Description
Given the following configuration:
import org.springframework.context.annotation.Bean;
import org.springframework.http.MediaType;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.util.matcher.MediaTypeRequestMatcher;

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http)
        throws Exception {
    OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
            OAuth2AuthorizationServerConfigurer.authorizationServer();

    http
        .securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
        .with(authorizationServerConfigurer, (authorizationServer) ->
            authorizationServer
                .oidc(Customizer.withDefaults()) // Enable OpenID Connect 1.0
        )
        .authorizeHttpRequests((authorize) ->
            authorize
                .anyRequest().authenticated()
        )
        // Send unauthenticated browser (text/html) clients to the login page
        .exceptionHandling((exceptions) -> exceptions
            .defaultAuthenticationEntryPointFor(
                new LoginUrlAuthenticationEntryPoint("/login"),
                new MediaTypeRequestMatcher(MediaType.TEXT_HTML)
            )
        )
        // customAuthenticationManager: an AuthenticationManager declared elsewhere in the application
        .oauth2ResourceServer(resourceServer ->
            resourceServer
                .authenticationManagerResolver((context) -> customAuthenticationManager)
        );

    return http.build();
}
The application context will fail to build with the error message:
Caused by: java.lang.IllegalStateException: If an authenticationManagerResolver() is configured, then it takes precedence over any jwt() or opaqueToken() configuration.
The reason is that OAuth2AuthorizationServerConfigurer defaults to resourceServer.jwt() when the OIDC UserInfo endpoint or the OIDC Client Registration endpoint is enabled. However, if an application configures a client to use opaque tokens for an OpenID Connect flow, it should be possible to configure authenticationManagerResolver() so that both JWT and opaque access tokens are supported. As of now this is not possible, because resourceServer.jwt() has already been configured as the default by OAuth2AuthorizationServerConfigurer.
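As an added illustration (not code from this issue or from Spring Authorization Server) of the case described above, here is a resolver that serves both token formats behind a single authenticationManagerResolver(); the class name, the dot-count heuristic and the jwtDecoder/introspector constructor parameters are assumptions:

```java
import jakarta.servlet.http.HttpServletRequest;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationManagerResolver;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.authentication.OpaqueTokenAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;
import org.springframework.security.oauth2.server.resource.web.BearerTokenResolver;
import org.springframework.security.oauth2.server.resource.web.DefaultBearerTokenResolver;

// Hypothetical resolver (not from the issue): picks the JWT or the opaque-token
// AuthenticationManager per request from the shape of the bearer token. Picking a
// pipeline validates nothing; the selected provider still verifies the signature
// (JwtDecoder) or introspects the token (OpaqueTokenIntrospector) as usual.
public final class TokenFormatAuthenticationManagerResolver
        implements AuthenticationManagerResolver<HttpServletRequest> {

    private final BearerTokenResolver bearerTokenResolver = new DefaultBearerTokenResolver();
    private final AuthenticationManager jwtManager;
    private final AuthenticationManager opaqueTokenManager;

    public TokenFormatAuthenticationManagerResolver(JwtDecoder jwtDecoder,
            OpaqueTokenIntrospector introspector) {
        this.jwtManager = new ProviderManager(new JwtAuthenticationProvider(jwtDecoder));
        this.opaqueTokenManager = new ProviderManager(
                new OpaqueTokenAuthenticationProvider(introspector));
    }

    @Override
    public AuthenticationManager resolve(HttpServletRequest request) {
        // resolve() returns null when no bearer token is present; the opaque pipeline
        // then rejects the request as unauthenticated like any other resource server.
        String token = this.bearerTokenResolver.resolve(request);
        return looksLikeJwt(token) ? this.jwtManager : this.opaqueTokenManager;
    }

    // A JWS compact serialization has exactly three non-empty base64url segments.
    // Encrypted JWTs (JWE, five segments) are deliberately not treated as JWTs here.
    static boolean looksLikeJwt(String token) {
        if (token == null) return false;
        String[] segments = token.split("\\.", -1);
        if (segments.length != 3) return false;
        for (String segment : segments) {
            if (segment.isEmpty()) return false;
        }
        return true;
    }
}
```

Passed to authenticationManagerResolver() in the first configuration above, this is the kind of customAuthenticationManager the report refers to. With OIDC enabled it still trips the IllegalStateException quoted there, which is the behaviour this issue reports.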
A similar error condition occurs with the following configuration:
import org.springframework.context.annotation.Bean;
import org.springframework.http.MediaType;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.util.matcher.MediaTypeRequestMatcher;

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http)
        throws Exception {
    OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
            OAuth2AuthorizationServerConfigurer.authorizationServer();

    http
        .securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
        .with(authorizationServerConfigurer, (authorizationServer) ->
            authorizationServer
                .oidc(Customizer.withDefaults()) // Enable OpenID Connect 1.0
        )
        .authorizeHttpRequests((authorize) ->
            authorize
                .anyRequest().authenticated()
        )
        // Send unauthenticated browser (text/html) clients to the login page
        .exceptionHandling((exceptions) -> exceptions
            .defaultAuthenticationEntryPointFor(
                new LoginUrlAuthenticationEntryPoint("/login"),
                new MediaTypeRequestMatcher(MediaType.TEXT_HTML)
            )
        )
        // Ask for opaque-token (introspection) support instead of the jwt() default
        .oauth2ResourceServer(resourceServer ->
            resourceServer
                .opaqueToken(Customizer.withDefaults())
        );

    return http.build();
}
The error message is:
Caused by: java.lang.IllegalStateException: Spring Security only supports JWTs or Opaque Tokens, not both at the same time.
The application is not able to override the default resourceServer.jwt() configured by OAuth2AuthorizationServerConfigurer in order to configure resourceServer.opaqueToken() instead.