Skip to content

release-notes.md

Latest commit

 

History

History
968 lines (779 loc) · 57.8 KB

release-notes.md

File metadata and controls

968 lines (779 loc) · 57.8 KB

Release Notes

9.x

For Spring Boot 4

9.1.3

  • Transient dependencies defined by Boot 4.0.6

9.1.2

  • gh-294 Customize CSRF header name
  • Transient dependencies defined by Boot 4.0.5

9.1.1

  • [gh-291] Ease the configuration of the RestTemplate instance used during OpenID configuration & JWK-set retrieval:
@Bean
DefaultSpringAddonsJwtDecoderFactory springAddonsJwtDecoderFactory() {
  var restOperations = new RestTemplate();
  // further configuration of the RestTemplate to use during OpenID connect configuration
  // retrieval: timeouts, SSL bundles, HTTP proxy, ...
  return new DefaultSpringAddonsJwtDecoderFactory(restOperations);
}
  • Transient dependencies defined by Boot 4.0.3

9.0.5-M1

  • gh-284 Configurable Back-Channel LogoutHandler bean

9.0.4-M1

  • enable overriding the default HTTP status of OAuth2 client responses with response_http_status request parameter (in addition to X-RESPONSE-STATUS header). This enables to ask a specific status for instance when setting the location of a browser tab, or the action of a <form> tag.

9.0.3-M1

  • Apply isSecure (https instead of http) and csrf to MockMvcSupport when using .get(...), .post(...), etc.

9.0.2-M1

  • Add SSL bundle auto-configuration for RestClient and WebClient. See the manual for details.

9.0.0-M1

  • gh-281 Compatibility with Spring Boot 4

8.x

For Spring Boot 3

8.1.25

  • Transient dependencies defined by Boot 3.5.11
  • [gh-291] Ease the configuration of the RestTemplate instance used during OpenID configuration & JWK-set retrieval:
@Bean
DefaultSpringAddonsJwtDecoderFactory springAddonsJwtDecoderFactory() {
  var restOperations = new RestTemplate();
  // further configuration of the RestTemplate to use during OpenID connect configuration
  // retrieval: timeouts, SSL bundles, HTTP proxy, ...
  return new DefaultSpringAddonsJwtDecoderFactory(restOperations);
}

8.1.24

  • gh-286 Extended CSRF cookie customization via a new Cookie[Server]CsrfTokenRepositoryPostProcessor interface for an optional bean. Sample usage:
@Bean
CookieCsrfTokenRepositoryPostProcessor csrfCookiePostProcessor() {
  return csrfCookieRepo -> {
    csrfCookieRepo.setCookieCustomizer(csrfCookie -> csrfCookie.sameSite("Strict"));
    return csrfCookieRepo;
  };
}

8.1.23

  • gh-284 Configurable Back-Channel LogoutHandler bean
  • Boot 3.5.5 as transient dependency

8.1.22

  • enable overriding the default HTTP status of OAuth2 client responses with response_http_status request parameter (in addition to X-RESPONSE-STATUS header). This enables to ask a specific status for instance when setting the location of a browser tab, or the action of a <form> tag.

8.1.21

  • Apply isSecure (https instead of http) and csrf to MockMvcSupport when using .get(...), .post(...), etc.

8.1.20

  • Add SSL bundle auto-configuration for RestClient and WebClient. See the manual for details.
  • Transitive dependencies manage by Spring Boot 3.5.4

8.1.18

  • Transitive dependencies manage by Spring Boot 3.5.3 (after the regression on application properties in 3.5.1 & 3.5.2)

8.1.16

  • gh-276 Some authorization servers allow the definition of roles containing spaces or even commas. ConfigurableJwtGrantedAuthoritiesConverter now splits on (space) or , only String claims (and not the values of List<String> claims any more).

8.1.15

  • gh-271 RestClient & WebClient auto-configured by spring-addons-starter-rest now scope tokens issued with client credentials to the application (Spring Security's default is user, which is a waste of resources and a source of latency).

8.1.14

  • gh-273: Use servlet.context-path or webflux.base-path when building default OAuth2 URIs. Starting from Spring Boot 3.5.0, the OAuth2 URIs are relative by default, which solves compatibility issues with reverse proxies. Only the post-logout URI should contain an authority as it is provided to the authorization server so that it redirects back to the UI after RP-Initiated Logout (⚠️ when removing the client-uri property or when setting it with a relative URI, set the post-login-redirect-host with a URI containing an authority). The URIs built by spring-addons are now using the 1st provided value in the following order:
    • spring-addons-starter-oidc's client-uri property
    • Spring Boot Web's server.servlet.context-path or server.webflux.base-path depending on the application type
    • /
  • Spring Boot 3.5.0 to manage default transitive dependencies (designed to work with Spring Cloud 2025.0.0)

8.1.13

  • gh-267 Prevent Open Redirect (CWE-601) attacks. The post login/logout URIs must now be part of whitelists defined with post-login-allowed-uri-patterns and post-logout-allowed-uri-patterns properties. For backward compatibility, if these properties are left blank, all post login/logout URIs composed of only a path (no scheme / authority) as well as those with the same scheme and authority as the client-uri property are allowed.

Sample configuration stricter than defaults:

reverse-proxy: https://localhost

com:
  c4-soft:
    springaddons:
      oidc:
        client:
          client-uri: ${reverse-proxy}/bff
          post-login-allowed-uri-patterns:
          # Each entry is compiled into a java.util.regex.Pattern
          # The following is stricter than the defaults, which are ^${reverse-proxy}(/.*)?$ and ^/.*$
          - ^${reverse-proxy}/ui(/.*)?$
          - ^/ui(/.*)?$
          post-login-redirect-path: /ui/greet
          post-logout-allowed-uri-patterns:
          - ^${reverse-proxy}/ui(/.*)?$
          - ^/ui(/.*)?$
          post-logout-redirect-path: /ui/

Each post-login-allowed-uri-patterns/post-logout-allowed-uri-patterns entry is compiled into a java.util.regex.Pattern.

post-login-redirect-host, post-login-redirect-path, post-logout-redirect-host, and post-logout-redirect-path are validated at startup. An exception is thrown in case of mismatch.

