/spring-addons

Ease spring OAuth2 resource-servers configuration and testing

Primary LanguageJavaApache License 2.0Apache-2.0

Ease OAuth2 / OpenID Configuration & Tests in Spring Boot 3

Useful links

Breaking News

In 7.7.0, some @ConfigurationProperties were changed to inner-class definition (instead of standing in a source file of their own). Migration should be no more complicated than organizing imports.

The OAuth2 BFF tutorial is now on Baeldung. It was deeply refreshed in the process and now contains samples for Angular, React (Next.js) and Vue (Vite).

With spring-addons-starter-oidc, you might need 0 Java conf, even in scenarios like:

  • accepting tokens issued by several trussted authorization servers
  • mapping authorities from a variety of claims
  • needing custom OAuth2 redirection URI or HTTP status
  • having per environment CORS configuration (not allowing the same origins in staging and prod for instance)
  • exposing CSRF token as a cookie accessible to a single-page application
  • logging out from an authorization server not strictly implementing RP-Initiated Logout (case of Auth0 and Amazon Cognito for instance)
  • adding extra parameters to authorization or token requests (like the audience required by Auth0)

Unit & Integration Testing With Security

Testing access control requires to configure the test security context. For that, spring-security-test provides with MockMvc request post-processors and WebTestClient mutators, but this can work only in the context of a request, which limits its usage to controllers.

To test any type of @Component (@Controller, off course, but also @Service and @Repository) there are only two options:

  • build tests security context by yourself and populate it with stubbed / mocked authentications
  • use annotations to do it for you (this is where spring-addons-oauth2-test jumps in)

Useful resources: