Spring security: Allow .well-known/openid-configuration

Here my security configuration into my spring-boot-starter-oauth2-authorization-server service:

@EnableWebSecurity
@Configuration
public class SecurityConfiguration {

  @Bean
  SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
    return http
        .csrf(csrfCustomizer -> csrfCustomizer.disable())
        .authorizeHttpRequests(
            authorize -> authorize
                .requestMatchers(
                    EndpointRequest.to(InfoEndpoint.class, HealthEndpoint.class, EnvironmentEndpoint.class,
                        ConfigurationPropertiesReportEndpoint.class))
                .permitAll().anyRequest().authenticated())
        .formLogin(cr -> cr.disable())
        .build();

  }
}

When I’m trying to GET _/.well-known/openid-configuration, I’m getting:

❯ http http://des.oauthz.espaidoc-keycloak.apps.ocpdes.t-systems.es/.well-known/openid-configuration
HTTP/1.1 403
cache-control: no-cache, no-store, max-age=0, must-revalidate
content-length: 0
date: Fri, 17 Nov 2023 11:48:16 GMT
expires: 0
pragma: no-cache
set-cookie: JSESSIONID=B8C183A7F9A2CC582B88B1D15C203D08; Path=/; HttpOnly
set-cookie: 324dc6a705237c000a7da99ab87ee12a=3af96fc0f36107d20bb560a118c624e0; path=/; HttpOnly
x-content-type-options: nosniff
x-frame-options: DENY
x-xss-protection: 0

you need add authorization server configutation as below

   @Bean
    @Order(Ordered.HIGHEST_PRECEDENCE)
    public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
        OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
        http.getConfigurer(OAuth2AuthorizationServerConfigurer.class).oidc(withDefaults());
        return http.oauth2ResourceServer(resourceServer -> resourceServer.jwt(withDefaults()))
                .exceptionHandling(exceptions -> exceptions.authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/login"))).build();
    }

Leave a Comment