Here is my security configuration in my spring-boot-starter-oauth2-authorization-server service:
```java
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.context.properties.ConfigurationPropertiesReportEndpoint;
import org.springframework.boot.actuate.env.EnvironmentEndpoint;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.boot.actuate.info.InfoEndpoint;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@EnableWebSecurity
@Configuration
public class SecurityConfiguration {

    // Single filter chain that applies to every request
    @Bean
    SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
        return http
            .csrf(csrfCustomizer -> csrfCustomizer.disable())
            .authorizeHttpRequests(
                authorize -> authorize
                    // Selected actuator endpoints are open, everything else needs authentication
                    .requestMatchers(
                        EndpointRequest.to(InfoEndpoint.class, HealthEndpoint.class, EnvironmentEndpoint.class,
                            ConfigurationPropertiesReportEndpoint.class))
                    .permitAll().anyRequest().authenticated())
            .formLogin(cr -> cr.disable())
            .build();
    }
}
```
When I try to GET `/.well-known/openid-configuration`, I get:
```
❯ http http://des.oauthz.espaidoc-keycloak.apps.ocpdes.t-systems.es/.well-known/openid-configuration
HTTP/1.1 403
cache-control: no-cache, no-store, max-age=0, must-revalidate
content-length: 0
date: Fri, 17 Nov 2023 11:48:16 GMT
expires: 0
pragma: no-cache
set-cookie: JSESSIONID=B8C183A7F9A2CC582B88B1D15C203D08; Path=/; HttpOnly
set-cookie: 324dc6a705237c000a7da99ab87ee12a=3af96fc0f36107d20bb560a118c624e0; path=/; HttpOnly
x-content-type-options: nosniff
x-frame-options: DENY
x-xss-protection: 0
```
You need to add the authorization server configuration as below:

```java
import static org.springframework.security.config.Customizer.withDefaults;
import org.springframework.context.annotation.Bean;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;

@Bean
@Order(Ordered.HIGHEST_PRECEDENCE) // must run before the default chain
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
    OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http); // scopes this chain to the AS endpoints
    http.getConfigurer(OAuth2AuthorizationServerConfigurer.class).oidc(withDefaults()); // enables OpenID Connect 1.0
    return http.oauth2ResourceServer(resourceServer -> resourceServer.jwt(withDefaults()))
        .exceptionHandling(exceptions -> exceptions.authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/login"))).build();
}
```
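Added example (not code from the question or the answer): the same fix written out as the two filter chains that end up in the application, with explicit ordering, `applyDefaultSecurity` expanded into the calls it makes so the endpoint matcher that scopes the first chain is visible, and a default chain that keeps CSRF and form login on so the `/login` redirect actually has a handler. The class name and the reduced actuator list are assumptions.

```java
import static org.springframework.security.config.Customizer.withDefaults;
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.boot.actuate.info.InfoEndpoint;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@EnableWebSecurity
public class TwoChainSecurityConfiguration { // hypothetical class name
    // Chain 1 is consulted first and claims only the authorization server endpoints
    // (/oauth2/**, /.well-known/**, /userinfo, ...); every other request falls through to chain 2.
    @Bean
    @Order(1)
    SecurityFilterChain authorizationServerChain(HttpSecurity http) throws Exception {
        OAuth2AuthorizationServerConfigurer authorizationServer = new OAuth2AuthorizationServerConfigurer();
        RequestMatcher endpoints = authorizationServer.getEndpointsMatcher();
        // These three calls are what applyDefaultSecurity(http) performs internally.
        http.securityMatcher(endpoints)
            .authorizeHttpRequests(authorize -> authorize.anyRequest().authenticated())
            .csrf(csrf -> csrf.ignoringRequestMatchers(endpoints)) // CSRF stays enabled outside this chain
            .apply(authorizationServer);
        authorizationServer.oidc(withDefaults()); // publishes /.well-known/openid-configuration
        return http
            // Unauthenticated browser requests to /oauth2/authorize are redirected to the login page
            .exceptionHandling(ex -> ex.authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/login")))
            // /userinfo accepts this server's own JWT access tokens
            .oauth2ResourceServer(rs -> rs.jwt(withDefaults()))
            .build();
    }

    // Chain 2 handles everything else. Without chain 1 nothing serves the discovery document, so that
    // request lands here, hits anyRequest().authenticated() and, with form login disabled, gets a bare 403.
    @Bean
    @Order(2)
    SecurityFilterChain defaultChain(HttpSecurity http) throws Exception {
        return http
            .authorizeHttpRequests(authorize -> authorize
                .requestMatchers(EndpointRequest.to(InfoEndpoint.class, HealthEndpoint.class)).permitAll()
                .anyRequest().authenticated())
            .formLogin(withDefaults()) // must stay enabled, otherwise /login has no handler
            .build();
    }
}
```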