Add AutoConfiguration support for OIDC Configuration Provider

[rwinch]

Spring Boot should add auto configuration support OidcConfigurationProvider. This will allow simplifying how an OAuth Provider is configured. For example, right now a user must create the following configuration:

spring:
  security:
    oauth2:
      client:
        registration:
          okta:
            client-id: okta-client-id
            client-secret: okta-client-secret
        provider:
          okta:
            authorization-uri: https://your-subdomain.oktapreview.com/oauth2/v1/authorize
            token-uri: https://your-subdomain.oktapreview.com/oauth2/v1/token
            user-info-uri: https://your-subdomain.oktapreview.com/oauth2/v1/userinfo
            user-name-attribute: sub
            jwk-set-uri: https://your-subdomain.oktapreview.com/oauth2/v1/keys

By leveraging OidcConfigurationProvider the configuration should be able to be simplified to something like this:

spring:
  security:
    oauth2:
      client:
        registration:
          okta:
            client-id: okta-client-id
            client-secret: okta-client-secret
        provider:
          okta:
            issuer-uri: https://dev-123456.oktapreview.com/oauth2/default/

Then Spring Boot's Auto Configuration support can can create a ClientRegistration using:

ClientRegistration okta = OidcConfigurationProvider.issuer(issuer)
    .clientId(clientId)
    .clientSecret(clientSecret)
    .build();

This should be done for Servlet environments and WebFlux based environments along with #13142

Related: spring-projects/spring-security#4413

NOTE: You can refer to OidcConfigurationProviderTests for sample output of the URL and how to write a test using MockWebServer. You can also use Google's Issuer https://accounts.google.com/ which will request https://accounts.google.com/.well-known/openid-configuration for a simple way of integration testing a sample application.

[mbhave]

Given that Spring Boot 2.1.0.M1 will ship with Spring Security 5.1.0.M1, we can do this for 2.1.0.M2.

[mbhave]

Spring Boot 2.1.0.M1 is now scheduled for July 12th which is after Spring Security 5.1.0.M2's scheduled date, so this doesn't need to be blocked anymore for 2.1.0.M1.

[mbhave]

@rwinch I find it quite confusing that the registrationId for the ClientRegistration generated using this configuration is the hostname from the issuer uri and not the key used in the properties. For other client registrations, we've been using the key that the registration is under, for example, in this case, it would be okta,

[rwinch]

@mbhave Agreed. This is just the defaulted value. You should be able to make any changes you want to the builder that is returned.

[snicoll]

@rwinch Can't the default value be the key used in properties? Seems more logical to me than using the host.

[rwinch]

@snicoll Yes I think that makes sense. However, OidcConfigurationProvider does not know about the Boot specific key, so it uses the domain as a default value. You will need to override it's default using something like this:

ClientRegistration okta = OidcConfigurationProvider.issuer(issuer)
    .registrationId(theKeyToUse) // Override with the value Boot wants to use
    .clientId(clientId)
    .clientSecret(clientSecret)
    .build();

NOTE: When writing the actual example I realized that registrationId was not writable on the Builder. Perhaps this is where the confusion was? I created and resolved spring-projects/spring-security#5527 so this will be possible once Spring Security's build finishes.

[mbhave]

When writing the actual example I realized that registrationId was not writable on the Builder. Perhaps this is where the confusion was?

yeah, that's what caused my confusion. I've got the latest snapshot now. thanks!