In case of mismatch of post login/logout headers & request params, the authentication request is answered with a 401.

8.1.12

  • Configurable CSRF cookie name and path to solve collisions in case of multiple applications served from the same host. Using a custom cookie name is usually enough and easier as browsers' security will require the cookie path to be a prefix (for instance /foo) shared by:
    • the UI assets, for the CSRF token value to be accessible from the SPA Javascript (for instance /foo/ui/**)
    • the backend secured with oauth2Login, for the cookie to be attached with the request to this backend (for instance /foo/bff/v1/**)
  • Boot 3.4.5 as default transient dependency

8.1.11

  • gh-264 Use RestClient.Builder and WebClient.Builder exposed by the "official" Boot starter as base for those exposed by spring-addons

8.1.10

  • gh-263 Support empty security context with WebClient auto-configured with forward-bearer=true

8.1.9

  • gh-258 Class cast exception with @WithMockJwtAuth meta-annotaions

8.1.8

  • gh-254 Inject the authorized client manager and repository to SpringAddonsRestClientBeanDefinitionRegistryPostProcessor only when OAuth2 authorization is configured to use a registration.

8.1.7

  • gh-253 Fix the scope of spring-security-config which was declared twice in spring-addons-oauth2, spring-addons-oauth2-test and spring-addons-starter-oidc poms: once with compile and a then as optional & provided. Only the 2nd is necessary, so removed 1st.

8.1.5

  • gh-249 Add a property to disable SSL certificates validation for auto-configured REST clients. When client-http-request-factory-impl=jdk, only root authority validation is disabled (not the hostname, so the certificate CN or altnames must match the URL hostame). For other request factory implementations (jdk and jetty), both root authority and hostname validations are disabled.
  • Bump transient dependency on Spring Boot to 3.4.4

8.1.4

  • gh-247 WebClient beans auto-configured by spring-addons-starter-rest should take the (Reactive)OAuth2AuthorizedClientManager from the application context instead of building one from authorized client service and repo.

8.1.3

  • Boot 3.4.3 as transient dependency

8.1.2

  • restore the custom ServerCsrfTokenRequestAttributeHandler for reactive applications configured with HttpOnly=false CSRF cookie

8.1.1

  • Drop the multi-tenancy support for oauth2Login. Spring Security is way too targetted to single tenancy and the work-arounds are a nightmare to maintain. So, when configuring more than one registration with authorization_code, make sure that a user is logged out before allowing him to log in again. The resource-server_with_ui is modified with this new paradigm.
  • Fix the URIs generated by the default InvalidSessionStrategy introduced in 8.1.0
  • Switch from the deprecated OAuth2AuthorizedClientProvider (using RestTemplate) to the recent ones using RestClient
  • Make the RestClient/WebClient used by the (Reactive)OAuth2AuthorizedClientProvider easily configurable

8.1.0

  • Change the default InvalidSessionStrategy in the auto-configured security filter chain for servlets with oauth2Login. The new behavior is to create a new (anonymous) session and redirect to the same URI (retry with a new session cookie). This sensible default in most cases (including the servlet version of Spring Cloud Gateway configured as an OAuth2 BFF) and can be modified with invalid-session properties. For instance, to return a 401 with a Location header pointing to the /login endpoint (which should be included among security-matcher and permit-all):
com:
  c4-soft:
    springaddons:
      oidc:
        ops:
        - iss: ${sso-issuer}
          authorities:
          - path: $.realm_access.roles
        client:
          client-uri: ${gateway-uri}
          security-matchers:
          - /login/**
          - /oauth2/**
          - /logout/**
          permit-all:
          - /login/**
          - /oauth2/**
          invalid-session:
            location: ${gateway-uri}/login
            status: UNAUTHORIZED
  • com.c4-soft.springaddons.oidc.client.oauth2-redirections.invalid-session-strategy is removed (replaced by com.c4-soft.springaddons.oidc.client.invalid-session.status)
  • Make ClientHttpRequestFactory configurable in spring-addons-starter-rest:
    • if the application conf contains such a bean, none is auto-configured
    • the default implementation for the auto-configured bean (JdkClientHttpRequestFactory) can be switched to HttpComponentsClientHttpRequestFactory (requires org.apache.httpcomponents.client5:httpclient5 to be on the class-path) or JettyClientHttpRequestFactory (requires org.eclipse.jetty:jetty-client to be on the class-path) using properties:
com:
  c4-soft:
    springaddons:
      rest:
        client:
          machin-client:
            http:
              # requires org.apache.httpcomponents.client5:httpclient5 to be on the class-path
              client-http-request-factory-impl: http-components
          bidule-client:
            http:
              # requires org.eclipse.jetty:jetty-client to be on the class-path
              client-http-request-factory-impl: jetty
  • Spring Boot 3.4.2 as transitive dependency

8.0.3

  • Support multiple FormattingConversionService in spring-addons-starter-openapi (when using spring-boot-starter-data-rest for instance, there are at least two)

8.0.2

  • Replace SimpleClientHttpRequestFactory with JdkClientHttpRequestFactory in auto-configured RestClient to support PATCH requests
  • Remove the chunk-size configuration property (it is ignored by most underlying HTTP clients)

8.0.1

  • Auto-configure static headers with spring-addons-starter-rest. Sample:
com:
  c4-soft:
    springaddons:
      rest:
        client:
          greet-client:
            base-url: ${client-uri}/api
            headers:
              X-API-KEY: change-me
  • Fix the token params for apps without oauth2Login and the new com.c4-soft.springaddons.oidc.client.token-params property (the params where applied only with the deprecated com.c4-soft.springaddons.oidc.client.token-request-params)

8.0.0

  • spring-addons-starter-rest now expose as @Bean some RestClient and WebClient instances (or builders) with the following configured using application properties:
    • Base URI
    • Basic or Bearer authorization. For the second, with a choice of using an OAuth2 client registration or forwarding the access token in the security context.
    • Connection & read timeouts
    • HTTP or SOCKS proxy, with consideration of the standard HTTP_PROXY and NO_PROXY environment variables (finer-grained configuration can be applied with custom properties)
  • spring-addons-starter-oidc auto-configuration for oauth2Login is improved with:
    • Working Back-Channel Logout, even with cookie-based CSRF protection and logout+jwt tokens (which makes it finally usable with OAuth2 BFF & Keycloak).
    • Configurable status for unauthorized requests. The default is still 302 Found (redirect to login), but it's a snap to change it to 401 Unauthorized (like REST APIs should return, even stateful ones).
  • OAuthentication now extends AbstractOAuth2TokenAuthenticationToken for a better integration with the rest of the Spring Security ecosystem. See the migration guide for details.

