Issue
Now I have this configuration:
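spring:
  security:
    oauth2:
      client:
        registration:
          sbbol:
            client-id: zdcffffff
            # Do not keep the real secret in the committed config file: resolve it from the
            # environment / a vault the same way the provider URIs below are resolved.
            client-secret: ${SBBOL_CLIENT_SECRET}
            scope:
              - openid
            client-authentication-method: post
            authorization-grant-type: authorization_code
            redirect-uri: '{baseUrl}/login/oauth2/code/{registrationId}'
            # NOTE(review): as far as I can tell this is not a Spring Boot oauth2
            # client-registration property (client-authentication-method above is the one
            # that is read); unknown keys here are silently ignored — confirm and drop.
            client-authentication-scheme: form
        provider:
          sbbol:
            # NOTE(review): all three endpoints resolve to the same variable; presumably a
            # placeholder — real providers expose distinct authorization/token/userinfo URLs.
            authorization-uri: ${SBBOL_AUTH_URI}
            token-uri: ${SBBOL_AUTH_URI}
            user-info-uri: ${SBBOL_AUTH_URI}
            # NOTE(review): with scope "openid" Spring validates the ID token signature and
            # normally needs jwk-set-uri (or issuer-uri) on the provider — confirm against
            # the provider's discovery document.
            user-name-attribute: sub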
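@Configuration
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    /**
     * Builds the single security filter chain: every request requires an authenticated
     * session, and authentication is obtained through the "sbbol" OAuth2/OIDC login flow.
     *
     * <p>The previous version wrapped the rules in
     * {@code http.requestMatchers().antMatchers("/login", "/oauth2/authorization/sbbol",
     * "/login/oauth2/code/sbbol")}. That call does not list the protected paths — it
     * restricts which requests this filter chain is invoked on at all, so
     * {@code anyRequest().authenticated()} only ever applied to those three login
     * endpoints and everything else (including the {@code /user} success page) was
     * served with no security filter chain. Dropping the restriction makes the chain
     * apply to every request.
     *
     * @param http the builder for this filter chain
     * @throws Exception propagated from the {@link HttpSecurity} configurers
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // HTTP Basic is not used; authentication happens via the OAuth2 redirect flow.
        http.httpBasic().disable();
        // NOTE(review): cors().disable() removes the CorsFilter, it does not open CORS; kept
        // as before. If cross-origin callers are expected, register a CorsConfigurationSource.
        http.cors().disable();
        // NOTE(review): oauth2Login() establishes a server-side session, so disabling CSRF
        // leaves state-changing endpoints (including POST /logout) open to cross-site
        // requests. Kept as before; re-enable unless every endpoint is genuinely stateless.
        http.csrf().disable();
        // Applies to all requests now that the chain is no longer limited by requestMatchers().
        http.authorizeRequests()
                .anyRequest().authenticated();
        // The login endpoints themselves (/oauth2/authorization/sbbol, /login/oauth2/code/sbbol)
        // are handled by the oauth2Login filters before authorization; permitAll() covers
        // the login page and failure URL.
        http.oauth2Login()
                .defaultSuccessUrl("/user")
                .permitAll();
    }
}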
This works, but my provider requires me to rotate the client secret every 30 days via a REST API call. My question: how do I supply the new client secret to Spring Security at runtime, without restarting the application? Could I store the configuration in the database instead?
Solution
I created my own implementation of org.springframework.security.oauth2.client.registration.ClientRegistrationRepository. It reads the settings from the database on every lookup, so I can change them (including a rotated client secret) and the change takes effect on the next login without a restart.
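@Component
@RequiredArgsConstructor
public class JdbcClientRegistrationRepository implements ClientRegistrationRepository {

    private final SsoProviderConfigurationRepository ssoProviderConfigurationRepository;

    /**
     * Loads the client registration for {@code registrationId} from the database on every
     * call. Nothing is cached here, so a rotated client secret is used by the next login
     * attempt without restarting the application — the reason the configuration was moved
     * out of application.yml in the first place.
     *
     * @param registrationId the registration id (e.g. "sbbol"); must be non-blank
     * @return the registration, or {@code null} when no row exists for the id — the contract
     *         of {@link ClientRegistrationRepository#findByRegistrationId}, which Spring
     *         Security's OAuth2 login filters check for (they do not catch exceptions)
     * @throws IllegalArgumentException if {@code registrationId} is blank
     */
    @Override
    public ClientRegistration findByRegistrationId(String registrationId) {
        Assert.hasText(registrationId, "registrationId cannot be empty");
        SsoProviderConfiguration cfg = ssoProviderConfigurationRepository
                .findByRegistrationId(registrationId)
                .orElse(null);
        if (cfg == null) {
            return null;
        }
        ClientRegistration.Builder builder = ClientRegistration.withRegistrationId(cfg.getRegistrationId())
                .clientId(cfg.getClientId())
                // Read straight from the row; never log or toString() this value.
                .clientSecret(cfg.getClientSecret())
                .clientName(cfg.getClientName())
                .authorizationGrantType(new AuthorizationGrantType(cfg.getAuthorizationGrantType()))
                .clientAuthenticationMethod(new ClientAuthenticationMethod(cfg.getClientAuthenticationMethod()))
                .redirectUri(cfg.getRedirectUri())
                .authorizationUri(cfg.getAuthorizationUri())
                .tokenUri(cfg.getTokenUri())
                .userInfoUri(cfg.getUserInfoUri())
                .userInfoAuthenticationMethod(new AuthenticationMethod(cfg.getAuthenticationMethod()))
                .userNameAttributeName(cfg.getUserNameAttributeName())
                // The entity already carries these but the previous builder dropped them; the
                // "openid" scope needs the JWK set for ID-token signature verification.
                .jwkSetUri(cfg.getJwkSetUri())
                .issuerUri(cfg.getIssuerUri());
        String[] scopes = parseScopes(cfg.getScope());
        if (scopes.length > 0) {
            builder.scope(scopes);
        }
        return builder.build();
    }

    /**
     * Splits the comma-separated scope column into individual scopes, tolerating surrounding
     * whitespace; a null or blank column yields no scopes instead of an NPE or a "" scope.
     */
    private static String[] parseScopes(String scopeColumn) {
        if (scopeColumn == null || scopeColumn.trim().isEmpty()) {
            return new String[0];
        }
        return scopeColumn.trim().split("\\s*,\\s*");
    }
}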
My entity
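@Entity
@Table(name = "sso_provider_configuration")
@Getter
@Setter
@NoArgsConstructor
public class SsoProviderConfiguration implements Serializable {

    private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;

    @Id
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    @Column(name = "id", unique = true, nullable = false)
    private Long id;

    /**
     * Lookup key used by {@code findByRegistrationId} (e.g. "sbbol"). Declared unique so a
     * duplicate row cannot make the Optional-returning lookup fail at runtime.
     */
    @Column(unique = true, nullable = false)
    private String registrationId;

    private String clientId;

    /**
     * The secret the provider rotates every 30 days. It is stored as-is in this column:
     * restrict read access to it and consider a JPA {@code AttributeConverter} that encrypts
     * it at rest. Do not add {@code @ToString} to this class without excluding this field.
     */
    private String clientSecret;

    /** Value understood by {@code new ClientAuthenticationMethod(String)}, e.g. "post". */
    private String clientAuthenticationMethod;

    /** Value understood by {@code new AuthorizationGrantType(String)}, e.g. "authorization_code". */
    private String authorizationGrantType;

    private String redirectUri;

    /** Comma-separated list of scopes, e.g. "openid". */
    private String scope;

    private String clientName;
    private String authorizationUri;
    private String tokenUri;
    private String jwkSetUri;
    private String issuerUri;

    /** Value understood by {@code new AuthenticationMethod(String)} for the userinfo call. */
    private String authenticationMethod;

    private String userNameAttributeName;

    // Renamed from "UserInfoUri" to follow Java field naming; Lombok still generates
    // getUserInfoUri()/setUserInfoUri(), so callers are unaffected.
    private String userInfoUri;
}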
Repository
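/** Spring Data access to the {@code sso_provider_configuration} table. */
public interface SsoProviderConfigurationRepository extends JpaRepository<SsoProviderConfiguration, Long> {

    /**
     * Finds the provider configuration by its registration id (e.g. "sbbol"). The query is
     * derived from the method name, so the parameter is named after the entity property it
     * matches for readability only.
     *
     * @param registrationId the OAuth2 client registration id
     * @return the matching row, or empty when none exists
     */
    Optional<SsoProviderConfiguration> findByRegistrationId(String registrationId);
}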