.<init>(AbstractOAuth2Token.java:55)\n    at org.springframework.security.oauth2.core.oidc.OidcIdToken.<init>(OidcIdToken.java:53)\n    at java.base\/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)\n    at java.base\/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)\n    at java.base\/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)\n    at java.base\/java.lang.reflect.Constructor.newInstance(Constructor.java:490)\n    at org.springframework.beans.BeanUtils.instantiateClass(BeanUtils.java:172)<\/pre>\n
posted this problem to Stack Overflow<\/a> and sent an email to the Spring Security team as well. Joe Grandja<\/a> responded with a solution to the problem.<\/p>\n
\n
The AuthenticationPrincipalArgumentResolver<\/code> is not getting registered in your test.
It automatically gets registered when the “full” spring-web-mvc is enabled, e.g @EnableWebMvc<\/code>.<\/p>\n
However, in your @Before<\/code>, you have:<\/p>\n
MockMvcBuilders.standaloneSetup()<\/code> – this does not initialize the full web-mvc infrastructure – only a subset.<\/p>\n
Try this instead:
MockMvcBuilders.webAppContextSetup(this.context)<\/code> – this will register AuthenticationPrincipalArgumentResolver<\/code> and your test should resolve the OidcIdToken<\/code>.<\/p>\n<\/blockquote>\n
Joe was correct. I changed the test to the following and the test passed. \u2705<\/p>\n
@RunWith(SpringRunner.class)\n@SpringBootTest(classes = JhipsterApp.class)\npublic class LogoutResourceIT {\n\n    @Autowired\n    private ClientRegistrationRepository registrations;\n\n    @Autowired\n    private WebApplicationContext context;\n\n    private final static String ID_TOKEN = \"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9\" +\n        \".eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsIm\" +\n        \"p0aSI6ImQzNWRmMTRkLTA5ZjYtNDhmZi04YTkzLTdjNmYwMzM5MzE1OSIsImlhdCI6MTU0M\" +\n        \"Tk3MTU4MywiZXhwIjoxNTQxOTc1MTgzfQ.QaQOarmV8xEUYV7yvWzX3cUE_4W1luMcWCwpr\" +\n        \"oqqUrg\";\n\n    private MockMvc restLogoutMockMvc;\n\n    @Before\n    public void before() throws Exception {\n        Map<String, Object> claims = new HashMap<>();\n        claims.put(\"groups\", \"ROLE_USER\");\n        claims.put(\"sub\", 123);\n        OidcIdToken idToken = new OidcIdToken(ID_TOKEN, Instant.now(),\n            Instant.now().plusSeconds(60), claims);\n        SecurityContextHolder.getContext().setAuthentication(authenticationToken(idToken));\n        SecurityContextHolderAwareRequestFilter authInjector = new SecurityContextHolderAwareRequestFilter();\n        authInjector.afterPropertiesSet();\n\n        this.restLogoutMockMvc = MockMvcBuilders.webAppContextSetup(this.context).build();\n    }\n\n    @Test\n    public void getLogoutInformation() throws Exception {\n        String logoutUrl = this.registrations.findByRegistrationId(\"oidc\").getProviderDetails()\n            .getConfigurationMetadata().get(\"end_session_endpoint\").toString();\n        restLogoutMockMvc.perform(post(\"\/api\/logout\"))\n            .andExpect(status().isOk())\n            .andExpect(content().contentType(MediaType.APPLICATION_JSON_UTF8_VALUE))\n            .andExpect(jsonPath(\"$.logoutUrl\").value(logoutUrl))\n            .andExpect(jsonPath(\"$.idToken\").value(ID_TOKEN));\n    }\n\n    private OAuth2AuthenticationToken authenticationToken(OidcIdToken idToken) {\n        Collection<GrantedAuthority> authorities = new ArrayList<>();\n        authorities.add(new SimpleGrantedAuthority(AuthoritiesConstants.USER));\n        OidcUser user = new DefaultOidcUser(authorities, idToken);\n        return new OAuth2AuthenticationToken(user, authorities, \"oidc\");\n    }\n}\n<\/pre>\n
Getting the logout functionality properly tested was a big milestone. I moved on to upgrading JHipster\u2019s microservices architecture.<\/p>\n
How to Pass an OAuth 2.0 Access Token to Downstream Microservices with Zuul<\/h2>\n
JHipster uses Netflix Zuul to proxy requests from the gateway to downstream microservices. I created an AuthorizationHeaderFilter<\/code> to handle access token propagation.<\/p>\n
public class AuthorizationHeaderFilter extends ZuulFilter {\n\n    private final AuthorizationHeaderUtil headerUtil;\n\n    public AuthorizationHeaderFilter(AuthorizationHeaderUtil headerUtil) {\n        this.headerUtil = headerUtil;\n    }\n\n    @Override\n    public String filterType() {\n        return PRE_TYPE;\n    }\n\n    @Override\n    public int filterOrder() {\n        return Ordered.LOWEST_PRECEDENCE;\n    }\n\n    @Override\n    public boolean shouldFilter() {\n        return true;\n    }\n\n    @Override\n    public Object run() {\n        RequestContext ctx = RequestContext.getCurrentContext();\n        Optional<String> authorizationHeader = headerUtil.getAuthorizationHeader();\n        authorizationHeader.ifPresent(s -> ctx.addZuulRequestHeader(TokenRelayRequestInterceptor.AUTHORIZATION, s));\n        return null;\n    }\n}<\/pre>\n