7.x Branch

For Spring Boot 3.3.x.

spring-addons-starter-rest provides "incubating" tooling for RestClient, WebClient and @HttpExchange proxy generation.

7.8.12

  • Fix some issues related to clientUri and RP-Initiated Logout on servlets with oauth2Login

7.8.11

  • Boot 3.3.4 as transitive dependency

7.8.10

  • Boot 3.3.3 as transitive dependency

7.8.9

  • Fix gh-226: broken introspection response parsing in reactive applications

7.8.8

  • Boot 3.3.2 as transitive dependency

7.8.7

  • Refactor CORS configuration:
    • expose a Cors(Web)Filter bean instead of configuring the (Server)HttpSecurity independently for client and resource server Security(Web)FilterChain with CORS config
    • deprecate com.c4-soft.springaddons.oidc.client and com.c4-soft.springaddons.oidc.resourceserver in favor of com.c4-soft.springaddons.oidc (the filter applies to all requests, and is the same whatever the filter-chain securing a given request)
    • for backward compatibility, all 3 configuration sources are merged into a single collection
    • a default Cors(Web)Filter bean is configured only if some CORS configuration properties are present (same as before) and if no Cors(Web)Filter bean is registered already (this is new)In other words, regarding CORS, spring-addons backs-of if a CORS filter is registered in application already, or if spring-addons CORS conf properties are omitted
com:
  c4-soft:
    springaddons:
      oidc:
        cors:
        - path: /machin/**
          allowed-origin-patterns: "*"
        - path: /truc/**
          allowed-origin-patterns:
          - "http://localhost:4200"
          - "http://*.chose.com"

7.8.6

  • Fix gh-203: CSRF protection for SPAs on spring-cloud-gateway was breaking requests forwarding when content-type was application/x-www-form-urlencoded

7.8.5

  • Fix gh-219: cast timestamp claims to Long instead of Integer in @WithJwt Authentication factory

7.8.4

  • Spring Boot 3.3.1 and Cloud 2023.0.2 as transitive dependencies

7.8.2

  • Add a configuration property for the internal URI used during Back-Channel Logout to actually disconnect the user

7.8.1

  • Fix default authorization failure handler auto-configuration
  • Add a error query parameter to authorization failure URI

7.8.0

  • Spring Boot 3.3.0 as transitive dependency

7.7.0

  • gh-213: native-images compatibility:
    • add missing @NestedConfigurationProperty to SpringAddonsOidcProperties#client and SpringAddonsOidcProperties#resourceserver
    • declare all other @ConfigurationProperty as nested classes of either SpringAddonsOidcProperties, SpringAddonsOidcClientProperties or SpringAddonsOidcResourceServerProperties

7.6.11

  • Spring Boot 3.2.4

7.6.10

  • Improve the declaration of additional parameters for authorization and token requests:
com:
  c4-soft:
    springaddons:
      oidc:
        client:
          authorization-request-params:
            auth0-confidential-user:
            - name: audience
              value: demo.c4-soft.com
          token-request-params:
            auth0-confidential-user:
            - name: audience
              value: demo.c4-soft.com

becomes:

com:
  c4-soft:
    springaddons:
      oidc:
        client:
          authorization-params:
            auth0-confidential-user:
              audience: demo.c4-soft.com
          token-params:
            auth0-confidential-user:
              audience: demo.c4-soft.com

For backward compatibility, the enhanced syntax is available from new parameters (authorization-request-params => authorization-params and token-request-params => token-params).

Note that multi-valued parameters are correctly handle for token endpoints, but there is a limitation in the way Spring's OAuth2AuthorizationRequest additional params are processed forcing to use single-valued parameters. If providing with a string array in spring-addons authorization-params properties, it is joined using comas.

  • SpringAddons(Server)OAuth2AuthorizationRequestResolver now exposes getOAuth2AuthorizationRequestCustomizer(HttpServletRequest request, String clientRegistrationId). To add parameters depending on the request, in addition to the PKCE token (if enabled) and "static" parameters defined in spring-addons properties, you can expose something like:
@Component
public class MyOAuth2AuthorizationRequestResolver extends SpringAddonsOAuth2AuthorizationRequestResolver {

	public MyOAuth2AuthorizationRequestResolver(
			OAuth2ClientProperties bootClientProperties,
			ClientRegistrationRepository clientRegistrationRepository,
			SpringAddonsOidcClientProperties addonsClientProperties) {
		super(bootClientProperties, clientRegistrationRepository, addonsClientProperties);
	}

	@Override
	protected Consumer<Builder> getOAuth2AuthorizationRequestCustomizer(HttpServletRequest request, String clientRegistrationId) {
		return new CompositeOAuth2AuthorizationRequestCustomizer(
				getCompositeOAuth2AuthorizationRequestCustomizer(clientRegistrationId),
				new MyDynamicCustomizer(request));
	}

	static class MyDynamicCustomizer implements Consumer<OAuth2AuthorizationRequest.Builder> {
		private final HttpServletRequest request;

		public MyDynamicCustomizer(HttpServletRequest request) {
			this.request = request;
		}

		@Override
		public void accept(OAuth2AuthorizationRequest.Builder authorizationRequest) {
			authorizationRequest.additionalParameters(params -> {
				// TODO: add parameters depending on the request
			});
		}
	}
}

7.6.8

  • gh-196 Fix NullPointerException when an HTTP request does not have an X-XSRF-TOKEN header in reactive clients configured with XSRF protection

7.6.7

  • Fix gh-195: RP-Initiated Logout disabling condition was incorrectly modified (not working when logout conf was missing)

7.6.6

  • gh-195 Fix the possibility to override the logout request uri (end_session endpoint)

7.6.5

  • gh-192 spring-security-oauth2-resource-server, spring-security-oauth2-client and spring-webflux should be optional dependencies

7.6.4

7.6.3

  • Spring Boot 3.2.3
  • add com.c4-soft.springaddons.oidc.client.pkce-forced property. Default to false. When true, PKCE is used by clients for authorization-code flows, even by confidential clients
  • move the BFF tutorial to Baeldung. It is also refreshed and now contains sample implementations for React (Next.js) and Vue (Vite).

