Allow autoconfiguration without any JWT #45045

New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Closed
OrangeDog opened this issue Apr 9, 2025 · 5 comments
Labels
status: declined A suggestion or change that we don't feel we should currently apply

Comments

@OrangeDog
Contributor

I'm using opaque tokens, not JWT, so I have no need for any of the related beans or dependencies in my resource or authorization servers.

However, OAuth2AuthorizationServerJwtAutoConfiguration insists on declaring a JWKSource bean, which triggers the spring security configurations to set up more JWK-related stuff.

I also tried explicitly excluding that auto-configuration, but the main one also depends on spring-jose classes via OAuth2AuthorizationServerPropertiesMapper:

java.lang.NoClassDefFoundError: org/springframework/security/oauth2/jose/jws/JwsAlgorithm
	at org.springframework.boot.autoconfigure.security.oauth2.server.servlet.OAuth2AuthorizationServerConfiguration.<init>(OAuth2AuthorizationServerConfiguration.java:41)
	at java.base/jdk.internal.reflect.DirectConstructorHandleAccessor.newInstance(DirectConstructorHandleAccessor.java:62)
	at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:502)
	at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:486)
	at org.springframework.beans.BeanUtils.instantiateClass(BeanUtils.java:209)

So I could manually disable the autoconfiguration and keep the dependencies, but I was wondering if you could make it a little more decoupled with some extra conditions somewhere?

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Apr 9, 2025
@wilkinsona
Member

Looking at OAuth2AuthorizationServerJwtAutoConfiguration, I think there are some bugs in its conditions at the moment. I've opened #45177.

Beyond that, it's hard to say what we could do with some extra conditions without knowing more about your situation. Could you please provide some more details about your app, its configuration properties, and its dependencies? The ideal would be a minimal sample and details of what you would and would not like it to auto-configure.

@wilkinsona wilkinsona added the status: waiting-for-feedback We need additional information before we can continue label Apr 14, 2025
@OrangeDog
Contributor Author

OrangeDog commented Apr 14, 2025

For example, a dependency of spring-boot-starter-oauth2-authorization-server:3.4.4.

You only need OAuth2AuthorizationServerJwtAutoConfiguration if:

  • OAuth2ResourceServerConfigurer.jwt() has been called without a JwtDecoder definition, or
  • There is a RegisteredClient that returns self-contained for its token format, and there's no JWKSource definition or custom OAuth2TokenGenerator.

Unfortunately, I don't think you can actually write conditions for any of that. Spring Security configuration will use beans by default, but you can also directly pass objects that aren't beans, triggering the need for other beans. Because Spring Boot ensures the JWKSource always exists, Spring Security generates a bunch more configuration with no way to disable it.

Note also that the autoconfigured JWKSource is completely unusable except for testing, as the key rotates every restart.
Suggestion: connect this to the SSLBundle system, so you can configure the keypair to use for the JWKSource, otherwise do not create the bean.

Theoretically it should be also possible to add exclusions for spring-security-oauth2-jose and nimbus-jose-jwt, but that is less important.

@wilkinsona
Member

Yeah, I don't think we could write conditions for that either.

OAuth2AuthorizationServerPropertiesMapper provides two different mapping capabilities, one for creating AuthorizationServerSettings and one for creating a list of RegisteredClients. Only the latter needs spring-security-oauth2-jose but neither capability can be used without spring-security-oauth2-jose as its absence prevents OAuth2AuthorizationServerPropertiesMapper from loading. Mapping to a RegisteredClient list isn't needed when there's a user-defined RegisteredClientRepository or no spring.security.oauth2.authorizationserver.client properties have been configured.

We could get OAuth2AuthorizationServerPropertiesMapper to work without spring-security-oauth2-jose fairly easily by splitting the mapper in two or by making it reference classes from spring-security-oauth2-jose more defensively, however I'm not sure that Authorization Server has been designed with such usage in mind. @jgrandja, before we do anything about this, can you confirm that it makes sense to offer some auto-configuration for authorization server without spring-security-oauth2-jose on the classpath? If it doesn't make sense and you consider spring-security-oauth2-jose to be a mandatory dependency, perhaps we need a property to control the auto-configuration of JWT-related beans?

@wilkinsona wilkinsona added status: waiting-for-internal-feedback An issue that needs input from a member or another Spring Team and removed status: waiting-for-feedback We need additional information before we can continue labels Apr 14, 2025
@jgrandja

@OrangeDog spring-security-oauth2-jose is required if OAuth2AuthorizationServerConfigurer.oidc() is configured or OAuth2AuthorizationServerConfigurer.oidc.clientRegistrationEndpoint() is configured. The OpenID Connect 1.0 UserInfo Endpoint and OpenID Connect 1.0 Client Registration Endpoint both require a JwtDecoder @Bean, as documented in Default Configuration.

If you are not using these endpoints then make sure you don't configure OAuth2AuthorizationServerConfigurer.oidc() and you can simply @SpringBootApplication(exclude = {OAuth2AuthorizationServerJwtAutoConfiguration.class}). I tried this with Demo Sample and it started successfully.

@wilkinsona wilkinsona added status: waiting-for-feedback We need additional information before we can continue and removed status: waiting-for-internal-feedback An issue that needs input from a member or another Spring Team labels May 13, 2025
@OrangeDog
Copy link
Contributor Author

@jgrandja you must have not actually removed the dependency, because OAuth2AuthorizationServerAutoConfiguration 100% requires it (in Boot 3.4.5), as shown by the exception in the issue description. So does OAuth2AuthorizationServerJackson2Module, but being able to exclude the dependencies isn't important.

Yes you can manually exclude OAuth2AuthorizationServerJwtAutoConfiguration to avoid the bean problems. This issue can probably be closed, as I don't think it's possible to do better with conditions.
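An added example (not code from the thread or from the Spring projects) of the workaround the discussion converges on: exclude OAuth2AuthorizationServerJwtAutoConfiguration so Boot never defines the per-restart JWKSource, keep spring-security-oauth2-jose on the classpath because OAuth2AuthorizationServerAutoConfiguration still loads JwsAlgorithm, and supply a RegisteredClientRepository whose client issues reference (opaque) tokens. The package name, client id and secret are constructed placeholders.

```java
package example; // hypothetical package

import java.util.UUID;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.autoconfigure.security.oauth2.server.servlet.OAuth2AuthorizationServerJwtAutoConfiguration;
import org.springframework.context.annotation.Bean;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.server.authorization.client.InMemoryRegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.settings.OAuth2TokenFormat;
import org.springframework.security.oauth2.server.authorization.settings.TokenSettings;

// Excluding the JWT auto-configuration stops Boot from declaring the
// JWKSource bean (whose key rotates on every restart), so Spring Security
// does not wire up the JWT encoder/decoder chain on top of it.
// spring-security-oauth2-jose stays on the classpath: the main
// OAuth2AuthorizationServerAutoConfiguration references JwsAlgorithm when
// it is constructed, which is the NoClassDefFoundError from the report.
@SpringBootApplication(exclude = OAuth2AuthorizationServerJwtAutoConfiguration.class)
public class OpaqueTokenAuthorizationServer {

    public static void main(String[] args) {
        SpringApplication.run(OpaqueTokenAuthorizationServer.class, args);
    }

    // A user-defined RegisteredClientRepository also means the properties
    // mapper never has to build a RegisteredClient list from
    // spring.security.oauth2.authorizationserver.client.* properties.
    @Bean
    RegisteredClientRepository registeredClientRepository() {
        RegisteredClient client = RegisteredClient.withId(UUID.randomUUID().toString())
                .clientId("opaque-client")          // constructed placeholder
                .clientSecret("{noop}change-me")    // constructed placeholder, stored unencoded
                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                .authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
                .scope("read")
                // REFERENCE is the opaque format: no self-contained token is
                // minted, so no JWKSource or JwtEncoder is needed to issue it.
                .tokenSettings(TokenSettings.builder()
                        .accessTokenFormat(OAuth2TokenFormat.REFERENCE)
                        .build())
                .build();
        return new InMemoryRegisteredClientRepository(client);
    }
}
```

Resource servers that consume these tokens validate them through the introspection endpoint rather than a JwtDecoder, so they need no JWK material either.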

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels May 13, 2025
@wilkinsona wilkinsona closed this as not planned Won't fix, can't repro, duplicate, stale May 13, 2025
@wilkinsona wilkinsona added status: declined A suggestion or change that we don't feel we should currently apply and removed status: waiting-for-triage An issue we've not yet triaged status: feedback-provided Feedback has been provided labels May 13, 2025