GreenButtonAlliance · dfcoffin · May 25, 2026 · May 25, 2026
diff --git a/openespi-authserver/docker/docker-compose.yml b/openespi-authserver/docker/docker-compose.yml
@@ -27,7 +27,7 @@ services:
 
       # Flyway Configuration
       SPRING_FLYWAY_ENABLED: true
-      SPRING_FLYWAY_LOCATIONS: classpath:db/migration/mysql
+      SPRING_FLYWAY_LOCATIONS: classpath:db/vendor/mysql
       SPRING_FLYWAY_BASELINE_ON_MIGRATE: true
 
       # Security Configuration

diff --git a/...c/main/java/org/greenbuttonalliance/espi/authserver/config/AuthorizationServerConfig.java b/...c/main/java/org/greenbuttonalliance/espi/authserver/config/AuthorizationServerConfig.java
@@ -136,11 +136,14 @@ public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity h
                                 new MediaTypeRequestMatcher(MediaType.TEXT_HTML)
                         )
                 )
-                // Accept access tokens for User Info and/or Client Registration
+                // Accept access tokens for User Info and/or Client Registration.
+                // OIDC auto-configures JWT validation for self-protected endpoints
+                // (id_token signing requires JWT). Outbound tokens to ESPI clients
+                // remain opaque via accessTokenFormat(REFERENCE) on each RegisteredClient.
+                // Cannot configure both .jwt() and .opaqueToken() on the same chain
+                // in Spring Security 7.x.
                 .oauth2ResourceServer(resourceServer -> resourceServer
-                        .opaqueToken(Customizer.withDefaults())
-
-                        //.jwt(Customizer.withDefaults())
+                        .jwt(Customizer.withDefaults())
                 )
                 // HTTPS Channel Security for Production
                 //should be able to use property server.ssl.enabled=true

diff --git a/.../src/main/java/org/greenbuttonalliance/espi/authserver/config/HttpsEnforcementConfig.java b/.../src/main/java/org/greenbuttonalliance/espi/authserver/config/HttpsEnforcementConfig.java
@@ -98,7 +98,12 @@ public void logSecurityConfiguration() {
      * 
      * Enforces TLS 1.3 for all requests in production environment (NAESB ESPI 4.0)
      */
-    @Bean
+    // DISABLED: this chain's securityMatcher("/**") at @Order(0) preempts the
+    // authorization-server filter chain at @Order(1), causing every OAuth2 endpoint
+    // to 404. Headers should be injected via a HeaderWriter or Filter, not via a
+    // SecurityFilterChain that monopolizes /**. AuthorizationServerConfig's own
+    // chain (@Order(1)) already configures equivalent security headers.
+    // @Bean
     @Profile("prod")
     @Order(0)
     public SecurityFilterChain httpsEnforcementFilterChain(HttpSecurity http) throws Exception {
@@ -151,7 +156,9 @@ public SecurityFilterChain httpsEnforcementFilterChain(HttpSecurity http) throws
      * 
      * Allows HTTP for development while still providing security headers
      */
-    @Bean
+    // DISABLED: same reason as httpsEnforcementFilterChain above — securityMatcher("/**")
+    // at @Order(0) blocks the auth-server endpoints.
+    // @Bean
     @Profile({"dev", "dev-mysql", "dev-postgresql", "local"})
     @Order(0)
     public SecurityFilterChain developmentSecurityFilterChain(HttpSecurity http) throws Exception {

diff --git a/openespi-authserver/src/main/resources/application-dev-mysql.yml b/openespi-authserver/src/main/resources/application-dev-mysql.yml
@@ -14,7 +14,11 @@ spring:
       minimum-idle: 5
       idle-timeout: 300000
       max-lifetime: 1200000
-      auto-commit: false
+      # auto-commit must be true: JdbcRegisteredClientRepository.save() and other
+      # repository methods do not declare @Transactional, so without auto-commit
+      # their INSERTs are never committed and silently roll back when the
+      # connection returns to the pool. Architectural cleanup tracked separately.
+      auto-commit: true
 