However, adding this did not result in successful access token propagation. With help from Jon Ruddell<\/a>, I discovered this was because JHipster had a LazyInitBeanFactoryPostProcessor<\/code> that caused all beans to be lazy-loaded. The ZuulFilterInitializer<\/code> was included in this logic. Making ZuulFilterInitializer<\/code> an eagerly-loaded bean caused everything to work as it did before.<\/p>\n
At this point, I had everything working, so I created a pull request to upgrade JHipster\u2019s templates<\/a>.<\/p>\n
I knew that what I checked in required Keycloak to be running for integration tests to pass. This is because of OIDC discovery and how the endpoints are looked up from .well-known\/openid-configuration<\/code>.<\/p>\n
How to Handle OIDC Discovery in Spring Boot Integration Tests<\/h2>\n
I wasn\u2019t too concerned that Keycloak needed to be running for integration tests to pass. Then some of our Azure and Travis builds started to fail. JHipster developers noted they were seeing errors like the following when Keycloak wasn\u2019t running.<\/p>\n
Factory method 'clientRegistrationRepository' threw exception; nested exception is\njava.lang.IllegalArgumentException: Unable to resolve the OpenID Configuration\nwith the provided Issuer of \"http:\/\/localhost:9080\/auth\/realms\/jhipster\"<\/pre>\n
I did some spelunking through Spring Security\u2019s OAuth and OIDC tests and came up with a solution<\/a>. The fix involved adding a TestSecurityConfiguration<\/code> class that overrides the default Spring Security settings and mocks the beans so OIDC discovery doesn\u2019t happen.<\/p>\n
@TestConfiguration\npublic class TestSecurityConfiguration {\n    private final ClientRegistration clientRegistration;\n\n    public TestSecurityConfiguration() {\n        this.clientRegistration = clientRegistration().build();\n    }\n\n    @Bean\n    ClientRegistrationRepository clientRegistrationRepository() {\n        return new InMemoryClientRegistrationRepository(clientRegistration);\n    }\n\n    private ClientRegistration.Builder clientRegistration() {\n        Map<String, Object> metadata = new HashMap<>();\n        metadata.put(\"end_session_endpoint\", \"https:\/\/jhipster.org\/logout\");\n\n        return ClientRegistration.withRegistrationId(\"oidc\")\n            .redirectUriTemplate(\"{baseUrl}\/{action}\/oauth2\/code\/{registrationId}\")\n            .clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)\n            .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)\n            .scope(\"read:user\")\n            .authorizationUri(\"https:\/\/jhipster.org\/login\/oauth\/authorize\")\n            .tokenUri(\"https:\/\/jhipster.org\/login\/oauth\/access_token\")\n            .jwkSetUri(\"https:\/\/jhipster.org\/oauth\/jwk\")\n            .userInfoUri(\"https:\/\/api.jhipster.org\/user\")\n            .providerConfigurationMetadata(metadata)\n            .userNameAttributeName(\"id\")\n            .clientName(\"Client Name\")\n            .clientId(\"client-id\")\n            .clientSecret(\"client-secret\");\n    }\n\n    @Bean\n    JwtDecoder jwtDecoder() {\n        return mock(JwtDecoder.class);\n    }\n\n    @Bean\n    public OAuth2AuthorizedClientService authorizedClientService(ClientRegistrationRepository clientRegistrationRepository) {\n        return new InMemoryOAuth2AuthorizedClientService(clientRegistrationRepository);\n    }\n\n    @Bean\n    public OAuth2AuthorizedClientRepository authorizedClientRepository(OAuth2AuthorizedClientService authorizedClientService) {\n        return new AuthenticatedPrincipalOAuth2AuthorizedClientRepository(authorizedClientService);\n    }\n}<\/pre>\n
Then in classes that use @SpringBootTest<\/code>, I configured this as a configuration source.<\/p>\n
@SpringBootTest(classes = {MicroApp.class, TestSecurityConfiguration.class})<\/pre>\n
Running End-to-End Tests on JHipster Microservices that are Secured with OAuth 2.0<\/h2>\n
The final issue surfaced shortly after. The jhipster-daily-builds<\/a> (running on Azure DevOps) were failing when they tried to test microservices.<\/p>\n
Caused by: java.lang.IllegalArgumentException: Unable to resolve the OpenID Configuration\n with the provided Issuer of \"http:\/\/localhost:9080\/auth\/realms\/jhipster\"<\/pre>\n
We don\u2019t include Keycloak Docker Compose files for microservices because we don\u2019t expect them to be run standalone. They require a gateway to access them, so their OAuth 2.0 settings should match your gateway and the gateway project contains the Keycloak files.<\/p>\n
The end-to-end tests that were running on Azure where 1) starting the microservice, and 2) hitting its health endpoint to ensure it started successfully. To fix, Pascal Grimaud<\/a> disabled starting\/testing microservices<\/a>. He also created a new issue<\/a> to improve the process so a full microservices stack is generated using JHipster\u2019s JDL.<\/p>\n
Upgrade to Spring Security 5.1 and its First-Class OIDC Support<\/h2>\n
I hope this list of challenges and fixes has helped you. If you\u2019re using the deprecated @EnableOAuth2Sso<\/code> or @EnableResourceServer<\/code>, I encourage you to try upgrading to Spring Security 5.1. The issue I used to track the upgrade<\/a> has links that show all the required code changes.<\/p>\n