feat(OAuth2): Remove deprecated OAuth2 annotation. Instead Use Java DSL way of OAuth2

[rahul-chekuri]

Oauth configuration properties are changed for new java way of dsl.

Old Config Properties:

security:
  authn:
    oauth2:
      enabled: true
      client:
        clientId: <client-id>
        clientSecret: <client-secret>
        accessTokenUri: https://www.googleapis.com/oauth2/v4/token
        userAuthorizationUri: https://accounts.google.com/o/oauth2/v2/auth
        scope: profile email
      userInfoRequirements:
        hd: <domain>
      resource:
        userInfoUri: https://www.googleapis.com/oauth2/v3/userinfo
      userInfoMapping:
        email: email
        firstName: given_name
        lastName: family_name
      provider: GOOGLE

New Config Properties:

Google:

spring:
  security:
    oauth2:
      client:
        registration:
          google:
            client-id: <client-id>
            client-secret: <client-secret>
            authorization-grant-type: authorization_code
            redirect-uri: "https://<your-domain>/login/oauth2/code/google"
            scope: profile,email,openid
            client-name: google
        provider:
          google:
            authorization-uri: https://accounts.google.com/o/oauth2/auth
            token-uri: https://oauth2.googleapis.com/token
            user-info-uri: https://www.googleapis.com/oauth2/v3/userinfo
            user-name-attribute: sub

Github:

spring:
  security:
    oauth2:
      client:
        registration:
          userInfoMapping:
            email: email
            firstName: ''
            lastName: name
            username: login
          github:
            client-id: <client-id>
            client-secret: <client-secret>
            authorization-grant-type: authorization_code
            redirect-uri: "https://<your-domain>/login/oauth2/code/github"
            scope: user,email
            client-name: github
        provider:
          github:
            authorization-uri: https://github.com/login/oauth/authorize
            token-uri: https://github.com/login/oauth/access_token
            user-info-uri: https://api.github.com/user
            user-name-attribute: login

[dbyron-sf]

Looks like there are some config property changes here, so I'd say this is a feature, not a refactor. Please also describe old and new params in the commit message + PR description.

[rahul-chekuri]

Looks like there are some config property changes here, so I'd say this is a feature, not a refactor. Please also describe old and new params in the commit message + PR description.

@dbyron-sf updated the description and commit message with config properties. Please take a look :)

[dzhengg]

Does this get used anywhere?

[rahul-chekuri]

3e64fb6

removed here

[dzhengg]

Could you explain this section a bit? How does the presence of these two values allow authentication?

[rahul-chekuri]

In Spring Security 5, the above properties provided and bean configuration defined in OAuth2SsoConfig.java will configure OAuth2 authentication by defining a OAuth2 client(in this case its github as the client name is github) for login. Here’s how they work:

OAuth2 Client Configuration:
The spring.security.oauth2.client.registration.github.client-id and spring.security.oauth2.client.registration.github.client-secret properties register a GitHub OAuth2 client in Spring Boot. This allows users to authenticate using their GitHub credentials.

Spring Boot Auto-Configuration:
Spring Boot automatically detects these properties and configures an OAuth2LoginConfigurer under the hood. This enables OAuth2 login.

Security Filter Chain Integration:
Spring Security 5 automatically adds the necessary filters (OAuth2LoginAuthenticationFilter) to handle the OAuth2 authentication process.

[dzhengg]

I guess what I really meant is: previously the test worked with these fields:

1. security.oauth2.client.clientId
2. security.oauth2.resource.userInfoUri
   I'd assume that after changing to the new configuration properties, we'd include these fields to remain consistent:
3. spring.security.oauth2.client.registration.github.client-id
4. spring.security.oauth2.client.provider.github.user-info-uri
   But actually, we removed the userInfoUri field and added the client-secret field which wasn't there before. So what is this test actually doing behind the scenes? And what properties (if any) are actually used by this test?

[rahul-chekuri]

userInfoUri doesn't play any special role in the tests, but it was put in the old config to avoid bean creation issues like the ones below:

Caused by: org.springframework.validation.BindException: org.springframework.validation.BeanPropertyBindingResult: 1 errors
Field error in object 'resourceServerProperties' on field 'tokenInfoUri': rejected value [null]; codes [missing.tokenInfoUri.resourceServerProperties.tokenInfoUri,missing.tokenInfoUri.tokenInfoUri,missing.tokenInfoUri.java.lang.String,missing.tokenInfoUri]; arguments []; default message [Missing tokenInfoUri and userInfoUri and there is no JWT verifier key]
	at app//org.springframework.boot.autoconfigure.security.oauth2.resource.ResourceServerProperties.doValidate(ResourceServerProperties.java:230)
	at app//org.springframework.boot.autoconfigure.security.oauth2.resource.ResourceServerProperties.validate(ResourceServerProperties.java:198)

We don't need to pass the userInfoUri for tests with the new OAuth config.

[dbyron-sf]

WebSecurityConfigurerAdapter is deprecated. Are there plans to move to something that's not?

[rahul-chekuri]

We plan to delete the Adapter from the gate as part of the springboot3 upgrade.