Allow in-memory authorized client services to be constructed with a map

[vpavic]

This is the equivalent of #5918 only this time for InMemoryOAuth2AuthorizedClientService and its reactive counterpart.

[vpavic]

I've updated this PR with a commit that that adds OAuth2AuthorizedClientId. I've put that commit as first, and updated the original commit to leverage the newly introduced identifier.

Please take a quick look before I get any further with this. The thing is that the only consumer of OAuth2AuthorizedClientService (and its reactive counterpart) is AuthenticatedPrincipalOAuth2AuthorizedClientRepository (and its reactive counterpart). I believe the APIs of those should also be updated to use OAuth2AuthorizedClientId in order to have a real benefit from the newly introduced identifier.

[rwinch]

@vpavic While I'm open to considering updating the APIs to use OAuth2AuthorizedClientId, I don't think we should make this a part of this PR as I don't think there is a need for it now. Instead, this should be limited to the Map based implementations. We can then consider updating the OAuth2AuthorizedClientService (and reactive equivalent) separately.

Thoughts?

[vpavic]

I agree it's better to handle that separately. I'm going to update this PR with that in mind, and open a new one to consider API changes once this (i.e. OAuth2AuthorizedClientId) is merged.

[vpavic]

I've updated the PR.

[rwinch]

Thanks for the updates. I have commented inline.

[rwinch]

Given Map is an optional parameter, I'd prefer it to be exposed via a setter. I understand that means it is mutable object, but this is the typical pattern Spring uses.

[jgrandja]

I agree with @rwinch that we should expose via setter instead - Map should be optional. Also, this object is mutable anyway given saveAuthorizedClient and removeAuthorizedClient.

[jgrandja]

@vpavic Apologies for back-tracking my previous comment but what are your thoughts on removing the setter and adding a 2nd constructor for both ClientRegistrationRepository and the Map?

[jgrandja]

We should Assert.notNull on clientRegistration and Assert.hasText on principalName. Applying this update would than make Assert.notNull redundant in OAuth2AuthorizedClientId constructor.

[jgrandja]

I think the parameter ClientRegistration clientRegistration should be changed to String clientRegistrationId, which aligns with OAuth2AuthorizedClientService.loadAuthorizedClient(String clientRegistrationId, String principalName).

I'm also curious on why this factory method is needed? Alternatively, we can make the constructor public. What are your throughts?

[jgrandja]

It might be useful to implement toString as well?

[jgrandja]

This method name should be changed to equalsWhenDifferentRegistrationIdAndSamePrincipalThenShouldReturnFalse

[jgrandja]

This method name should be changed to equalsWhenSameRegistrationIdAndDifferentPrincipalThenShouldReturnFalse

[jgrandja]

This method name should be changed to hashCodeWhenDifferentRegistrationIdAndSamePrincipalThenNotEqual

[jgrandja]

This method name should be changed to hashCodeWhenSameRegistrationIdAndDifferentPrincipalThenNotEqual

[jgrandja]

{@link Authentication} should be -> the principal name

[vpavic]

Since RC1 is around the corner, heads-up that reactive bits of #5918 need to get reverted. Or maybe all of it, if this PR doesn't make the cut.

[jgrandja]

Thanks for the heads up @vpavic. I left a couple of comments. Also, would you be interested in submitting a PR that reverts the reactive bits of #5918?

[jgrandja]

@vpavic Assuming we merge this PR and revert the reactive bits in #5918, this will allow a Map to be set by the caller for both InMemoryClientRegistrationRepository and InMemoryOAuth2AuthorizedClientService. However, the reactive counterparts InMemoryReactiveClientRegistrationRepository and InMemoryReactiveOAuth2AuthorizedClientService will not allow a Map to be set by the caller since this could introduce a blocking operation as @rwinch mentioned.

What are your thoughts on this? This will ultimately introduce inconsistent implementations between the two which I'm not sure at this point is the right way to go. Given that you raised this issue to allow for a distributed Map to be set, you will not be able to achieve this for a Reactive implementation/application. Do you have any concerns with this?

[vpavic]

I'm afraid I won't have time to revisit this and the #5918 partial revert as I'm quite occupied by stuff for next Spring Session release so feel free to do what you feel is the best.

Generally I'm interested primarily in Servlet side of the things (and have included reactive bits for completeness sake) so that inconsistency is fine with me. I also don't think inconsistency should be the reason for not providing something that's supporting a perfectly valid (and IMO needed) use case for Servlet based implementation.

Also I'll express a concern that I've already express in other places, which I believe is important and is the motivation for this and other related PRs - all the store-like interfaces in new Spring Security OAuth 2.0 are only supported by in-memory implementations, and that's IMO something that you typically don't want to be running in production.

[jgrandja]

@vpavic No worries if you don't have the time...totally understand. I'll take care of the remaining work.

I'm interested primarily in Servlet side of the things

Ok I don't see any issues on merging the changes for Servlet.

...only supported by in-memory implementations, and that's IMO something that you typically don't want to be running in production

Totally agreed and yes the in-memory implementations are meant for development only. It's up to the user to define @Bean of either ClientRegistrationRepository and/or OAuth2AuthorizedClientService for a production setup. We very well may provide other implementations in a later release but we've had other priorities to focus on as of late.

Thanks again for the reminder on this ticket and #5918...it almost slipped through the cracks.

[jgrandja]

@vpavic I just merged this along with a polish commit 23d61d4. I also did a partial revert of #5918 in this commit e554547.
Let me know if you see any issues with the updates.
Thanks.