7.6.0

  • move the experimental support for RestClient and WebClient to a dedicated starter: spring-addons-starter-rest. The reasons for that are:
    • spring-addons-starter-oidc is not necessary to use this helpers
    • OAuth2 authorization is optional for REST clients

7.5.4

  • experimental support beans for RestClient and WebClient

7.5.3

  • gh-188 Fix unnecessarily required audience in JWTClaimsSetAuthenticationManagerResolver

7.5.1

  • make (Reactive)SpringAddonsOAuth2AuthorizedClientBeans conditional on com.c4-soft.springaddons.oidc.client.token-request-params properties being present
  • fix missing SpringAddons(Reactive)JwtDecoderFactory default bean

7.5.0

  • Create spring-addons-starter-oidc README
  • Replace AuthoritiesMappingPropertiesResolver with OpenidProviderPropertiesResolver
  • OpenidProviderPropertiesResolver makes multi-tenancy much simpler to implement, including in "dynamic" scenarios (see spring-addons-starter-oidc README)
  • Fix names of (Server)HttpSecurityPostProcessor (synchronised impl where prefixed with Server which it shouldn't and reactive weren't when it should)
    • renamed HttpSecurityPostProcessor, ClientHttpSecurityPostProcessor and ResourceServerHttpSecurityPostProcessor from reactive packages to ReactiveHttpSecurityPostProcessor, ClientReactiveHttpSecurityPostProcessor and ResourceServerReactiveHttpSecurityPostProcessor
    • renamed ServerHttpSecurityPostProcessor, ClientHttpSecurityPostProcessor and ResourceServerHttpSecurityPostProcessor from synchronized packages to SynchronizedHttpSecurityPostProcessor, ClientSynchronizedHttpSecurityPostProcessor and ResourceServerSynchronizedHttpSecurityPostProcessor

7.4.1

  • gh-183 Allow anonymous CORS preflight requests (OPTIONS requests to a path configured with CORS)
  • gh-184 Configuration properties to add parameters to token requests (necessary for instance to add an audience when using client-credentials with Auth0)
  • Fix Back-Channel Logout activation

7.4.0

  • Change arrays for lists in spring-addons properties. Apparently, configuration properties meta-data is better generated for Lists...
  • Fix properties documentation issues (resource-server instead of resourceserver)

7.3.7

  • gh-182doubled path-prefix by SpringAddonsServerOAuth2AuthorizationRequestResolver

7.3.6

7.3.5

  • Boot 3.2.2 as transitive dependency

7.3.4

  • gh-178 authorization-request-params ignored

7.3.3

  • gh-176 Exception thrown when post-logout-redirect-path is null
  • gh-177 Post-login success & failure URI params and headers on authentication request are ignored in reactive applications

7.3.2

  • gh-174 Fix a regression on request to exchange authorization-code for tokens in servlet applications

7.3.1

  • gh-173 prevent NPE. Thanks to @yennor for finding the bug and submitting a fix.

7.3.0

  • gh-166
    • @WithMockJwtAuth authentication factory uses the authentication converter in the context or a JwtAuthenticationConverter if none is found
    • @WithMockBearerTokenAuthentication authentication factory uses the OpaqueTokenAuthenticationConverter in the context
  • gh-169 Per request post-login and post-logout URIs. It is now possible to set post-login success / failure URIs as header or request param when initiating oauth2Login. This URIs are saved in session and used by the default authentication success / failure handlers. Similarly, when using RP-Initiated Logout, the default logout success handler scans for a post-logout URI in headers and query params to override the default value in properties. The name for these headers, query params and session attributes are exposed by SpringAddonsOidcClientProperties.

7.1.16

  • Spring boot 3.2.0 as transient dependency

7.1.15

  • gh-155 Configurable HTTP status for responses to authorization_code flow initiation, authorization-code callback and logout. This makes BFF configuration easier for single page and mobile applications. Default OAuth2 response status (302 Found) can be overriden with:
com:
  c4-soft:
    springaddons:
      oidc:
        ops:
        client:
          oauth2-redirections:
            pre-authorization-code: FOUND
            post-authorization-code: FOUND
            rp-initiated-logout: ACCEPTED

A per-request override can be done by setting X-RESPONSE-STATUS header with either a status code or label (for instance, both 201 and ACCEPTED are accepted as value).

7.1.14

7.1.13

  • gh-153 have the default opaque tokens introspector accept Integer, Long, Instant and Date as value type for iat and exp claims

7.1.12

  • Spring boot 3.1.5 as transient dependency
  • gh-151 scan application context for authenticationEntryPoint and accessDeniedHandler to auto-configure resource servers (default returns 401 for unauthorized requests instead of 302 redirect to login).

7.1.9

  • Spring boot 3.1.4 as transient dependency
  • gh-147 prevent addons test security conf to be auto-configured (complicates integration testing with test containers)

7.1.8

  • Fix servlet resource server with introspection auto-configuration

7.1.7

  • Enable to configure post-login and post-logout host (defaulted to client URI for backward compatibility)

7.1.5

  • Spring Boot 3.1.3

7.1.4

  • gh-144 remove useless dependency on spring-session.

