Add OAuth2 feature for Config Clients

[cobar79]

• When OAuth2 token property present, call IDP for Bearer Token.
• Add Bearer Token header on config server resource requests.
• Replace deprecated Base64Utils

[spencergibb]

Can we use the boot-managed version?

[cobar79]

@spencergibb
I attempted "boot managed" JCE but had problems with cipher in the client properties. There is so little information on JCE in a Spring Boot project and tons of examples for JASYPT that I went with the common encryption that was easier to set up and manage.

I can revisit it if I can get better documentation of getting it working the the config client.

client-secret: '{cipher}e4b1f56fb017319eb959595343d0e4f5a742e975860b723433f90e8f3e869a379db7c756e0537273aebf72cc3a4c3d48caf4955889c5e22be588523b0a88b5c8'

    Property: spring.cloud.config.client-secret
    Value: "{cipher}e4b1f56fb017319eb959595343d0e4f5a742e975860b723433f90e8f3e869a379db7c756e0537273aebf72cc3a4c3d48caf4955889c5e22be588523b0a88b5c8"
    Origin: URL [file:config/application-local.yml] - 73:22
    Reason: java.lang.UnsupportedOperationException: No decryption for FailsafeTextEncryptor. Did you configure the keystore correctly?

[spencergibb]

what does that have to do with okhttp?

[cobar79]

Mock server for IDP testing. See ConfigClientRequestTemplateFactoryTest

[spencergibb]

Ok, then back to my original comment, why can't the boot managed version of ok http be used?

[spencergibb]

Sorry, looking back I didn't specify okhttp as the one to boot manage.

[cobar79]

Now that I am on the same page, I take "boot managed version of ok http" to be the org.springframework.test.web.client.MockRestServiceServer?

Since I have never used it, I may need help getting it to work. My first attempt failed with it timing out and not responding. My guess is because it has to be bound to the same RestTemplate making the call?
If so, that is going to be the chicken and the egg dilemma since I am testing the Factory method that creates the Template.

mockRestServiceServer = MockRestServiceServer.bindTo(new RestTemplate()).build();
mockRestServiceServer.expect(requestTo(new URI(properties.getTokenUri())))
	.andExpect(method(HttpMethod.POST))
	.andExpect(content().contentType(MediaType.APPLICATION_FORM_URLENCODED))
	.andRespond(withStatus(HttpStatus.OK)
		.contentType(MediaType.APPLICATION_JSON)
		.body(TOKEN_RESPONSE));

[spencergibb]

Nope https://repo1.maven.org/maven2/org/springframework/boot/spring-boot-dependencies/3.2.0/spring-boot-dependencies-3.2.0.pom

<okhttp.version>4.12.0</okhttp.version>

You should just be able to remove the version property and the version tag.

[cobar79]

Done. Did not know it was included. Will have to update all my microservices.

[spencergibb]

It didn't used to be, it was added at some point. We had the same thing in spring cloud

[ryanjbaxter]

Might be cleaner to place these properties in a subclass called oauth2 so we would use spring.cloud.config.oauth2.*

[cobar79]

Done. See ConfigClientOauth2Properties

[ryanjbaxter]

This should probably be some kind of bean that the user can override

[cobar79]

Done. I embedded it into the ConfigClientProperties. It got real messy trying to pass it into the pass additional configurations into the ConfigClientRequestTemplateFactory constructor.

[ryanjbaxter]

What happens if this token expires?

[cobar79]

In general, the Spring Security Framework handles refreshing of the token. I am still trying to set up a test for the actuator monitor endpoint to see if the security framework will append the token to the config server request to pull new updates. In theory it should work since the Spring Context is fully boot strapped.

[ryanjbaxter]

OK please let us know when you have tested that

[cobar79]

Sorry for the redaction. I was looking at postman response and failed to review the client logs.

09:40:07.119 [http-nio-9440-exec-8] WARN  o.s.c.c.c.ConfigServerConfigDataLoader - Could not locate PropertySource ([ConfigServerConfigDataResource@6cca236b uris = array<String>['http://localhost:8888/config-server'], optional = true, profiles = 'local']): 401 : "{"path":"/config-server/gdelt-ingest/local","message":"An error occurred while attempting to decode the Jwt: Jwt expired at 2023-12-19T15:50:42Z","propertyPath":null,"propertyValue":null,"timestamp":"2023-12-19 09:40:07.086-07"}"

[cobar79]

@ryanjbaxter @spencergibb
Is it ok to bring in a JWT Decoder to check expiration?

		<dependency>
			<groupId>com.auth0</groupId>
			<artifactId>java-jwt</artifactId>
			<version>4.4.0</version>
		</dependency>

[ryanjbaxter]

OK please let us know when you have tested that

[ryanjbaxter]

We will also need to add some documentation for this

[cobar79]

@ryanjbaxter Can you point me to the repo that contains the Spring Cloud Config that I will need to update?

[spencergibb]

Docs live here https://github.com/spring-cloud/spring-cloud-config/tree/main/docs/modules/ROOT/pages

[cobar79]

Docs live here https://github.com/spring-cloud/spring-cloud-config/tree/main/docs/modules/ROOT/pages

Nervous that I didn't fork correctly. I am in the 4.0.5-SNAPSHOT and I do not see the modules directory under the docs module?
I only see src/main/asciidoc folder?

Also curious how this will go since I see a 4.1.0 release of spring-cloud-starter-config on Dec 6th in Maven Central?

[ryanjbaxter]

Yes this will actually have to go in a feature release, most likely 4.2.x. That said its best to use main.

[cobar79]

Thanks @ryanjbaxter
Sorry, I am very new to the forking to another repo and merging back.

Can I sync the current fork in my repo or do I need to:

• Close this PR
• Delete the fork in my repo
• Create a new fork into my repo from main which shows 4.1.1-SNAPSHOT.
• Create the feature branch off main in my repo.
• Move code to new fork.
• Then cut new PR back into main on this repo.

[ryanjbaxter]

Yes I think so

[cobar79]

Moving to version 4.1