Summary

Our project will include the spring-security-oauth2-core and client libraries, which causes the OAuth2WebSecurityConfiguration class to create a WebSecurityConfigurationAdapter unless it finds one pre-configured.

Actual Behavior

This may seem sensible and works for simple use-cases, but one may wish to include the oauth2 library and not see oauth2 automatically enabled - for example if the ClientRegistrationRepository has discovered no ClientRegistration objects.

Expected Behavior

All that's required is a property and @Condition on the OAuth2WebSecurityConfiguration to disable the class when a property is set, perhaps spring.security.oauth2.client.disabled=true. Or a condition to verify that InMemoryClientRegistrationRepository.iterator().hasNext() is false. This would require a change to the ClientRegistrationRepository interface, perhaps a new method hasClients()?

Version

5.0.6

Comment From: jgrandja

@j-m-baker This is a Spring Boot specific feature so it should be logged here.

Spring Boot already provides the capability for disabling auto-configuration. See Disabling Specific Auto-configuration Classes.

The specific auto-configuration class you'll want to disable is OAuth2ClientAutoConfiguration or ReactiveOAuth2ClientAutoConfiguration.

Comment From: hohwille

For the record: I have the same need. For a specific test-environment scenario we need to be able to disable the OAuth2 / OIDC dynamically based on some configuration (e.g. in application.properties). The proposed workaround seems to only work in a static way (if hardcoded) and not dynamically. Did I miss something and is there some way to configure this via some System property or via application.properties?

Comment From: Elyviere

@hohwille Did you find a solution to this? I'm attempting to add OAuth to an app that's intended to be self-hosted, i.e. it should be possible to activate oidc but not a requirement. Currently, if I don't set valid oidc configuration in application.properties, the app doesn't even start.
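
One way an application can make OAuth2 login switchable from application.properties, shown as an added example that is not code from Spring Security, Spring Boot, or any participant in this thread. It assumes a Spring Boot 2.0 / Spring Security 5.0 servlet application; the property name app.security.oauth2.enabled and both class names are hypothetical. Defining its own adapter makes the auto-configured one back off, and the fallback keeps every request authenticated when OAuth2 is switched off.

```java
// Added example. "app.security.oauth2.enabled" is a hypothetical application
// property, not one defined by Spring Boot or Spring Security.
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Active only when the flag is explicitly set to true.
@Configuration
@EnableWebSecurity
@ConditionalOnProperty(name = "app.security.oauth2.enabled", havingValue = "true")
class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // oauth2Login() needs a ClientRegistrationRepository bean, so
        // spring.security.oauth2.client.registration.* must be configured
        // whenever the flag is on.
        http.authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .oauth2Login();
    }
}

// Active when the flag is false or absent, so turning OAuth2 off never
// leaves the application without an authentication requirement.
@Configuration
@EnableWebSecurity
@ConditionalOnProperty(name = "app.security.oauth2.enabled", havingValue = "false",
        matchIfMissing = true)
class LocalLoginSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Form login against whatever UserDetailsService the application
        // provides (assumption: one is available in the context).
        http.authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin();
    }
}
```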