7.1.1

  • Remove Back-Channel Logout experimental support. Follow the PR on Spring Security for official support.
  • Multi-tenancy support on OAuth2 clients is now optional and disabled by default. Set com.c4-soft.springaddons.oidc.client.multi-tenancy-enabled=true to keep it activated.
  • gh-140: use AOP instead of custom authorized-client repositories to support multi-tenancy on OAuth2 clients. That way, any configured authorized-client repository is instrumented (no need to proxy or extend spring-addons one).

7.0.8

  • client SecurityFilterChain with LOWEST_PRIORITY - 1 (instead of HIGHEST_PRIORITY + 1)
  • WWW_Authenticate header with Bearer value for resource servers unauthorized requests (instead of Basic)

7.0.7

7.0.6

  • Fix a confusion between user subject and principal name in SpringAddons(Server)OAuth2AuthorizedClientRepository which could cause an authorized client not to be found when using another claim than subject as principal name.

7.0.3

  • Fix the condition to add a filter inserting CSRF protection cookie to responses

7.0.0

See the migration guide

  • merge all 6 starters into a single one
  • reduce test libs count to 2: one with just annotations and another to ease testing of apps using the starter

6.x Branch

6.2.3

  • Spring Boot 3.1.3

6.2.2

6.2.1

  • Spring Boot 3.1.2
  • Fix a confusion between user subject and principal name in SpringAddons(Server)OAuth2AuthorizedClientRepository which could cause an authorized client not to be found when using another claim than subject as principal name.

6.2.0

  • remove OAuth2AuthenticationFactory: instead, use Converter<Jwt, ? extends AbstractAuthenticationToken>, Converter<Jwt, ? extends Mono<? extends AbstractAuthenticationToken>>, OpaqueTokenAuthenticationConverter or ReactiveOpaqueTokenAuthenticationConverter
  • create @WithJwt to build OAuth2 Authentication during tests, using a JSON string or file on the classpath and submitting it to the JWT authentication converter. All samples and tutorials are updated with this new annotation.
  • deprecate @WithMockJwt and @OpenId (use the new @WithJwt instead)
  • remove the archetypes

6.1.16

  • gh-133 Add a property to auto-configure an audience JWT validator (if present, the aud claim in the token will be checked to contain the URI provided in the conf)

6.1.15

  • gh-129 Auto-configure (with application properties) additional parameters for authorization-code request. This allows, for instance, to send an audience as required by Auth0. Additional parameters are defined for each client registration. In the following sample, client-registration a and b references an existing entries in spring.security.oauth2.client.registration:
com:
  c4-soft:
    springaddons:
      security:
        client:
          authorization-request-params:
            client-registration-a:
            - name: audience
              value: demo.c4-soft.com
            client-registration-b:
            - name: kc_idp_hint
              value: google
            - name: machin
              value: chose

6.1.14

  • gh-128 add @ClasspathClaims to load claims from a JSON file in the classpath (test resources for instance).
@Test
@WithMockJwtAuth(
  authorities = "ROLE_AUTHORIZED_PERSONNEL",
  claims = @OpenIdClaims(
    usernameClaim = "$['https://c4-soft.com/user']['name']",
    jsonFile = @ClasspathClaims("ch4mp.json")))
void givenUserIsAuthenticatedWithJsonClaims_whenGetClaims_thenOk() throws Exception {
  api.get("/greet").andExpect(status().isOk()).andExpect(content().string("Hello Ch4mp! You are granted with [ROLE_AUTHORIZED_PERSONNEL]."));
}
  • gh-127 add a json property to @OpenIdClaims to define all claims with a JSON string
@WithMockJwtAuth(
authorities = { "ROLE_AUTHORIZED_PERSONNEL" },
claims = @OpenIdClaims(
  usernameClaim = "$['https://c4-soft.com/user']['name']",
  json = """
{
  "https://c4-soft.com/user": {
    "name": "Ch4mp",
    "email": "ch4mp@c4-soft.com"
  },
  "aud": "https://localhost:7082"
}"""))

6.1.13

  • gh-125 Split claims used as GrantedAuthority source on comma and space (for instance, scope claim is usually a single string with comma separated scopes).

6.1.12

  • gh-122 Support for parametrized OAuth2 Authentications in @ParameterizedTest. In the following sample, mind the @JwtAuthenticationSource (decoring test) and @ParameterizedJwtAuth (decoring test method parameter). The first annotation defines the different authentication instances, the second inserts the one for the current test in the security context and provides it as test method parameter:
@ParameterizedTest
@JwtAuthenticationSource({ @WithMockJwtAuth("NICE"), @WithMockJwtAuth("VERY_NICE") })
void givenUserIsGrantedWithAnyNiceAuthority_whenGetRestricted_thenOk(@ParameterizedJwtAuth JwtAuthenticationToken auth) throws Exception {
	api.perform(get("/restricted"))
			.andExpect(status().isOk())
			.andExpect(jsonPath("$.body").value("You are so nice!"));
}

The above will run two distinct tests in sequence, one with each of the provided @WithMockJwtAuth. Same for:

  • @WithMockBearerTokenAuthentication with @BearerAuthenticationSource and @ParameterizedBearerAuth
  • @OpenId with @OpenIdAuthenticationSource and @ParameterizedOpenId
  • @WithOAuth2Login with @OAuth2LoginAuthenticationSource and @ParameterizedOAuth2Login
  • @WithOidcLogin with @OidcLoginAuthenticationSource and @ParameterizedOidcLogin

6.1.11

  • Spring Boot 3.1.0

6.1.10

  • Spring Boot 3.0.7

6.1.9

  • gh-112 fix CSRF token exposed to Javascript in servlets applications. Thanks to @giovannicandido for spotting and fixing this.

