OAuth2 should be easier to set up without a servlet context


Context

Right now I’m spending a lot of time futzing around trying to figure out how to use spring-cloud-openfeign with the modern Spring Security OAuth 2 because they haven’t implemented it yet. It occurs to me while working with this that there is no reason a client_credentials workflow needs to have a servlet container. You could easily be running a non-HTTP daemon or a command line app or a number of other things that arguably shouldn’t even require a Spring Security context. In this case I don’t feel like -web should be “needed” to get a quick client up and tested inside of my feign RequestInterceptor, and for testing it. I get that there’s probably a very manual way to do this (that I have yet to figure out from the documentation) but it feels like it should be as simple as configure client in Spring Boot, get client, grab token, refresh as necessary by just asking for the token.

org.springframework.boot:spring-boot-starter-oauth2-client:2.7.3
org.springframework.security:spring-security-oauth2-client:5.7.3
org.springframework.security:spring-security-oauth2-core:5.7.3
org.springframework.security:spring-security-oauth2-jose:5.7.3

Issue Analytics

  • State: closed
  • Created a year ago
  • Comments: 6 (3 by maintainers)

Top GitHub Comments

1 reaction
jzheaux commented, Sep 26, 2022

I wonder if the documentation could benefit from a header above the paragraph that @jgrandja highlighted, for example:


Authorizing clients outside of a servlet context

The DefaultOAuth2AuthorizedClientManager is designed to be used within the context of a HttpServletRequest. When operating outside of a HttpServletRequest context…


I think the docs in general should move more towards being use-case driven, but a header like the above may help folks find what they need a little easier in the meantime.

0 reactions
xenoterracide commented, Sep 27, 2022

You know what would also help? https://docs.spring.io/spring-security/reference/servlet/index.html if client credentials (which is machine accessible, for all kinds of not servlet code) was not buried under servlet. There should be another section for it.
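
The client_credentials flow discussed in this thread, as an added example that is not part of the original issue or of the Spring Security project's own code: a Feign RequestInterceptor that gets its token from AuthorizedClientServiceOAuth2AuthorizedClientManager, which does not need an HttpServletRequest. The registration id `backend-api`, the principal name `feign-daemon`, and the presence of ClientRegistrationRepository and OAuth2AuthorizedClientService beans in the application context are assumptions.

```java
import feign.RequestInterceptor;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.AuthorizedClientServiceOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizeRequest;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;

@Configuration
public class ClientCredentialsFeignConfig {

    // Assumption: a client registration with this id and the
    // client_credentials grant type is configured for the application.
    private static final String REGISTRATION_ID = "backend-api";

    @Bean
    OAuth2AuthorizedClientManager authorizedClientManager(
            ClientRegistrationRepository registrations,
            OAuth2AuthorizedClientService clientService) {
        // This manager stores authorized clients in the service, not in a
        // request or session, so it works in daemons and CLI applications.
        AuthorizedClientServiceOAuth2AuthorizedClientManager manager =
                new AuthorizedClientServiceOAuth2AuthorizedClientManager(registrations, clientService);
        // Enable only the grant that is needed; the client_credentials provider
        // requests a new token once the cached one has expired.
        manager.setAuthorizedClientProvider(
                OAuth2AuthorizedClientProviderBuilder.builder().clientCredentials().build());
        return manager;
    }

    @Bean
    RequestInterceptor bearerTokenInterceptor(OAuth2AuthorizedClientManager manager) {
        return template -> {
            // The principal name is the cache key for the authorized client;
            // "feign-daemon" is a hypothetical name for this process.
            OAuth2AuthorizeRequest request = OAuth2AuthorizeRequest
                    .withClientRegistrationId(REGISTRATION_ID)
                    .principal("feign-daemon")
                    .build();
            OAuth2AuthorizedClient client = manager.authorize(request);
            if (client == null) {
                // Fail closed: never send the call without a token.
                throw new IllegalStateException("No access token for " + REGISTRATION_ID);
            }
            template.header("Authorization", "Bearer " + client.getAccessToken().getTokenValue());
        };
    }
}
```

Calling `authorize` on every request is intentional: the manager returns the cached token while it is valid, so the interceptor never has to track expiry itself.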
