
Allow disabling OAuth2 / OIDC provider discovery explicitly #42172

Open

Description

@delbertooo

I think it would be useful to disable the OAuth2 / OIDC discovery explicitly. At this moment this is possible implicitly by configuring every necessary detail of the client's registration and provider but skipping the provider's issuerUri. This disables the discovery via OAuth2ClientPropertiesMapper.

Why

  • Someone wants the service to not require the IdP to be available at startup.

  • Some code may need the issuerUri to function properly.

    In fact, there already is such code: Spring Security's OIDC back channel logout validates the provider's issuerUri in OidcBackChannelLogoutTokenValidator and ends up with an NPE if you did not set an issuerUri.

    So setting the issuerUri means you are forced to use discovery.
    Leaving it null means no working back channel logout, at least not with auto-configuration.

How?

I'm not quite sure. Maybe a new property:

# default (fallback) value: true
spring.security.oauth2.client.provider.MY_PROVIDER.discovery=false

Setting this to false would opt out of the discovery. The current behaviour should be kept as default.
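The implicit opt-out the issue describes, written out as an added example application.yml (not taken from the issue or from Spring Boot's documentation); the registration name, client credentials and IdP host are placeholders:

```yaml
spring:
  security:
    oauth2:
      client:
        registration:
          my-provider:
            provider: my-provider
            client-id: PLACEHOLDER_CLIENT_ID
            client-secret: PLACEHOLDER_CLIENT_SECRET
            authorization-grant-type: authorization_code
            redirect-uri: "{baseUrl}/login/oauth2/code/{registrationId}"
            scope: openid,profile,email
        provider:
          my-provider:
            # Every endpoint is pinned explicitly, so OAuth2ClientPropertiesMapper
            # has nothing to discover and the IdP need not be reachable at startup.
            authorization-uri: https://idp.example.com/oauth2/authorize
            token-uri: https://idp.example.com/oauth2/token
            jwk-set-uri: https://idp.example.com/oauth2/jwks
            user-info-uri: https://idp.example.com/userinfo
            user-name-attribute: sub
            # issuer-uri is deliberately left out: setting it triggers discovery,
            # but leaving it null leaves OidcBackChannelLogoutTokenValidator without
            # an issuer to check (the NPE described above), so back channel logout
            # does not work with this configuration.
            # issuer-uri: https://idp.example.com
```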