6.1.8

  • Spring Boot 3.0.6

6.1.7

  • create ServletConfigurationSupport and ReactiveConfigurationSupport in spring-addons-{webmvc|webflux}-core to remove code duplication from starters

6.1.5

  • add new helpers to type private claims in test annotations for Double, URIs, URLs and Date
  • add 1 level of nested claims to @Claims, the test annotation to define private claims in OAuth2 test annotations. It is not possible to describe recursive structures with annotation (annotation with a node of the same type as itself), which is an issue to describe a JSON document. To configure further nested claims, it is still possible to use @JsonObjectClaim with serialized JSON strings. Sample usage with all possible types of claims (hopefully, it will never be necessary to configure as many claims in a single test):
@WithMockJwtAuth(authorities = "ROLE_AUTHORIZED_PERSONNEL", claims = @OpenIdClaims(sub = "Ch4mpy", otherClaims = @Claims(
        intClaims = { @IntClaim(name = "int1", value = 42), @IntClaim(name = "int2", value = 51) },
        longClaims = { @LongClaim(name = "long1", value = 42), @LongClaim(name = "long2", value = 51) },
        doubleClaims = { @DoubleClaim(name = "double1", value = 4.2), @DoubleClaim(name = "double2", value = 5.1) },
        stringClaims = { @StringClaim(name = "str1", value = "String 1"), @StringClaim(name = "str2", value = "String 2") },
        uriClaims = { @StringClaim(name = "uri1", value = "https://localhost:8080/greet"), @StringClaim(name = "uri2", value = "https://localhost:4200/home#greet") },
        urlClaims = { @StringClaim(name = "url1", value = "https://localhost:8080/greet"), @StringClaim(name = "url2", value = "https://localhost:4200/home") },
        epochSecondClaims = { @IntClaim(name = "epoch1", value = 1670978400), @IntClaim(name = "epoch2", value = 1680648172)},
        dateClaims = { @StringClaim(name = "date1", value = "2022-12-14T00:40:00.000+00:00"), @StringClaim(name = "date1", value = "2023-04-04T00:42:00.000+00:00") },
        stringArrayClaims = { @StringArrayClaim(name = "strArr1", value = { "a", "b", "c" }), @StringArrayClaim(name = "strArr2", value = { "D", "E", "F" }) },
        jsonObjectClaims = { @JsonObjectClaim(name = "obj1", value = obj1), @JsonObjectClaim(name = "obj2", value = obj2)},
        jsonObjectArrayClaims = @JsonObjectArrayClaim(name = "objArr1", value = { obj3, obj4}),
        nestedClaims = { @NestedClaims(
                name = "https://c4-soft.com/user",
                intClaims = { @IntClaim(name = "nested_int1", value = 42), @IntClaim(name = "nested_int2", value = 51) },
                longClaims = { @LongClaim(name = "nested_long1", value = 42), @LongClaim(name = "nested_long2", value = 51) },
                doubleClaims = { @DoubleClaim(name = "nested_double1", value = 4.2), @DoubleClaim(name = "nested_double2", value = 5.1) },
                stringClaims = { @StringClaim(name = "nested_str1", value = "String 1"), @StringClaim(name = "nested_str2", value = "String 2") },
                uriClaims = { @StringClaim(name = "nested_uri1", value = "https://localhost:8080/greet"), @StringClaim(name = "nested_uri2", value = "https://localhost:4200/home#greet") },
                urlClaims = { @StringClaim(name = "nested_url1", value = "https://localhost:8080/greet"), @StringClaim(name = "nested_url2", value = "https://localhost:4200/home") },
                epochSecondClaims = { @IntClaim(name = "nested_epoch1", value = 1670978400), @IntClaim(name = "nested_epoch2", value = 1680648172)},
                dateClaims = { @StringClaim(name = "nested_date1", value = "2022-12-14T00:40:00.000+00:00"), @StringClaim(name = "nested_date1", value = "2023-04-04T00:42:00.000+00:00") },
                stringArrayClaims = { @StringArrayClaim(name = "nested_strArr1", value = { "a", "b", "c" }), @StringArrayClaim(name = "nested_strArr2", value = { "D", "E", "F" }) },
                jsonObjectClaims = { @JsonObjectClaim(name = "nested_obj1", value = obj1), @JsonObjectClaim(name = "nested_obj2", value = obj2)},
                jsonObjectArrayClaims = @JsonObjectArrayClaim(name = "nested_objArr1", value = { obj3, obj4}))})))

6.1.4

  • gh-106: Properties to disable spring-addons security filter-chain auto-configuration:
    • for clients: empty path-matchers array or com.c4-soft.springaddons.security.client.enabled=false
    • for resource servers: com.c4-soft.springaddons.security.enabled=false

6.1.3

6.1.2

  • boot 3.0.4
  • add a BFF tutorial

6.1.1

6.1.0

  • breaking change in properties: authorities mapping is now configured per claim JSON path (instead of per issuer). This enables to use different prefix (and case) for different claims (for instance SCOPE_ for scope claim and ROLE_ for realm_access.roles one). As a consequence, com.c4-soft.springaddons.security.issuers[].authorities.claims[] is replaced with com.c4-soft.springaddons.security.issuers[].authorities[].path.Also, prefix as well as case are put at the same level as (JSON) path.

Sample migration with YAML:

com:
  c4-soft:
    springaddons:
      security:
        issuers:
        - location: ${keycloak-issuer}
          username-claim: preferred_username
          authorities:
            prefix: ROLE_
            claims:
            - realm_access.roles
            - resource_access.client1.roles

Becomes:

com:
  c4-soft:
    springaddons:
      security:
        issuers:
        - location: ${keycloak-issuer}
          username-claim: $.preferred_username
          authorities:
          - path: $.realm_access.roles
            prefix: ROLE_
          - path: $.resource_access.client1.roles
            prefix: ROLE_
  • "pseudo" JSON path for username and authorities claims is now actual JSON path. This means that $.resource_access.*.roles will be successfully accepted. Thanks to JSON path syntax, this is not a breaking change ($.resource_access.client1.roles and resource_access.client1.roles are interpreted the same)
  • bump to Spring Boot 3.0.3

6.0.16

  • Add a username-clame configuration property to define, per issuer, from which claim of the access token should be retrieved the username (what is returned by Authentication::getName). Default is subject for backward compatibility

6.0.15

  • gh-100 prevent a NPE in reactive resource-server using JWT spring-addons starter when the issuer in an access token is not listed in conf. All credits go to lArtiquel who spotted the bug and submitted the fix.

