OAuth2FeignRequestInterceptor support for Spring Security 5 OAuth

[loesak]

I'm upgrading from Spring Security OAuth to the OAuth support in Spring Security 5. My micro-services previously was using Feign to connect with other micro-services (micro-services are both resource servers and clients) and I was using OAuth2FeignRequestInterceptor to either obtain an token, use an existing token, or pass on a token that the calling micro-service itself received (Token Relay). This no longer seems to work as it appears that OAuth2FeignRequestInterceptor does not yet support Spring Security 5's OAuth support. Is this on the roadmap to add support for or does support already exist?

[spencergibb]

Can you define this more:

This no longer seems to work as it appears that OAuth2FeignRequestInterceptor does not yet support Spring Security 5's OAuth support.

[loesak]

@spencergibb yes. thank you for getting back to me.

I'm currently using org.springframework.cloud:spring-cloud-security:2.1.0.RC3

I've been converting my project to use the new OAuth/OIDC support in Spring Security 5 (org.springframework.security:spring-security-oauth2-client and org.springframework.security:spring-security-oauth2-resource-server) from the previous (org.springframework.security.oauth:spring-security-oauth). I removed spring-security-oauth from my dependency management but it seems that OAuth2FeignRequestInterceptor is still dependent on classes from that project. It's my assumption that the previous OAuth support and the new OAuth support are not compatible together, at least I have not found a way for them to be so.

It seems like other parts of spring-cloud-security are using the new Spring Security 5 support of OAuth. For example org.springframework.cloud.security.oauth2.gateway. But there doesn't seem to be alternatives under org.springframework.cloud.security.oauth2.proxy (Zuul) and org.springframework.cloud.security.oauth2.client for the new OAuth support.

I hope this is clear.

EDIT:
I'm also aware that org.springframework.security.oauth:spring-security-oauth has been replaced with spring-security-oauth2-autoconfigure for backwards compatibility but its essentially the same code.

[spencergibb]

Can you please the Greenwich.RELEASE rather than a release candidate?

[loesak]

No difference from what i can tell. The code seems still be relying on the OAuth support from org.springframework.security.oauth:spring-security-oauth2 instead of org.springframework.security:spring-security-oauth2-client and org.springframework.security:spring-security-oauth2-resource-server.

I think the first question that needs to be answered is if the spring-cloud-security OAuth support has been converted to use Spring Security's new OAuth implementations.

Would it be helpful for me to setup a sample project?

[spencergibb]

Sure a sample would be great.