
fix(authserver): strip unused OIDC/JWK/JWT — ESPI is opaque-only#135

Merged
dfcoffin merged 1 commit into
mainfrom
feature/issue-134-strip-oidc-jwk-jwt
May 27, 2026

Conversation

@dfcoffin
Contributor

Summary

Closes #134. ESPI 4.0 uses opaque access tokens only and the GBA Resource Server carries no JWK/JWT (#122 constraint). The auth-server carried OIDC + JWK/JWT-signing machinery the opaque flow never exercises. This removes it. The opaque token mint + RFC 7662 introspection path is unchanged. +40 / −148 lines.

What changed

AuthorizationServerConfig

  • Removed .oidc(...) from the authorization-server configurer.
  • Removed the .oauth2ResourceServer().jwt(...) self-protection (added in #128, fix(authserver): canonical Spring Security 7.x filter chain + Jackson modules on custom repo). The auth-server no longer bearer-protects its own endpoints — OAuth2 protocol endpoints (token/introspect/revoke) use client_secret_basic; admin/UI endpoints use the @Order(2) session-login chain. (Decision pinned in the #122 design §5.)
  • Removed jwkSource()/jwtDecoder() beans, generateRsaKey(), the .jwkSetEndpoint() declaration, and all JWK/JWT imports.

application.yml

  • Excluded OAuth2AuthorizationServerJwtAutoConfiguration so Spring Boot no longer auto-generates a JWKSource / stands up /oauth2/jwks. Removed the jwk-set-uri property.

EspiTokenCustomizer — RETAINED, not stripped

  • It's OAuth2TokenCustomizer<JwtEncodingContext> and currently inert (short-circuits unless espi.token.format=jwt), but it is the sole home of the ESPI logic that adds resource/authorization URIs to the token. That logic must migrate to the opaque token-response path (the Energy/Customer/Authorization URLs — #122 token-response augmentation). Class + bean + test kept deliberately. (Caught during review — initial instinct to delete it was wrong.)

Data-custodian — replaced the misleading "Future enhancement: Add JWT support" comment in SecurityConfiguration with a note that JWT/JWK is intentionally absent.

OIDC removal is a deferral, not permanent

OIDC returns when multi-utility Third-Party registration is built (#122). Code comments mark the re-entry point.

Tests

  • AuthorizationServerConfigTest: removed the JWK Configuration test class + jwkSource()/jwtDecoder() assertions (beans gone); espiTokenCustomizer assertions kept.
  • ClientRegistrationEndpointIntegrationTest: @Disabled — every test hits the removed OIDC /connect/register endpoint. Restore when OIDC returns; broader auth-server test-suite repair tracked in #129.
  • Integration-test blast radius is exactly that one class. OAuth2FlowIntegrationTest and SecurityIntegrationTest exercise only the opaque /oauth2/{authorize,token,introspect} + admin endpoints this change preserves; the two TestContainers DB suites are unaffected.

Verification (fresh MySQL container, dev-mysql)

  • Boots clean (~37s) with no JWKSource present (the key risk — SAS starts fine without it)
  • POST /oauth2/token (client_credentials) → 200, 128-char opaque token (0 dots)
  • POST /oauth2/introspect → 200, RFC 7662 response
  • POST /oauth2/token wrong secret → 401
  • /.well-known/openid-configuration → 404 (OIDC gone)
  • /oauth2/jwks → 302, no key served (was 200)

Known minor residue

The OAuth2 metadata document still advertises a jwks_uri that now 302s. Removing it requires a metadata customizer; harmless for opaque-only (nothing fetches jwks). Left as-is.

Test plan

Related

  • Closes #134; advances #122
  • Revisits the .jwt() self-protection from #128
  • Test-suite repair / CI re-enable tracked in #129

🤖 Generated with Claude Code

Closes #134.

ESPI 4.0 uses opaque access tokens only and the GBA Resource Server carries no
JWK/JWT. The auth-server carried OIDC + JWK/JWT-signing machinery the opaque flow
never exercises. Removed it; the opaque token mint + RFC 7662 introspection path is
unchanged.

AuthorizationServerConfig:
- Removed .oidc(...) from the authorization-server configurer.
- Removed the .oauth2ResourceServer().jwt(...) self-protection added in #128. The
  auth-server no longer validates bearer tokens on its own endpoints: OAuth2 protocol
  endpoints (token/introspect/revoke) authenticate clients via client_secret_basic;
  admin/UI endpoints are protected by the @Order(2) session-login chain (#122 design §5).
- Removed jwkSource()/jwtDecoder() beans, generateRsaKey(), the .jwkSetEndpoint()
  declaration, and all JWK/JWT imports.

application.yml:
- Excluded OAuth2AuthorizationServerJwtAutoConfiguration so Spring Boot no longer
  auto-generates a JWKSource / stands up /oauth2/jwks. Removed jwk-set-uri property.

EspiTokenCustomizer RETAINED (not stripped): it is OAuth2TokenCustomizer<JwtEncodingContext>
and currently inert (short-circuits unless espi.token.format=jwt), BUT it is the sole
home of the ESPI logic adding resource/authorization URIs to the token. That logic must
migrate to the opaque token-response path (#122 token-response augmentation), so the
class + bean + test are kept deliberately.

OIDC removal is a DEFERRAL, not permanent — OIDC returns when multi-utility Third-Party
registration is built (#122).

Data-custodian: replaced the misleading "Future enhancement: Add JWT support" comment
with a note that JWT/JWK is intentionally absent (ESPI opaque-only).

Tests:
- AuthorizationServerConfigTest: removed the JWK Configuration test class + jwkSource()/
  jwtDecoder() assertions (beans gone); espiTokenCustomizer assertions kept.
- ClientRegistrationEndpointIntegrationTest: @Disabled — every test hits the removed OIDC
  /connect/register endpoint. Restore when OIDC returns (#122); suite repair tracked in #129.
- Blast radius is exactly that one class; OAuth2FlowIntegrationTest and
  SecurityIntegrationTest exercise only the opaque /oauth2/{authorize,token,introspect}
  + admin endpoints this change preserves.

Verified (fresh MySQL, dev-mysql):
- Boots clean (~37s) with NO JWKSource
- POST /oauth2/token (client_credentials) -> 200 opaque token (128 chars, 0 dots)
- POST /oauth2/introspect -> 200 RFC 7662
- wrong secret -> 401
- /.well-known/openid-configuration -> 404; /oauth2/jwks -> 302 (no key served)

Known minor residue: the OAuth2 metadata doc still advertises a jwks_uri that now 302s
(removing it needs a metadata customizer; harmless for opaque-only). Left as-is.

Refs: #122 #128 #129

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
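The configuration the PR describes, written out as an added example (this is not the project's AuthorizationServerConfig or EspiTokenCustomizer; it assumes the Spring Authorization Server 1.4+/Spring Security 7 API shape with the `OAuth2AuthorizationServerConfigurer.authorizationServer()` factory). It has no `.oidc(...)`, no JWKSource/JwtDecoder beans and no `.oauth2ResourceServer().jwt(...)` self-protection, issues REFERENCE (opaque) tokens, and puts the ESPI URI augmentation on the /oauth2/token response path rather than in a JWT claims customizer. The demo client, its scope, the data-custodian hostname and the two response-parameter names (`resourceURI`, `authorizationURI`) are assumptions for illustration; the `jwks_uri` removal goes one step beyond the PR, which deliberately left that residue in place.

```java
// Added example, not the project's code: opaque-only Spring Authorization Server config
// in the shape this PR describes (no .oidc(), no JWKSource/JwtDecoder, client_secret_basic
// on protocol endpoints, session login on the @Order(2) chain). Names below are assumed.
import java.util.Map;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.MediaType;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.server.authorization.client.InMemoryRegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer;
import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings;
import org.springframework.security.oauth2.server.authorization.settings.OAuth2TokenFormat;
import org.springframework.security.oauth2.server.authorization.settings.TokenSettings;
import org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2AccessTokenResponseAuthenticationSuccessHandler;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.util.matcher.MediaTypeRequestMatcher;

@Configuration
public class OpaqueOnlyAuthorizationServerConfig {
    // Hypothetical ESPI token-response parameter names and data-custodian host (assumptions).
    static final String RESOURCE_URI = "resourceURI";
    static final String AUTHORIZATION_URI = "authorizationURI";
    static final String DATA_CUSTODIAN = "https://datacustodian.example";

    @Bean
    @Order(1)
    SecurityFilterChain protocolEndpoints(HttpSecurity http) throws Exception {
        OAuth2AuthorizationServerConfigurer authServer = OAuth2AuthorizationServerConfigurer.authorizationServer();
        // The /oauth2/token JSON response is where the URI-adding logic of the JWT-era
        // EspiTokenCustomizer belongs once access tokens are opaque (no claims to customize).
        OAuth2AccessTokenResponseAuthenticationSuccessHandler tokenResponse = new OAuth2AccessTokenResponseAuthenticationSuccessHandler();
        tokenResponse.setAccessTokenResponseCustomizer(ctx -> ctx.getAccessTokenResponse()
                .additionalParameters(Map.of(
                        RESOURCE_URI, DATA_CUSTODIAN + "/espi/resource/",
                        AUTHORIZATION_URI, DATA_CUSTODIAN + "/espi/resource/Authorization/"
                                + ctx.getAuthorization().getId())));

        http
            .securityMatcher(authServer.getEndpointsMatcher())
            // No .oidc(...): /.well-known/openid-configuration and /connect/register are not registered.
            // No JWKSource bean exists, so SAS wires only the reference + refresh token generators.
            .with(authServer, as -> as
                .tokenEndpoint(t -> t.accessTokenResponseHandler(tokenResponse))
                // Stop advertising a jwks_uri that nothing can fetch (the PR's "known residue").
                .authorizationServerMetadataEndpoint(m -> m.authorizationServerMetadataCustomizer(
                        md -> md.claims(c -> c.remove("jwks_uri")))))
            // Protocol endpoints authenticate the client (client_secret_basic); no bearer self-protection.
            .authorizeHttpRequests(a -> a.anyRequest().authenticated())
            // Browser hits on /oauth2/authorize go to the @Order(2) chain's login page, not a bare 401.
            .exceptionHandling(e -> e.defaultAuthenticationEntryPointFor(
                    new LoginUrlAuthenticationEntryPoint("/login"),
                    new MediaTypeRequestMatcher(MediaType.TEXT_HTML)));
        return http.build();
    }

    @Bean
    @Order(2)
    SecurityFilterChain adminAndUi(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(a -> a.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }

    @Bean
    RegisteredClientRepository registeredClientRepository() {
        // Demo client (constructed). {noop} is for illustration only; use a real PasswordEncoder.
        RegisteredClient thirdParty = RegisteredClient.withId("third-party-demo-id")
            .clientId("third-party-demo")
            .clientSecret("{noop}demo-secret")
            .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
            .authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
            .scope("FB=4_5_15")
            .tokenSettings(TokenSettings.builder()
                .accessTokenFormat(OAuth2TokenFormat.REFERENCE) // opaque: no header.payload.signature
                .build())
            .build();
        return new InMemoryRegisteredClientRepository(thirdParty);
    }

    @Bean
    AuthorizationServerSettings authorizationServerSettings() {
        return AuthorizationServerSettings.builder().build();
    }
}
```

Checks worth repeating against this shape, matching the PR's verification list: a client_credentials token from /oauth2/token contains no dots and the response carries the two extra parameters; /oauth2/introspect with the client's Basic credentials returns the RFC 7662 document; a wrong secret gets 401; /.well-known/openid-configuration is 404; and /.well-known/oauth-authorization-server no longer lists jwks_uri. If the ESPI data must live on the token itself rather than in the response, the opaque-token counterpart of `OAuth2TokenCustomizer<JwtEncodingContext>` is `OAuth2TokenCustomizer<OAuth2TokenClaimsContext>`, but those claims are stored with the authorization, not serialised into the token string, so the response-parameter route above is the one that reaches the Third Party.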
@dfcoffin added the labels Polish (Clean up unnecessary logic or code smells), ESPI 4.0 (Touches the NAESB ESPI 4.0 implementation) and infrastructure (CI, build, deployment, or developer tooling) on May 27, 2026
@dfcoffin dfcoffin merged commit e31a617 into main May 27, 2026
4 checks passed

Labels

  • ESPI 4.0: Touches the NAESB ESPI 4.0 implementation
  • infrastructure: CI, build, deployment, or developer tooling
  • Polish: Clean up unnecessary logic or code smells


Development

Linked issue closed by this merge: #134, Strip unused OIDC/JWK/JWT from auth-server (ESPI is opaque-only)

1 participant