6.0.13

  • create ServerHttpRequestSupport and HttpServletRequestSupport to help statically access to the request in current context (usage in authentication converters for instance

6.0.12

  • add @WithOAuth2Login and @WithOidcLogin to populate test security-context with an OAuth2AuthenticationToken instance (with respectively DefaultOAuth2User and DefaultOidcUser as principal)
  • bump to spring-boot 3.0.2
  • default authorities collection in tests annotations, MockMvc post-processors and WebTestClient mutators is set to empty array (instead of { "ROLE_USER" })

6.0.11

  • gh-86 OAuthentication::setDetails should not throw until spring-security 6.1 is released
  • gh-87 spring-addons JWT starters should start even if spring.security.oauth2.resourceserver.jwt.issuer-uri is set in configuration properties

6.0.10

  • gh-83 do not force traffic to http when SSL is not enabled (just force https when SSL is enabled)

6.0.9

  • Make OAuthentication immutable

6.0.7

  • release with spring-boot 3.0.0 GA as transitive dependency

6.0.1

  • samples for all combinations of:
    • webmvc / webflux
    • JWT decoder / access token introspection
    • OAuthentication<OpenidClaimSet> / Spring default Authentication implementation (JwtAuthenticationToken for JWT decoder or BearerTokenAuthentication for token introspection)
  • minor fixes (@WithMockAuthentication and reactive + introspection starter)

6.0.0

5.x branch

This branch is not maintained anymore. Only versions compatible with Spring 6.1.x (Boot 3.1.x) and JDK >= 17 are maintained.

5.4.2

  • gh-100 prevent a NPE in reactive resource-server using JWT spring-addons starter when the issuer in an access token is not listed in conf. All credits go to lArtiquel who spotted the bug and submitted the fix.

5.4.0

  • Use a single bean name for
    • ServletSecurityBeans and ReactiveSecurityBeans: AddonsSecurityBeans
    • @AutoConfigureAddonsSecurity{Webmvc|Weblux}{Jwt|Introspecting}: @AutoConfigureAddonsSecurity
  • Add @AutoConfigureAddonsWebSecurity to do the same as existing @AutoConfigureAddonsSecurity which now loads authorities converter only (useful to unit-test @Components that are not @Controller).
  • More options for CSRF configuration (enum property instead of a boolean) and CSRF disabled by default when session-management is state-less.
  • Compatibility with JDK 1.8 and spring-boot 2.6 (get version 6.x for spring-boot 3 and JDK 17)
  • webflux dependencies cleanup (were pulling some servlet dependencies)
  • All samples now demo @Service and @Repository unit-tests in addition to @Controller ones.

5.3.0

Use JwtAuthenticationToken or BearerAuthenticationToken by default in resource-server starters. For some reason, OAuthentication<OpenidClaimSet> frightens rookies.

  • make OAuth2AuthenticationFactory @Bean optional.
  • remove OAuth2ClaimsConverter (interface definition and @ConditionalOnMissingBean)
  • remove the recently added oauth2-authentication-factory-enabled property (instead, evaluate if an OAuth2AuthenticationFactory bean was provided)

5.2.2

  • resource-server starter main beans (Security(Web)FilterChain) are no-longer "conditional on missing": if you dan't want it, don't pull starter lib.
  • add oauth2-authentication-factory-enabled flag to easily fall-back to Spring default OAuth2 Authentication implementations (JwtAuthenticationToken and BearerTokenAuthentication for resource-servers with respectively JWT decoder or opaque token introspection)

5.1.3

  • keycloak 19
  • release with JDK 17 and boot 2.7.2
  • release with JDK 1.8 and boot 2.6.10

5.1.0

  • Support token introspection for resource-servers.
  • Rename spring-addons-*-jwt-resource-server-test to spring-addons-*-test as it apply for both JWT and introspection

5.0.0

Rename modules to:

  • have all module names start with spring-addons prefix, then intermediate module if any (archetypes, samples, starters, webmvc or webflux) and last what leaf module aims at
  • better reflect what it does

For instance, spring-security-oauth2-webmvc-addons only applies to resource-servers secured with JWTs (not to opaque tokens) -> renamed to spring-addons-webmvc-jwt-resource-server

Rename com.c4-soft.springaddons.security.token-issuers configuration properties to com.c4-soft.springaddons.security.issuers for the same reason: only accepts JWT token issuers (and not opaque token issuers with introspection end-point for instance)

4.5.0

CSRF enabled by default, using CookieCsrfTokenRepository if session management is "stateless".

4.4.4

gh-53 GenericMethodSecurityExpressionHandler should accept expression root suppliers for many authentication type

4.4.2

add reCAPTCHA validation spring-boot starter

4.4.1

rename @WithMockOidcAuth to shorter and more expressive @OpenId: it populates test security context with an OAuth2 Àuthentication containing an OpenID claim-set

4.4.0

  • rename OpenidClaimSet to OpenidClaimSet: more expressive as this class contains OpenID token claims only
  • rename OAuthentication to OAuthentication: it has no more adherence to OpenID (just specific to authentication with encoded claims in a bearer string)

4.3.2

Slight properties rework. Now, to configure issuers and authorities mapping:

# should be set to where your authorization-server is
com.c4-soft.springaddons.security.issuers[0].location=https://localhost:8443/realms/master

# should be configured with a list of private-claims this authorization-server puts user roles into
# below is default Keycloak conf for a `spring-addons` client with client roles mapper enabled
com.c4-soft.springaddons.security.issuers[0].authorities.claims=realm_access.roles,resource_access.spring-addons-public.roles,resource_access.spring-addons-confidential.roles

# use IDE auto-completion or see SpringAddonsSecurityProperties javadoc for complete configuration properties list

where caze is one of unchanged, upper or lower

4.3.0

  • gh-50: One entry per authorization-server for authorities mapping (see samples application.properties files for new configuration structure).
  • gh-51: Group archetypes, webmvc and webflux modules.

4.2.1

  • gh-49: Samples in dedicated modules. All samples are moved from libs tests to samples module, with one sub-module per sample.

