feat: Make token issuer validation optional

[Afanas10101111]

Description

Make spring.security.oauth2.resourceserver.jwt.issuer-uri optional

• Comment property in application.properties
• Add on/off switch to the kube config

Related issue(s)

• #1095

[github-actions]

This pull request has been automatically marked as stale because it has not had recent activity 😴

It will be closed in 30 days if no further activity occurs. To unstale this pull request, add a comment with detailed explanation.

There can be many reasons why some specific pull request has no activity. The most probable cause is lack of time, not lack of interest. Microcks is a Cloud Native Computing Foundation project not owned by a single for-profit company. It is a community-driven initiative ruled under open governance model.

Let us figure out together how to push this pull request forward. Connect with us through one of many communication channels we established here.

Thank you for your patience ❤️

[lbroudoux]

Changing base to the 1.9.x branch that is the development one.

[lbroudoux]

Hello,

I've tested this one locally by just commenting the spring.security.oauth2.resourceserver.jwt.issuer-uri property in application.properties.

The problem is that I can no longer start the application because it complains of a missing JwtDecoder bean:

16:21:02.505  WARN 4453 --- [      main] ConfigServletWebServerApplicationContext : Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration': Unsatisfied dependency expressed through method 'setFilterChains' parameter 0: Error creating bean with name 'configureAPISecurityFilterChain' defined in class path resource [io/github/microcks/config/SecurityConfiguration.class]: Failed to instantiate [org.springframework.security.web.SecurityFilterChain]: Factory method 'configureAPISecurityFilterChain' threw exception with message: No qualifying bean of type 'org.springframework.security.oauth2.jwt.JwtDecoder' available
16:21:02.528 ERROR 4453 --- [      main] o.s.b.d.LoggingFailureAnalysisReporter   : 

***************************
APPLICATION FAILED TO START
***************************

Description:

Parameter 0 of method setFilterChains in org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration required a bean of type 'org.springframework.security.oauth2.jwt.JwtDecoder' that could not be found.


Action:

Consider defining a bean of type 'org.springframework.security.oauth2.jwt.JwtDecoder' in your configuration.

So I think we should at least also adapt the SecurityConfiguration right?

[lbroudoux]

In the case of my local application, it can start correctly if I add the spring.security.oauth2.resourceserver.jwt.jwk-set-uri property instead. I have to refresh my understanding on OIDC/OAuth2 to understand why...

[Afanas10101111]

Hello!
I really missed this when describing the problem, sorry. Of course, we must have at least one issuer-uri or jvc-set-uri property to configure the resource server according to the manual.