The "bff" springboot application needs to reach ".well-known/openid-configuration" when starting, what if it can't?

[rgambelli]

Hi all,

I'm using springaddons to implement the backend-for-frontend scenario, the bff springboot, as oauth2 client application, when starting needs to reach the url ".well-known/openid-configuration" of the authorization server, I'm using keycloak.

I've seen that if keycloak-server is down my bff-server is unable to start, I have a difference from the tutorial, I have this class, without it the redirect uri coming from keycloak is without the schema (...&redirect_uri=/login/oauth2/code/default...), hostname and port parts, so it doesn't work, how does the tutorial work without this class and how can I be able to start bff even if in a the starting phase keycloak server is not available?

@Configuration
public class SecurityConfiguration {

    @Bean
    public ServerOAuth2AuthorizationRequestResolver authorizationRequestResolver(ReactiveClientRegistrationRepository clientRegistrationRepository,
            SpringAddonsOidcProperties addonsProperties) {
        return new DefaultServerOAuth2AuthorizationRequestResolver(clientRegistrationRepository);
    }

    @Bean
    @LoadBalanced
    public WebClient.Builder webClient() {
        return WebClient.builder();
    }
}

Thanks

[ch4mpy]

You can not run an OAuth2 system if other actors (clients and resource servers) can't reach the authorization server.

Other actors use the OpenID configuration to auto-configure themself with:

• JWK-set (or userinfo if the server is not OpenID), authorization, token and end-session endpoints for client
• JWK-set endpoint (or introspection endpoint if the server does not emit JWTs) for the resource server

You may configure all of these endpoints yourself instead of relying on OIDC auto-configuration, but at some point, the client will need to access the authorization server and it will also need to redirect users to it (with proper scheme, host and port).

So just make your authorization server highly available (this is the most critical part in your system) and configure the authorization-server URIs properly on your clients and resource servers (either the authorization server itself or a proxy in front of it, but with scheme, host and port).

[veganchamp]

Adding to this, from our company's perspective some of our apps do have both secured and unsecured journeys and we didn't want the availability of an auth server to dictate whether the app starts-up, such that if its not available we lose the revenue for all journeys.

We control this by not supplying the issuer-uri, and configuring the endpoints found in the .well-known/openid-configuration:
Remove, the below, this is what calls the auth server (my-provider) on start-up:

spring.security.oauth2.client.provider.my-provider.issuer-uri=https://my-provider

Replace with:

spring.security.oauth2.client.provider.my-provider.authorization-uri=https://my-provider/services/oauth2/authorize
spring.security.oauth2.client.provider.my-provider.token-uri=https://my-provider/services/services/oauth2/token
spring.security.oauth2.client.provider.my-provider.jwk-set-uri=https://my-provider/services/id/keys

Caveat: we're not using spring-addons so I'm not sure if the above is still valid in that context