4.2.0

Cleanup and prepare for spring-boot 3:

  • gh-46: split webmvc & webflux content from spring-addons-oauth2
  • gh-47: provide SecurityFilterChain bean instead of extending WebSecurityConfigurerAdapter
  • gh-48: make use of spring-boot @AutoConfiguration

4.1.5

  • Replace multiple JWT issuers JwtDecoder (from 4.1.4) with AuthenticationManagerResolver @Beans

4.1.4

  • JwtDecoder for configuring multiple JWT issuers (single resource server accepting IDs from two or more authorization-servers)

4.1.3

  • finer configuration control with SpringAddonsSecurityProperties

4.0.0

  • move keycloak related code to spring-addons-keycloak

3.2.0

  • Master branch back to single JDK: 17
  • Create jdk1.8 and jdk11 branches

3.1.16

3.1.13

  • Add a sample with OpenidClaimSet specialisation (parse private claims in addition to authorities).

3.1.12

  • Improve OidcReactiveApiSecurityConfig and OidcServletApiSecurityConfig usability: ease security beans replacement (including authorities and authentication converter for use cases where OAuthentication is not enough)

3.1.11

  • Rename SecurityProperties to less conflicting SpringAddonsSecurityProperties

3.1.10

  • Turn AbstractOidc...ApiSecurityConfig into Oidc...ApiSecurityConfig with default authorities mapper being keycloak or Auth0 depending on com.c4-soft.springaddons.security.keycloak.client-id being set or not
  • More CORS and authorities mapping configuration in SecurityProperties

3.1.8

  • Fix missing JTI claim mapping from @OpenIdClaims (gh-35).

3.1.7

  • Add AbstractOidcReactiveApiSecurityConfig to spring-addons-oauth2. It provides with reasonable default WebSecurityConfig for a reactive (weblux) based API secured with OAuthentication.

3.1.6

  • Add AbstractOidcServletApiSecurityConfig to spring-addons-oauth2. It provides with reasonable default WebSecurityConfig for a servlet based API secured with OAuthentication.

3.1.4

  • lombok with provided scope (gh-31)

3.1.3

  • spring-boot 2.6.1
  • release with JDK version (compilation and runtime target)

3.1.0

  • spring-boot 2.6

3.0.0

  • in OAuth2 related test annotations all claims are now grouped under a single claims = @OpenIdClaims(...)
  • @WithMockJwtAuth in addition to @WithMockKeycloakAuth and @WithMockOidcAuth
  • some code cleanup, quite a bunch of code removed and some renaming (including breaking changes, reason for new major version)

2.6.6

  • import spring-boot 2.5.5 BOM (instead of inheriting 2.5.4 POM)

2.6.5

  • Downgrade Java compatibility to 1.8

2.6.1

  • spring-boot 2.5.4

2.6.0

  • replace KeycloakOidcIdAuthenticationConverter with SynchronizedJwt2OidcIdAuthenticationConverter and complement it with ReactiveJwt2OidcIdAuthenticationConverter
  • remove references to Keycloak from spring-addons-oauth2 (implementations where mostly useless)

2.5.4

  • bump Keycloak BOM to 14.0.0

2.5.3

  • bump spring-boot to 2.5

2.5.1

  • introduce @JsonObjectClaim and @JsonArrayClaim to configure complex private claims. Sample: @WithMockKeycloakAuth(otherClaims = @ClaimSet(jsonObjectClaims = @JsonObjectClaim(name = "foo", value = "{\"bar\":\"bad\", \"nested\":{\"deep\":\"her\"}, \"arr\":[1,2,3]}"))) or @WithMockOidcId(privateClaims = @JsonObjectClaim(name = "foo", value = "{\"bar\":\"bad\", \"nested\":{\"deep\":\"her\"}, \"arr\":[1,2,3]}"))

2.4.1

2.4.0

  • rename ServletKeycloakAuthUnitTestingSupport::keycloakAuthenticationToken() to authentication() to improve API fluidity (api.with(keycloak.authentication()).get(...))

2.3.0

  • implementation closer to open ID specs: split claims into @IdTokenClaims and @OidcStandardClaims
  • re-use OIDC ID annotations into @WithMockKeycloakAuth

2.2.0

  • OidcId::getName() returns subject claim instead of preferred_username
  • replace name with subject in @WithMockOidcId
  • replace name from @WithMockKeycloakAuth with preferedUsername in @WithAccessToken
  • support for private claims in @WithMockOidcId and @WithMockKeycloakAuth (claims with values of type int, long, String and String[] only)
  • add missing subject claim in Keycloak access and ID tokens
  • compose @WithAccessToken with @WithKeycloakIDToken instead of repeating properties (AccessToken extends IDToken)
  • add advanced @WithMockKeycloakAuth sample usage in spring-addons-oauth2-test README

2.1.0

  • fix Keycloak typo (was wrongly spelled Keycloack at many places)
  • add samples with authorities retrieved from a DB instead of the JWT for both OAuthentication and JwtAuthenticationToken
  • add sample involving keycloak-spring-boot-starter and keycloak-spring-security-adapter

2.0.0

This release is still focused on unit-testing Spring OAuth2 applications

  • @WithMockAuthentication annotation along with mockAuthentication() servlet (webmvc) and reactive (webflux) flow APIs. You choose the Authentication type, the framework feeds the security context with a Mockito mock. This is dead simple but should cover 99% of test cases. I wonder why I didn't think of it sooner...
  • Focus solely on adding to Spring Authentication implementations and tests tooling (no more alternatives, with an exception for OidcId which overlaps Spring's OidcIdToken)
  • Split webmvc (servlets) and webflux (reactive) code in distinct libs to ease dependency management
  • Re-shuffle packages and jars (less code, less jars, more expressive package names)
  • WIP: Extensives samples and tests. Samples are boot apps under src/test to keep jars small
  • Use Keycloak as authorisation-server for all resource-server samples, each of which configuring a specific Authentication impl

Note that I chose Keycloak because it's a feature rich, easy to setup authorisation-server. It should not be much of an effort to migrate sample resource-servers to another one, with an exception to those using KeycloakAuthenticationToken as authentication impl, of course.