
chore(springboot): upgrade to Spring Boot 4 / Spring Security 7 and fix 5 SDK bugs#248

Open

KomanRudden wants to merge 15 commits into main from chore/update-spring-boot-to-4.0.0

Conversation


@KomanRudden KomanRudden commented May 18, 2026

Contributor

Summary

Upgrades kinde-springboot-starter and kinde-springboot-core to Spring Boot 4.0.6, Spring Security 7.0.5 and the Java 25 toolchain (Java 17+ runtime baseline).

Beyond the framework bump, live end-to-end testing against a real Kinde tenant uncovered five real SDK bugs that prevented every Kinde-on-Spring-Boot user from getting a working setup. All five are fixed here.

Bugs found and fixed

  1. Missing OAuth2 starters in kinde-springboot-starter. Spring Boot 4 split OAuth2 auto-configuration out of spring-boot-autoconfigure into dedicated starters; the starter pom did not follow.
    Symptom previously: NoClassDefFoundError for OAuth2ClientProperties on startup.

  2. Token-exchange RestClient was missing required converters. The custom RestClient that talks to Kinde's /token endpoint did not register FormHttpMessageConverter, OAuth2AccessTokenResponseHttpMessageConverter or OAuth2ErrorResponseErrorHandler — all of which Spring Security 7 now requires.
    Symptom previously: NullPointerException during the OIDC login callback, browser ends up in a redirect loop.

  3. JWT audience validator rejected every default Kinde token. The validator was hardcoded with the Okta sample default "api://default" and always enforced. Real Kinde access tokens carry an empty aud array until you explicitly configure an API resource on the dashboard. Audience checking is now opt-in (enforced only when kinde.oauth2.audience is set).
    Symptom previously: 401 "This aud claim is not equal to the configured audience" on every Bearer-token-protected endpoint.

  4. RP-Initiated logout never wired up. The OidcClientInitiatedLogoutSuccessHandler bean was conditional on a property named okta.oauth2.post-logout-redirect-uri — a leftover from the Okta fork this code descends from. Same typo existed in the reactive variant. Both conditionals are now kinde.oauth2.post-logout-redirect-uri, which KindeOAuth2Configurer wires into every HttpSecurity via META-INF/spring.factories.

  5. Spring Security 6 → 7 source incompatibilities in tests. Removed and renamed APIs updated. 5 new TokenUtilTest cases added covering the audience-opt-in behaviour and a wrong-issuer regression.

Test plan

  • mvn -fae verify from repo root — 16/16 modules SUCCESS
  • mvn -N test in kinde-springboot-core: 52/52 tests pass (incl. 5 new ones)
  • Servlet oauth2Login end-to-end against live Kinde tenant — login round-trip works
  • Reactive oauth2Login with PKCE force-enabled — login round-trip works in WebFlux app
  • Thymeleaf full example (custom OIDC user service, role-based @PreAuthorize, dashboard, account portal) — all routes work
  • Resource-server JWT path: GET /api/me with a real Bearer token returns 200 with both SCOPE_* and Kinde permissions merged into Spring authorities
  • Sign-up flow: /registration correctly propagates prompt=create to the Kinde authorize URL
  • Invitation code flow: ?invitation_code=... correctly propagates invitation_code + is_invitation=true to the Kinde authorize URL
  • RP-Initiated logout — browser-confirmed: POST /logout → 302 to https://<tenant>.kinde.com/logout?id_token_hint=…&post_logout_redirect_uri=… → 302 back, fully logged out
  • Reactive JWT decoder — programmatic probe constructs the exact bean the auto-config builds and decodes a real Kinde JWT against the live JWKS endpoint (WebClient + signature + validator path all green)

Reviewer notes

Behaviour changes downstream users should be aware of

These are documented in MIGRATION.md:

  • kinde.oauth2.audience is now opt-in. If you previously relied on the implicit "api://default" default, set the property explicitly. (Highly unlikely to affect anyone — the previous default rejected every valid Kinde token.)
  • okta.oauth2.post-logout-redirect-uri → kinde.oauth2.post-logout-redirect-uri. Same rename for the reactive variant.
  • Java 17+ required at runtime (Spring Boot 4 baseline). SDK is built on JDK 25, targets JDK 17 bytecode.

Playground changes

  • kinde-springboot-starter-example gained a small Bearer-only SecurityFilterChain plus ApiController and DebugController so contributors can verify the resource-server path in seconds with a curl. DebugController is gated behind oauth2Login and clearly not for production.
  • kinde-springboot-pkce-client-example yaml renamed the registration id from pkce to kinde so the default callback /login/oauth2/code/kinde matches the redirect URI registered on the Kinde dashboard.
  • kinde-springboot-thymeleaf-full-example application.properties had hardcoded tenant URLs (koman.kinde.com) — now parameterised via ${KINDE_PREFIX}, matching the rest of the file.
  • .env example refreshed with placeholder values for new contributors.

Other cleanup included in this PR (separate commits, no behaviour change)

  • New kinde-report-aggregate/README.md explaining what that previously-mysterious module does (JaCoCo coverage aggregator).
  • Removed empty src/main/java/com/example/demo/controller/MainController.java at repo root (a Spring Initializr leftover, never referenced).
  • Sweep of stale "Okta" terminology in comments, log messages, javadoc and one PropertySource name.

Summary by CodeRabbit

  • New Features

    • JWT-protected /api endpoints, /debug token-inspection endpoint, dedicated API security chain, and RP-initiated OIDC logout support.
  • Improvements

    • Centralized/upgraded Spring Boot, Spring Security and JUnit via BOMs; modernized servlet/reactive security DSL and OAuth2 wiring; audience validation enforced only when configured; proxy-aware HTTP client and improved token endpoint resolution; Kinde-specific property/docs clarifications.
  • Tests

    • Expanded focused unit tests across OAuth2 flows, resource-server branches and JWT audience/issuer cases; removed debug prints.
  • Chores

    • Cleaned build/config comments and plugin bindings (Jacoco/compile settings).

KomanRudden and others added 3 commits May 18, 2026 05:43
…ix 5 SDK bugs (token exchange RestClient, audience validator, RP-Initiated logout conditional, starter OAuth2 starters, test API renames)

Co-authored-by: Cursor <cursoragent@cursor.com>
Adds a README to kinde-report-aggregate clarifying that it is not a
library but a JaCoCo coverage aggregator following the official JaCoCo
example recipe. Covers: why a dedicated module is needed
(jacoco:report-aggregate can only read .exec files from declared deps),
how to run it (mvn verify), where the output lands, how CI consumes it,
why the empty ReportTest.java exists, and the artifactId/excludeArtifact
contract with the root pom.

Co-authored-by: Cursor <cursoragent@cursor.com>
Tidy-up pass over things noticed after the Spring Boot 4 upgrade landed.
No behaviour change.

  * playground/thymeleaf-full application.properties: replace hardcoded
    https://koman.kinde.com URIs with ${KINDE_PREFIX} parameterisation
    (consistent with the rest of the file) and drop the unused logout-uri
    property (no Java code reads it).

  * KindeOAuth2Properties javadoc: fix the misleading WebFlux redirect
    URI note (it is not always /login/oauth2/code/okta - the path is
    derived from the registration id, which is "kinde" for Kinde apps)
    and replace the oktapreview.com example for the "domain" property
    with a Kinde-shaped one.

  * UserUtil: rename "Okta reg" -> "Kinde registration" in comments.

  * TokenUtil: drop "Okta" prefix from the isRootOrgIssuer log messages.
    They still describe the same two cases (custom vs root/org issuer)
    but no longer claim it as Okta-specific terminology.

  * KindeOAuth2PropertiesMappingEnvironmentPostProcessor: rename the
    "okta-scope-remaper" property source to "kinde-scope-remapper"
    (also fixes a typo) and update an inline comment.

  * MIGRATION.md: add a "V 2.x (Spring Boot 3) to V 2.2 (Spring Boot 4)"
    section covering the Java 17 baseline, the audience-validator
    opt-in behaviour change, the okta.* -> kinde.* logout property
    rename, the new transitive deps in kinde-springboot-starter, and a
    pointer to the Spring Security 7 migration guide.

Verified: kinde-springboot-core tests still 52/52 green.
Co-authored-by: Cursor <cursoragent@cursor.com>
@KomanRudden KomanRudden requested review from a team as code owners May 18, 2026 04:07

coderabbitai Bot commented May 18, 2026

Contributor

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


Walkthrough

Centralize BOM/version management for Spring Boot 4 and Spring Security 7; migrate servlet and reactive security DSLs to Customizer lambda style; replace RestTemplate token exchange with RestClient; add RestClient builder; update Kinde properties/docs and imports; expand tests and add playground API/debug endpoints.

Changes

Spring Boot 4 and Spring Security 7 Upgrade

Layer / File(s) / Summary

Dependency and Build Configuration Management
  Files: kinde-springboot/kinde-springboot-core/pom.xml, kinde-springboot/kinde-springboot-starter/pom.xml, playground/*/pom.xml, pom.xml
  Summary: Centralize Maven properties and dependencyManagement importing Spring Boot and Spring Security BOMs; pin JUnit Jupiter and Jackson BOM; remove explicit versions from managed Spring artifacts; tidy Jacoco and compiler plugin configuration; pin Guice/Guava/Lombok where applicable.

Servlet OAuth2 Security DSL Migration
  Files: kinde-springboot-core/src/main/java/com/kinde/spring/Kinde.java, kinde-springboot-core/src/main/java/com/kinde/spring/KindeOAuth2AutoConfig.java
  Summary: Refactor servlet OAuth2 login and authorization-endpoint wiring to use Spring Security 7 lambda-style DSL (Customizer callbacks) and update authorizationRequestResolver wiring and conditional property names.

KindeOAuth2Configurer Refactor & Token Exchange
  Files: kinde-springboot-core/src/main/java/com/kinde/spring/KindeOAuth2Configurer.java
  Summary: Remove checked exceptions from init, use lambda DSL for logout and resource-server, consolidate reflective field access into Optional-returning helpers, add unsetJwtConfigurer, and migrate authorization-code token exchange from RestTemplate/DefaultAuthorizationCodeTokenResponseClient to RestClient/RestClientAuthorizationCodeTokenResponseClient.

OAuth2ResourceServerAutoConfig RestClient Builder
  Files: kinde-springboot-core/src/main/java/com/kinde/spring/KindeOAuth2ResourceServerAutoConfig.java
  Summary: Introduce restClient(...) builder returning a Spring Security 7 RestClient configured with proxy, Kinde interceptors, optional basic auth, OAuth2 token message converters, and OAuth2 error handler; simplify restTemplate initialization.

Reactive OAuth2 Security DSL Migration
  Files: kinde-springboot-core/src/main/java/com/kinde/spring/ReactiveKindeOAuth2AutoConfig.java, ReactiveKindeOAuth2ResourceServerHttpServerAutoConfig.java, ReactiveKindeOAuth2ServerHttpServerAutoConfig.java
  Summary: Refactor reactive ServerHttpSecurity/SecurityWebFilterChain configurations to lambda-style DSL, update @AutoConfigureBefore targets, and simplify JWT decoder/customizer wiring.

OAuth2ResourceServerProperties Import Updates
  Files: kinde-springboot-core/src/main/java/com/kinde/spring/ReactiveKindeOAuth2ResourceServerAutoConfig.java
  Summary: Update import/parameter type to Spring Boot's org.springframework.boot.security.oauth2.server.resource.autoconfigure.OAuth2ResourceServerProperties.

Kinde-Specific Configuration and Branding Updates
  Files: kinde-springboot-core/src/main/java/com/kinde/spring/config/KindeOAuth2Properties.java, TokenUtil.java, UserUtil.java, KindeOAuth2AutoConfig.java, env/KindeOAuth2PropertiesMappingEnvironmentPostProcessor.java
  Summary: Remove default audience initializer (now null), expand Javadoc for redirectUri/domain/audience, change Okta property keys/names to Kinde equivalents, update scope-remapper name, and adjust issuer/user-decoration logging/guards to Kinde wording.

Tests and Mocking Adjustments
  Files: kinde-springboot-core/src/test/java/com/kinde/spring/*
  Summary: Update tests to match Spring Security 7 Customizer DSL: adjust imports, apply Customizer arguments when mocking DSL, replace monolithic tests with focused init-path and resource-server tests, add RestClient/RestTemplate proxy tests, and strengthen reactive/security filter-chain tests.

TokenUtil Test Expansion
  Files: kinde-springboot-core/src/test/java/com/kinde/spring/TokenUtilTest.java
  Summary: Replace single validator test with multiple focused tests covering null/blank/configured audience behavior, absent aud claim handling, and wrong-issuer rejection; add jwt(...) helper.

Playground Examples — API & Debug Endpoints
  Files: playground/kinde-springboot-starter-example/src/main/java/...
  Summary: Add an apiSecurityFilterChain for /api/** with JWT resource-server auth, stateless sessions, CSRF disabled, and 401 entry point; add ApiController (/api/me, /api/permissions) and DebugController (/debug/token); update ErrorController import to webmvc.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Poem

🐰 I hopped through POMs and security trees,

Swapped RestTemplate for a RestClient breeze,
Lambda callbacks now guide the login dance,
Kinde docs and tests got a proper glance,
A merry nibble — the upgrade takes a chance!


@KomanRudden KomanRudden changed the title Chore/update spring boot to 4.0.0 chore(springboot): upgrade to Spring Boot 4 / Spring Security 7 and fix 5 SDK bugs May 18, 2026

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 3

🧹 Nitpick comments (4)
kinde-springboot/kinde-springboot-core/src/test/java/com/kinde/spring/TokenUtilTest.java (1)

41-44: 💤 Low value

Consider removing redundant test.

The original testJwtValidator method provides minimal coverage (only verifies no exception is thrown). The new comprehensive test suite (lines 46-103) thoroughly covers JWT validation behavior with multiple scenarios and assertions, making this test redundant.

♻️ Suggested cleanup
-    `@Test`
-    public void testJwtValidator() throws Exception {
-        TokenUtil.jwtValidator("Kinde","test.com");
-    }
-
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@kinde-springboot/kinde-springboot-core/src/test/java/com/kinde/spring/TokenUtilTest.java`
around lines 41 - 44, Remove the redundant no-op test method testJwtValidator in
TokenUtilTest: delete the `@Test` method that simply calls
TokenUtil.jwtValidator("Kinde","test.com") since the newer tests (lines covering
46-103) already exercise JWT validation with assertions; this cleanup keeps the
test suite focused and avoids duplicate/meaningless checks while leaving other
TokenUtil-related tests intact.
kinde-springboot/kinde-springboot-core/src/test/java/com/kinde/spring/KindeOAuth2ConfigurerTest.java (1)

27-36: 💤 Low value

Consider adding negative assertions to strengthen noop verification.

The test verifies that init doesn't throw when no KindeOAuth2Properties beans exist, but it doesn't assert that the configurer actually short-circuits. Adding a verification that OAuth2-related methods on HttpSecurity are NOT called would provide stronger confidence that the noop path is taken.

🔍 Optional enhancement with negative verification
     configurer.init(httpSecurity);
+    
+    // Verify that oauth2Login was never called (confirming short-circuit)
+    verify(httpSecurity, never()).oauth2Login(any());
 }
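Review bot: `verify`, `never()` and `any()` in this snippet rely on Mockito static imports (`org.mockito.Mockito.verify`, `org.mockito.Mockito.never`, `org.mockito.ArgumentMatchers.any`) that the hunk does not show, and the first added line is whitespace-only, which most lint setups flag as trailing whitespace; make it an empty `+` line instead. Since the coverage commit further down this page says KindeOAuth2Configurer.init() also drives http.logout() and http.oauth2ResourceServer(), adding `never()` verifications for those two entry points would pin the short-circuit more firmly than oauth2Login alone.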
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@kinde-springboot/kinde-springboot-core/src/test/java/com/kinde/spring/KindeOAuth2ConfigurerTest.java`
around lines 27 - 36, Add negative verifications to the test so it asserts init
actually short-circuits: after calling KindeOAuth2Configurer.init(httpSecurity)
verify that OAuth2-related configuration methods on the mocked HttpSecurity were
not invoked (for example verify(httpSecurity, never()).oauth2Login() and
verify(httpSecurity, never()).oauth2Client() or other OAuth2 entry points used
by KindeOAuth2Configurer). This ensures the noop path is validated in addition
to "no exception" behavior.
kinde-springboot/kinde-springboot-starter/pom.xml (1)

108-121: ⚡ Quick win

Use the Boot 4 starter names here.

Spring Boot 4.0.6 documents spring-boot-starter-oauth2-client and spring-boot-starter-oauth2-resource-server as deprecated in favor of spring-boot-starter-security-oauth2-client and spring-boot-starter-security-oauth2-resource-server. Publishing the old coordinates from this starter pushes deprecated dependencies onto every consumer. (docs.spring.io)

♻️ Proposed fix
     <dependency>
       <groupId>org.springframework.boot</groupId>
-      <artifactId>spring-boot-starter-oauth2-client</artifactId>
+      <artifactId>spring-boot-starter-security-oauth2-client</artifactId>
     </dependency>
     <dependency>
       <groupId>org.springframework.boot</groupId>
-      <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
+      <artifactId>spring-boot-starter-security-oauth2-resource-server</artifactId>
     </dependency>
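Review bot: the replacement artifactIds carry no <version>, so they resolve only if the spring-boot-dependencies 4.0.6 BOM imported from kinde-springboot-core manages them; confirm with `mvn dependency:tree` on the starter before publishing. The PR description also says MIGRATION.md documents the new transitive deps in kinde-springboot-starter, so that section needs the same rename in the same change.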
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@kinde-springboot/kinde-springboot-starter/pom.xml` around lines 108 - 121,
Replace the deprecated Spring Boot 4 artifactIds in the POM: change the
dependency artifactId "spring-boot-starter-oauth2-client" to
"spring-boot-starter-security-oauth2-client" and change
"spring-boot-starter-oauth2-resource-server" to
"spring-boot-starter-security-oauth2-resource-server" so consumers of this
starter do not inherit deprecated coordinates; keep the same groupId
(org.springframework.boot) and other dependency elements intact.
kinde-springboot/kinde-springboot-core/pom.xml (1)

72-97: ⚡ Quick win

Remove the per-artifact Jackson pins.

spring-boot-dependencies 4.0.6 already manages jackson-annotations at 2.21 and the rest of this Jackson family at 2.21.2, so restating each artifact here just creates another place for version drift during the next Boot/Jackson bump. (docs.spring.io)

♻️ Proposed simplification
       <dependency>
         <groupId>com.fasterxml.jackson</groupId>
         <artifactId>jackson-bom</artifactId>
         <version>2.21.2</version>
         <type>pom</type>
         <scope>import</scope>
       </dependency>
-      <dependency>
-        <groupId>com.fasterxml.jackson.core</groupId>
-        <artifactId>jackson-core</artifactId>
-        <version>2.21.2</version>
-      </dependency>
-      <dependency>
-        <groupId>com.fasterxml.jackson.core</groupId>
-        <artifactId>jackson-annotations</artifactId>
-        <!-- jackson-annotations dropped the patch number in 2.21. -->
-        <version>2.21</version>
-      </dependency>
-      <dependency>
-        <groupId>com.fasterxml.jackson.core</groupId>
-        <artifactId>jackson-databind</artifactId>
-        <version>2.21.2</version>
-      </dependency>
-      <dependency>
-        <groupId>com.fasterxml.jackson.datatype</groupId>
-        <artifactId>jackson-datatype-joda</artifactId>
-        <version>2.21.2</version>
-      </dependency>
-      <dependency>
-        <groupId>com.fasterxml.jackson.datatype</groupId>
-        <artifactId>jackson-datatype-jsr310</artifactId>
-        <version>2.21.2</version>
-      </dependency>
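Review bot: this hunk removes only the per-artifact pins and keeps the explicit jackson-bom import at 2.21.2, so Jackson is still pinned outside spring-boot-dependencies and can drift at the next Boot bump exactly as the comment warns; either drop the jackson-bom import as well and rely on the Boot BOM, or keep it and add a one-line POM comment saying why the override is intentional. The deleted comment about jackson-annotations dropping its patch number in 2.21 is the only record of that quirk, so carry it over next to whatever pin survives.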
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@kinde-springboot/kinde-springboot-core/pom.xml` around lines 72 - 97, The POM
currently hard-pins Jackson artifacts (jackson-core, jackson-annotations,
jackson-databind, jackson-datatype-joda, jackson-datatype-jsr310) which
duplicates versions already provided by spring-boot-dependencies; remove the
explicit <version> elements for those <dependency> entries (or remove the
dependency entries entirely if they are unused) so the BOM-managed versions are
used instead, keeping the artifactId/groupId entries (e.g., jackson-core,
jackson-annotations, jackson-databind, jackson-datatype-joda,
jackson-datatype-jsr310) to let Spring Boot manage the versions and avoid future
drift.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@kinde-springboot/kinde-springboot-core/src/main/java/com/kinde/spring/KindeOAuth2Configurer.java`:
- Around line 41-45: The null-checks on issuer and client id are unsafe because
getIssuerUri() and getClientId() can be null; update the condition in
KindeOAuth2Configurer to use null-safe checks (e.g., Spring's
StringUtils.hasText(...) or explicit null + empty checks) for
propertiesProvider.getIssuerUri() and propertiesRegistration.getClientId(), and
keep the existing null checks for propertiesProvider and propertiesRegistration;
ensure you call StringUtils.hasText(propertiesProvider.getIssuerUri()) and
StringUtils.hasText(propertiesRegistration.getClientId()) (or equivalent != null
&& !isEmpty()) instead of .isEmpty() to avoid NPEs.

In
`@kinde-springboot/kinde-springboot-core/src/main/java/com/kinde/spring/TokenUtil.java`:
- Around line 80-85: The validators lambda currently calls
Collections.disjoint(token.getAudience(), expectedAudience) without checking for
null, which can throw when token.getAudience() is null; update the validator
(the lambda added to validators) to first obtain the audience into a local
variable (e.g., List<String> tokenAudience = token.getAudience()) and treat null
as empty (or explicitly return
OAuth2TokenValidatorResult.failure(INVALID_AUDIENCE) when tokenAudience is null
or empty) before calling Collections.disjoint; ensure the final return still
yields OAuth2TokenValidatorResult.success() when there is an intersection and
OAuth2TokenValidatorResult.failure(INVALID_AUDIENCE) otherwise.

In
`@kinde-springboot/kinde-springboot-core/src/main/java/com/kinde/spring/UserUtil.java`:
- Line 54: The check in UserUtil using
userRequest.getClientRegistration().getRegistrationId() is currently
case-sensitive while the OAuth2 path uses a case-insensitive rule; update the
comparison in the UserUtil decorate branch to use a case-insensitive match
(e.g., compare lowercase or use equalsIgnoreCase) against "kinde" so both
decorate paths use the same registration-id matching logic and ensure any other
decoration branch that checks the registrationId follows the same
equalsIgnoreCase approach.

📥 Commits

Reviewing files that changed from the base of the PR and between 0b3869f and a46c722.

⛔ Files ignored due to path filters (8)
  • .gitignore is excluded by none and included by none
  • MIGRATION.md is excluded by !**/*.md and included by none
  • kinde-report-aggregate/README.md is excluded by !**/README.md, !**/*.md and included by none
  • playground/kinde-springboot-pkce-client-example/src/main/resources/application.yaml is excluded by !**/application.yaml and included by **/*.yaml
  • playground/kinde-springboot-starter-example/src/main/resources/application.yaml is excluded by !**/application.yaml and included by **/*.yaml
  • playground/kinde-springboot-starter-example/src/main/resources/templates/home.html is excluded by none and included by none
  • playground/kinde-springboot-thymeleaf-full-example/.env is excluded by none and included by none
  • playground/kinde-springboot-thymeleaf-full-example/src/main/resources/application.properties is excluded by !**/application.properties and included by none
📒 Files selected for processing (29)
  • kinde-springboot/kinde-springboot-core/pom.xml
  • kinde-springboot/kinde-springboot-core/src/main/java/com/kinde/spring/Kinde.java
  • kinde-springboot/kinde-springboot-core/src/main/java/com/kinde/spring/KindeOAuth2AutoConfig.java
  • kinde-springboot/kinde-springboot-core/src/main/java/com/kinde/spring/KindeOAuth2Configurer.java
  • kinde-springboot/kinde-springboot-core/src/main/java/com/kinde/spring/KindeOAuth2ResourceServerAutoConfig.java
  • kinde-springboot/kinde-springboot-core/src/main/java/com/kinde/spring/ReactiveKindeOAuth2AutoConfig.java
  • kinde-springboot/kinde-springboot-core/src/main/java/com/kinde/spring/ReactiveKindeOAuth2ResourceServerAutoConfig.java
  • kinde-springboot/kinde-springboot-core/src/main/java/com/kinde/spring/ReactiveKindeOAuth2ResourceServerHttpServerAutoConfig.java
  • kinde-springboot/kinde-springboot-core/src/main/java/com/kinde/spring/ReactiveKindeOAuth2ServerHttpServerAutoConfig.java
  • kinde-springboot/kinde-springboot-core/src/main/java/com/kinde/spring/TokenUtil.java
  • kinde-springboot/kinde-springboot-core/src/main/java/com/kinde/spring/UserUtil.java
  • kinde-springboot/kinde-springboot-core/src/main/java/com/kinde/spring/config/KindeOAuth2Properties.java
  • kinde-springboot/kinde-springboot-core/src/main/java/com/kinde/spring/env/KindeOAuth2PropertiesMappingEnvironmentPostProcessor.java
  • kinde-springboot/kinde-springboot-core/src/test/java/com/kinde/spring/KindeOAuth2AutoConfigTest.java
  • kinde-springboot/kinde-springboot-core/src/test/java/com/kinde/spring/KindeOAuth2ConfigurerTest.java
  • kinde-springboot/kinde-springboot-core/src/test/java/com/kinde/spring/KindeOAuth2ResourceServerAutoConfigTest.java
  • kinde-springboot/kinde-springboot-core/src/test/java/com/kinde/spring/KindeTest.java
  • kinde-springboot/kinde-springboot-core/src/test/java/com/kinde/spring/ReactiveKindeOAuth2ResourceServerAutoConfigTest.java
  • kinde-springboot/kinde-springboot-core/src/test/java/com/kinde/spring/TokenUtilTest.java
  • kinde-springboot/kinde-springboot-starter/pom.xml
  • playground/kinde-springboot-pkce-client-example/pom.xml
  • playground/kinde-springboot-starter-example/pom.xml
  • playground/kinde-springboot-starter-example/src/main/java/com/kinde/spring/KindeClientApplication.java
  • playground/kinde-springboot-starter-example/src/main/java/com/kinde/spring/config/SecurityConfig.java
  • playground/kinde-springboot-starter-example/src/main/java/com/kinde/spring/controllers/ApiController.java
  • playground/kinde-springboot-starter-example/src/main/java/com/kinde/spring/controllers/DebugController.java
  • playground/kinde-springboot-thymeleaf-full-example/pom.xml
  • playground/kinde-springboot-thymeleaf-full-example/src/main/java/com/kinde/oauth/config/KindeErrorController.java
  • src/main/java/com/example/demo/controller/MainController.java
💤 Files with no reviewable changes (2)
  • playground/kinde-springboot-starter-example/src/main/java/com/kinde/spring/KindeClientApplication.java
  • kinde-springboot/kinde-springboot-core/src/test/java/com/kinde/spring/KindeOAuth2AutoConfigTest.java

Pulls v2.3.0 + the spring-boot-starter-actuator 3.5.14 Snyk fix +
swagger-annotations 2.2.50 + spring-security 6.5.10 from main.

Conflict resolution for the 4 pom files (kinde-springboot-core,
kinde-springboot-starter, kinde-springboot-starter-example,
kinde-springboot-thymeleaf-full-example) is "keep the Spring Boot 4
upgrade": main's explicit Spring Boot 3.5.x / Spring Security 6.5.10
version pins are dropped in favour of inheriting from the SB4 /
Security 7 BOMs imported in kinde-springboot-core. The Snyk-driven
actuator 3.5.14 pin is superseded by Spring Boot 4.0.6 (actuator
4.0.6 is newer and not affected by the original CVE).

Took main's maven-compiler-plugin 3.15.0 bump.

Verified: mvn -fae verify - 16/16 modules SUCCESS, 52/52
kinde-springboot-core tests green.

Co-authored-by: Cursor <cursoragent@cursor.com>

@KomanRudden


@coderabbitai review


coderabbitai Bot commented May 18, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

- KindeOAuth2Configurer: use StringUtils.hasText() on getIssuerUri() /
  getClientId() instead of !isEmpty() so a partially-configured registration
  falls through to the "not configured" log branch instead of NPE'ing.
- TokenUtil.jwtValidator: handle null/empty Jwt.getAudience() explicitly in
  the audience validator. A token whose aud claim is absent (not just empty)
  now returns OAuth2TokenValidatorResult.failure(INVALID_AUDIENCE) instead
  of throwing NPE inside Collections.disjoint.
- TokenUtilTest: regression test for the absent-aud-claim case.
- UserUtil: OIDC decorateUser now matches the registration id with
  equalsIgnoreCase("kinde") so it agrees with the OAuth2 overload (was
  case-sensitive .equals).

Validated: mvn -pl kinde-springboot/kinde-springboot-core test - 53/53 pass.
…config

Cover the previously-uncovered branches that Codecov flagged on PR #248:
- KindeOAuth2ResourceServerAutoConfig.restClient()/restTemplate() proxy
  paths (no proxy / proxy host+port / proxy host+port+credentials).
- KindeOAuth2Configurer.init() full DSL flow: drive the Customizer
  lambdas passed to http.oauth2Login(), http.logout(), and
  http.oauth2ResourceServer() through Mockito Answers so the lambda
  bodies (tokenEndpoint, redirectionEndpoint, jwt, opaqueToken,
  logoutSuccessHandler) execute under JaCoCo. Covers the early-return
  branches (missing provider/registration, blank issuer/clientId), the
  happy path, the redirect-uri property branch, the OIDC RP-Initiated
  logout branch, the JWT resource-server branch, and the opaque-token
  branch including unsetJwtConfigurer().

Line coverage (kinde-springboot-core):
- KindeOAuth2ResourceServerAutoConfig:  4% -> 100%
- KindeOAuth2Configurer:                7% ->  88%
- KindeOAuth2AutoConfig:                0% -> 100%

67/67 tests pass (mvn -pl kinde-springboot/kinde-springboot-core test).
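The null-safe audience check described in the commit message above, as an added example rather than the SDK's own TokenUtil code: the class name NullSafeAudienceValidator, the helper jwtValidator and the configuredAudience parameter are assumptions. It also shows the opt-in wiring, adding the audience check only when an audience is configured.

```java
import java.util.Collections;
import java.util.List;

import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.util.StringUtils;

/** Audience validator that treats an absent or empty aud claim as a failure, not an NPE. */
public final class NullSafeAudienceValidator implements OAuth2TokenValidator<Jwt> {

    // Mirrors the INVALID_AUDIENCE result named in the commit message; the error text is ours.
    private static final OAuth2Error INVALID_AUDIENCE = new OAuth2Error(
            OAuth2ErrorCodes.INVALID_TOKEN,
            "The aud claim does not contain the configured audience",
            null);

    private final List<String> requiredAudiences;

    public NullSafeAudienceValidator(List<String> requiredAudiences) {
        this.requiredAudiences = List.copyOf(requiredAudiences);
    }

    @Override
    public OAuth2TokenValidatorResult validate(Jwt jwt) {
        // Jwt.getAudience() returns null when the claim is missing entirely and an
        // empty list for "aud": []; Collections.disjoint throws on null, so guard first.
        List<String> audience = jwt.getAudience();
        if (audience == null || audience.isEmpty()) {
            return OAuth2TokenValidatorResult.failure(INVALID_AUDIENCE);
        }
        return Collections.disjoint(audience, requiredAudiences)
                ? OAuth2TokenValidatorResult.failure(INVALID_AUDIENCE)
                : OAuth2TokenValidatorResult.success();
    }

    /**
     * Opt-in wiring (assumed helper name): default Kinde tokens carry an empty aud,
     * so the audience check is only added when an audience has been configured.
     */
    public static OAuth2TokenValidator<Jwt> jwtValidator(String issuer, String configuredAudience) {
        OAuth2TokenValidator<Jwt> defaults = JwtValidators.createDefaultWithIssuer(issuer);
        if (!StringUtils.hasText(configuredAudience)) {
            return defaults;
        }
        return new DelegatingOAuth2TokenValidator<>(defaults,
                new NullSafeAudienceValidator(List.of(configuredAudience.trim())));
    }

    public static void main(String[] args) {
        // Constructed token with no aud claim at all: must fail cleanly instead of NPE'ing.
        Jwt noAud = Jwt.withTokenValue("constructed").header("alg", "none").claim("sub", "user").build();
        // Constructed token whose aud contains the configured audience: must pass.
        Jwt withAud = Jwt.withTokenValue("constructed").header("alg", "none")
                .claim("sub", "user").audience(List.of("https://api.example.test")).build();
        NullSafeAudienceValidator validator =
                new NullSafeAudienceValidator(List.of("https://api.example.test"));
        System.out.println("absent aud rejected: " + validator.validate(noAud).hasErrors());
        System.out.println("matching aud rejected: " + validator.validate(withAud).hasErrors());
    }
}
```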
@dtoxvanilla1991

Copy link
Copy Markdown
Contributor

@copilot fix snyk security CI test failure root cause if possible

Copilot AI commented May 18, 2026


@copilot fix snyk security CI test failure root cause if possible

Investigated this on 8b4e4f4. GitHub Actions for the PR are green and there isn’t a failing Snyk job/check attached to the PR. The only Snyk-related issue I could trace was the earlier actuator finding already covered by 61ae880 when main was merged; this branch resolves spring-boot-starter-actuator to 4.0.6, which supersedes the old 3.5.14 Snyk fix path. I also spot-checked the upgraded Spring Boot/Spring Security coordinates against GitHub Advisory DB / public Snyk data and didn’t find an additional vulnerability to fix in-code here.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • burntjam.kinde.com
    • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java -javaagent:/home/REDACTED/.m2/repository/org/jacoco/org.jacoco.agent/0.8.14/org.jacoco.agent-0.8.14-runtime.jar=destfile=/home/REDACTED/work/kinde-java-sdk/kinde-java-sdk/kinde-core/target/jacoco.exec,includes=com/kinde/**,excludes=com/google/inject/**/*.clas (dns block)
  • your-domain.kinde.com
    • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java -javaagent:/home/REDACTED/.m2/repository/org/jacoco/org.jacoco.agent/0.8.14/org.jacoco.agent-0.8.14-runtime.jar=destfile=/home/REDACTED/work/kinde-java-sdk/kinde-java-sdk/kinde-core/target/jacoco.exec,includes=com/kinde/**,excludes=com/google/inject/**/*.clas (dns block)


@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (2)
kinde-springboot/kinde-springboot-core/src/test/java/com/kinde/spring/KindeOAuth2ResourceServerAutoConfigTest.java (2)

35-35: ⚡ Quick win

Remove debug stdout from test bean setup.

System.out.println in test configuration adds CI log noise without test value.

Suggested cleanup
         public KindeOAuth2ResourceServerAutoConfig kindeOAuth2ResourceServerAutoConfig() {
-            System.out.println("Hello 3");
             KindeOAuth2ResourceServerAutoConfig kindeOAuth2ResourceServerAutoConfig = new KindeOAuth2ResourceServerAutoConfig();
             return kindeOAuth2ResourceServerAutoConfig;
         }

As per coding guidelines, "Please focus on: 1. Code quality and best practices".

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@kinde-springboot/kinde-springboot-core/src/test/java/com/kinde/spring/KindeOAuth2ResourceServerAutoConfigTest.java`
at line 35, Remove the debugging stdout call from the test setup by deleting the
System.out.println("Hello 3") statement found in
KindeOAuth2ResourceServerAutoConfigTest; ensure no other leftover
System.out/print calls remain in the test configuration or bean setup so CI logs
are clean and tests rely only on assertions and logs via the test framework.

66-133: ⚡ Quick win

Proxy-branch tests are too weak to catch wiring regressions.

All new branch tests only check non-null instances, which will still pass if proxy host/port/credentials are ignored. Please assert observable proxy behavior per branch (e.g., configured proxy/auth on the resulting client objects).

As per coding guidelines, "Please focus on: 4. Test coverage and quality".

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@kinde-springboot/kinde-springboot-core/src/test/java/com/kinde/spring/KindeOAuth2ResourceServerAutoConfigTest.java`
around lines 66 - 133, The tests only assert non-null clients but not that proxy
settings were applied; update the test methods that call
KindeOAuth2ResourceServerAutoConfig.restClient(...) and .restTemplate(...) to
verify observable proxy behavior: for RestClient, assert its underlying HTTP
transport/config exposes the proxy host/port and (when provided) credentials
(inspect the RestClient's HttpClient/connection manager or its proxy
selector/Authenticator) and for RestTemplate, unwrap the
ClientHttpRequestFactory (or underlying
HttpComponentsClientHttpRequestFactory/HttpClient) and assert the
Proxy/RoutePlanner and CredentialsProvider contain the expected proxy host, port
and username/password derived from KindeOAuth2Properties.Proxy; keep existing
test branches (no proxy, host+port, authenticated) but replace the simple
assertNotNull checks with assertions against those extracted configuration
objects to ensure wiring is correct.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@kinde-springboot/kinde-springboot-core/src/test/java/com/kinde/spring/ReactiveKindeOAuth2AutoConfigTest.java`:
- Around line 118-126: The test currently stubs resourceServerSpec.jwt(...) to
short-circuit so the inner JWT Customizer is never executed; change the jwt(...)
stub to a Mockito Answer that captures the Customizer argument, create a mocked
Jwt spec (e.g., jwtSpec), call customizer.customize(jwtSpec) and then return
resourceServerSpec so the inner lambda runs; update the same pattern for the
other resourceServerSpec.jwt(...) occurrence (the block referenced also at the
later similar stub) and then assert/verify the expected interactions on the
mocked jwtSpec.


@dtoxvanilla1991 dtoxvanilla1991 left a comment

Good work! Left 4!

- Rename deprecated OAuth2 starters to Spring Boot 4 canonical names
  (spring-boot-starter-security-oauth2-{client,resource-server}) across
  kinde-springboot-starter and the playground POMs that use them.
- Centralise Jackson management in the root pom (jackson-bom 2.20.0 -> 2.21.2)
  and drop redundant per-artifact pins from kinde-springboot-{core,starter}
  and the playground POMs.
- Rewrite RestClient / RestTemplate proxy-wiring tests in
  KindeOAuth2ResourceServerAutoConfigTest to assert host/port/type via
  reflection and verify BasicAuthenticationInterceptor emits the expected
  Authorization header (replacing assertNotNull-only checks).
- Convert WebClientUtilTest's User-Agent debug print into an
  assertEquals("KINDE", ...) assertion; remove stray System.out.println debug
  from kinde-springboot-core auto-config and the kinde-core / springboot
  test suites.
- POM hygiene: pin maven-jar-plugin to 3.5.0 (clears the missing-version
  warning), dedupe duplicate mockito-core declaration in kinde-springboot-core,
  strip empty <build>/<pluginManagement>/<dependencyManagement> blocks and
  redundant placeholder/mvnrepository comments across 15+ POMs.
- Refresh the Thymeleaf playground README: correct port (8080), OAuth client
  name (kinde, not kinde-provider), Spring Boot version, OAuth2 starter
  artifact IDs, and the admin role name.
- Gitignore .env; untrack the six previously committed .env files (local
  copies preserved on disk). Add matching .env.example templates documenting
  the full KINDE_* env-var surface (per com.kinde.config.KindeParameters).

Co-authored-by: Cursor <cursoragent@cursor.com>

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@kinde-springboot/kinde-springboot-core/src/test/java/com/kinde/spring/KindeOAuth2ResourceServerAutoConfigTest.java`:
- Around line 193-209: The test currently asserts that proxy credentials are
emitted using HttpHeaders.AUTHORIZATION via the helper method
assertBasicAuthInterceptorEmits and BasicAuthenticationInterceptor; change the
test to assert the header HttpHeaders.PROXY_AUTHORIZATION instead (build the
expected "Basic ..." value the same way and check
outgoing.getHeaders().getFirst(HttpHeaders.PROXY_AUTHORIZATION)). Also update
the production code that installs the interceptor (references to
KindeOAuth2ResourceServerAutoConfig where BasicAuthenticationInterceptor or
Authorization header are set) to set the Proxy-Authorization header for proxy
credentials instead of using the origin-server Authorization header or a general
BasicAuthenticationInterceptor for proxy auth.

@dtoxvanilla1991


Address CI failures and should be solid.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@kinde-springboot/kinde-springboot-core/src/main/java/com/kinde/spring/KindeOAuth2ResourceServerAutoConfig.java`:
- Around line 66-77: The proxy-related code in
KindeOAuth2ResourceServerAutoConfig assumes proxyProperties.getHost(),
getUsername(), and getPassword() are non-null before calling trim(), which can
NPE; update the proxy setup to null-check these fields (or use a null-safe
helper like StringUtils.hasText) before calling trim()/isEmpty(), e.g., ensure
host is non-null && !host.trim().isEmpty() before constructing the Proxy and
ensure username/password are null-checked (or empty-checked via a null-safe
utility) before creating ProxyBasicAuthenticationInterceptor; apply the same
null-safe checks to the other proxy handling block mentioned (lines ~101-112) so
all calls to getHost/getUsername/getPassword are guarded.

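An added example, not the SDK's ProxyBasicAuthenticationInterceptor, that puts the two CodeRabbit points above together: proxy credentials are sent in Proxy-Authorization rather than the origin-server Authorization header, and host, username and password are guarded with StringUtils.hasText() before trim() is called. The class name, the restTemplate factory method and its parameter names are assumptions standing in for KindeOAuth2Properties.Proxy.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.nio.charset.StandardCharsets;

import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpRequest;
import org.springframework.http.client.ClientHttpRequestExecution;
import org.springframework.http.client.ClientHttpRequestInterceptor;
import org.springframework.http.client.ClientHttpResponse;
import org.springframework.http.client.SimpleClientHttpRequestFactory;
import org.springframework.util.StringUtils;
import org.springframework.web.client.RestTemplate;

/**
 * Adds Basic proxy credentials on the Proxy-Authorization header only. Using the
 * Authorization header here would hand the proxy password to the origin server
 * (the token endpoint) on every request.
 */
public final class ProxyBasicAuthInterceptor implements ClientHttpRequestInterceptor {

    private final String encodedCredentials;

    public ProxyBasicAuthInterceptor(String username, String password) {
        this.encodedCredentials = HttpHeaders.encodeBasicAuth(username, password, StandardCharsets.UTF_8);
    }

    @Override
    public ClientHttpResponse intercept(HttpRequest request, byte[] body,
                                        ClientHttpRequestExecution execution) throws IOException {
        HttpHeaders headers = request.getHeaders();
        if (headers.getFirst(HttpHeaders.PROXY_AUTHORIZATION) == null) {
            headers.set(HttpHeaders.PROXY_AUTHORIZATION, "Basic " + encodedCredentials);
        }
        return execution.execute(request, body);
    }

    /**
     * Proxy wiring with null-safe guards (assumed method and parameter names). Covers the
     * three branches the PR tests: no proxy, host+port, and host+port+credentials.
     */
    public static RestTemplate restTemplate(String host, Integer port, String username, String password) {
        RestTemplate restTemplate = new RestTemplate();
        // hasText() is null-safe, so a null or blank host never reaches trim().
        if (!StringUtils.hasText(host) || port == null) {
            return restTemplate; // no proxy configured: nothing to wire
        }
        SimpleClientHttpRequestFactory factory = new SimpleClientHttpRequestFactory();
        factory.setProxy(new Proxy(Proxy.Type.HTTP, new InetSocketAddress(host.trim(), port)));
        restTemplate.setRequestFactory(factory);
        // Only install the interceptor when both credentials are present; never trim the password.
        if (StringUtils.hasText(username) && StringUtils.hasText(password)) {
            restTemplate.getInterceptors().add(new ProxyBasicAuthInterceptor(username.trim(), password));
        }
        return restTemplate;
    }
}
```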
@dtoxvanilla1991 dtoxvanilla1991 left a comment

Reviewed. The PR delivers a correct, well-tested Spring Boot 4 / Spring Security 7 migration. The proxy authentication implementation is particularly well-executed: ProxyBasicAuthenticationInterceptor correctly targets Proxy-Authorization, the null-credential path is guarded with StringUtils.hasText(), and the test suite pins both the positive and the confidentiality-leak side of the assertion. Safe to merge. Needs Snyk CI resolution.