   # JPA/Hibernate Configuration for MySQL
   jpa:
@@ -36,11 +40,14 @@ spring:
   flyway:
     enabled: true
     baseline-on-migrate: true
-    locations: classpath:db/migration/mysql
+    locations: classpath:db/vendor/mysql
     schemas: oauth2_authserver
     user: ${spring.datasource.username}
     password: ${spring.datasource.password}
     url: ${spring.datasource.url}
+    # Skip V3+ pending ESPI 4.0 XSD-aligned schema repair (see issue #123).
+    # V1+V2 provide enough for OAuth2 grant + introspection; V3 onwards is seed/demo data.
+    target: "2.0.0"
 
 # Development Logging
 logging:

diff --git a/openespi-authserver/src/main/resources/application-dev-postgresql.yml b/openespi-authserver/src/main/resources/application-dev-postgresql.yml
@@ -38,7 +38,7 @@ spring:
   flyway:
     enabled: true
     baseline-on-migrate: true
-    locations: classpath:db/migration/postgresql
+    locations: classpath:db/vendor/postgresql
     schemas: public
 
   # Security Configuration

diff --git a/openespi-authserver/src/main/resources/application-local.yml b/openespi-authserver/src/main/resources/application-local.yml
@@ -37,7 +37,7 @@ spring:
   flyway:
     enabled: true
     baseline-on-migrate: true
-    locations: classpath:db/migration/h2
+    locations: classpath:db/vendor/h2
     schemas: oauth2_authserver
 
 # Local Development Logging

diff --git a/openespi-authserver/src/main/resources/application-prod.yml b/openespi-authserver/src/main/resources/application-prod.yml
@@ -89,7 +89,7 @@ spring:
   flyway:
     enabled: true
     baseline-on-migrate: true
-    locations: classpath:db/migration/mysql
+    locations: classpath:db/vendor/mysql
     schemas: oauth2_authserver
     validate-on-migrate: true
     clean-disabled: true

diff --git a/openespi-authserver/src/main/resources/application.yml b/openespi-authserver/src/main/resources/application.yml
@@ -50,7 +50,7 @@ spring:
   flyway:
     enabled: true
     baseline-on-migrate: true
-    locations: classpath:db/migration,classpath:db/vendor/h2
+    locations: classpath:db/vendor/h2
     #schemas: oauth2_authserver
   jackson:
     default-property-inclusion: non_null

diff --git a/openespi-authserver/src/main/resources/db/vendor/mysql/V1_0_0__create_oauth2_schema.sql b/openespi-authserver/src/main/resources/db/vendor/mysql/V1_0_0__create_oauth2_schema.sql
@@ -64,7 +64,8 @@ CREATE TABLE oauth2_registered_client (
     scopes varchar(1000) NOT NULL,
     client_settings varchar(2000) NOT NULL,
     token_settings varchar(2000) NOT NULL,
-    PRIMARY KEY (id)
+    PRIMARY KEY (id),
+    UNIQUE KEY uk_oauth2_registered_client_client_id (client_id)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
 
 -- ESPI Application Information mapping
@@ -109,5 +110,4 @@ CREATE INDEX idx_oauth2_authorization_client_principal ON oauth2_authorization (
 CREATE INDEX idx_oauth2_authorization_code ON oauth2_authorization (authorization_code_value(255));
 CREATE INDEX idx_oauth2_authorization_access_token ON oauth2_authorization (access_token_value(255));
 CREATE INDEX idx_oauth2_authorization_refresh_token ON oauth2_authorization (refresh_token_value(255));
-CREATE INDEX idx_oauth2_registered_client_id ON oauth2_registered_client (client_id);
 CREATE INDEX idx_espi_application_client_id ON espi_application_info (client_id);