it-at-m · simonhir · Sep 19, 2024 · Sep 17, 2024 · Sep 17, 2024 · Sep 19, 2024
@@ -6,6 +6,20 @@ spring:
     port: 1025
     username: [email protected]
     password: secret
+  security:
+    oauth2:
+      client:
+        provider:
+          sso:
+            issuer-uri: http://keycloak:8100/auth/realms/local_realm
+            user-info-uri: ${spring.security.oauth2.client.provider.sso.issuer-uri}/protocol/openid-connect/userinfo
+            jwk-set-uri: ${spring.security.oauth2.client.provider.sso.issuer-uri}/protocol/openid-connect/certs
+        registration:
+          s3:
+            provider: sso
+            authorization-grant-type: client_credentials
+            client-id: local
+            client-secret: client_secret
 refarch:
   mail:
     from-address: [email protected]
@@ -14,6 +28,3 @@ refarch:
     client:
       document-storage-url: http://localhost:8086
       enable-security: true
-SSO_ISSUER_URL: http://keycloak:8100/auth/realms/local_realm
-SSO_S3_CLIENT_ID: local
-SSO_S3_CLIENT_SECRET: client_secret
@@ -47,7 +47,22 @@ Whether a property is an alias can be checked in the corresponding `application.
 | `refarch.s3.bucket-name` | Name of the bucket to connect to.                              | `refarch-bucket`                              |
 | `refarch.s3.access-key`  | Access key to use for connection.                              |                                               |
 | `refarch.s3.secret-key`  | Secret key to use for connection.                              |                                               |
-| `SSO_ISSUER_URL`         | Issuer url of oAuth2 service used for securing rest endpoints. | `https://sso.example.com/auth/realms/refarch` |
+
+For authenticating the different endpoints oAuth2 authentication needs to be configured.
+See below example or the [according Spring documentation](https://docs.spring.io/spring-security/reference/servlet/oauth2/index.html#oauth2-resource-server).
+
+```yml
+spring:
+  security:
+    oauth2:
+      resourceserver:
+        jwt:
+          issuer-uri: https://sso.example.com/auth/realms/refarch
+security:
+  oauth2:
+    resource:
+      user-info-uri: ${spring.security.oauth2.resourceserver.jwt.issuer-uri}/protocol/openid-connect/userinfo
+```
 
 ### s3-integration-java-client-starter
 
@@ -65,6 +80,31 @@ All properties of [s3-integration-java-client-starter](#s3-integration-rest-clie
 |------------------------------------------|----------------------------------------------------------------------------|-----------------------------------------------|
 | `refarch.s3.client.document-storage-url` | Url to the RefArch S3 integration service.                                 | `http://s3-integration-service:8080`          |
 | `refarch.s3.client.enable-security`      | Switch to enable or disable oAuth2 authentication against s3 service.      | `true`                                        |
-| `SSO_ISSUER_URL`                         | Issuer url of oAuth2 service to use for authentication against s3 service. | `https://sso.example.com/auth/realms/refarch` |
-| `SSO_S3_CLIENT_ID`                       | Client id to be used for authentication.                                   | `refarch_client`                              |
-| `SSO_S3_CLIENT_SECRET`                   | Client secret to be used for gathering client service account token.       |                                               |
+
+For authentication against the s3-service a OAuth2 registration with the name `s3` needs to be provided.
+See following example or the [according Spring documentation](https://docs.spring.io/spring-security/reference/servlet/oauth2/index.html#oauth2-client).
+
+```yml
+spring:
+  security:
+    oauth2:
+      client:
+        provider:
+          sso:
+            issuer-uri: https://sso.example.com/auth/realms/refarch
+            user-info-uri: ${spring.security.oauth2.client.provider.sso.issuer-uri}/protocol/openid-connect/userinfo
+            jwk-set-uri: ${spring.security.oauth2.client.provider.sso.issuer-uri}/protocol/openid-connect/certs
+            # used for RequestResponseLoggingFilter in s3-rest-service
+            # only required if filter is explicitly enabled
+            user-name-attribute: user_name
+        registration:
+          s3:
+            provider: sso
+            authorization-grant-type: client_credentials
+            client-id: refarch_client
+            client-secret: client_secret_123
+            # profile required for username used in s3-rest-service RequestResponseLoggingFilter
+            # openid required for user info endpoint used in s3-rest-service JwtUserInfoAuthenticationConverter
+            # both scopes are only required if the according functions are explicitly used
+            scope: profile, openid
+```
@@ -4,7 +4,6 @@
 import de.muenchen.refarch.integration.s3.client.api.FileApiApi;
 import de.muenchen.refarch.integration.s3.client.api.FolderApiApi;
 import de.muenchen.refarch.integration.s3.client.domain.model.SupportedFileExtensions;
-import de.muenchen.refarch.integration.s3.client.factory.YamlPropertySourceFactory;
 import de.muenchen.refarch.integration.s3.client.properties.S3IntegrationClientProperties;
 import de.muenchen.refarch.integration.s3.client.repository.DocumentStorageFileRepository;
 import de.muenchen.refarch.integration.s3.client.repository.DocumentStorageFileRestRepository;
@@ -40,7 +39,6 @@
 )
 @RequiredArgsConstructor
 @EnableConfigurationProperties(S3IntegrationClientProperties.class)
-@PropertySource(value = "classpath:application-s3-client.yml", factory = YamlPropertySourceFactory.class)
 @Slf4j
 public class S3IntegrationClientAutoConfiguration {
 

@@ -1,4 +1,13 @@
-SSO_ISSUER_URL: http://keycloak:8100/auth/realms/local_realm
+spring:
+  security:
+    oauth2:
+      resourceserver:
+        jwt:
+          issuer-uri: http://keycloak:8100/auth/realms/local_realm
+security:
+  oauth2:
+    resource:
+      user-info-uri: ${spring.security.oauth2.resourceserver.jwt.issuer-uri}/protocol/openid-connect/userinfo
 refarch:
   s3:
     bucket-name: test-bucket

@@ -6,11 +6,6 @@ info:
 spring:
   application:
     name: ${info.application.name}
-  security:
-    oauth2:
-      resourceserver:
-        jwt:
-          issuer-uri: ${SSO_ISSUER_URL}
 
 server:
   error:
@@ -33,14 +28,3 @@ management:
     health.enabled: true
     info.enabled: true
     prometheus.enabled: true
-
-security:
-  oauth2:
-    resource.user-info-uri: ${SSO_ISSUER_URL}/protocol/openid-connect/userinfo
-
-refarch:
-  s3:
-    bucket-name: ${S3_BUCKETNAME}
-    access-key: ${S3_ACCESSKEY}
-    url: ${S3_URL:http://localhost:9000}
-    secret-key: ${S3_SECRETKEY}