UserDetailsServiceAutoConfiguration should not be disabled when ClientRegistrationRepository is present #28813
Labels
status: declined
A suggestion or change that we don't feel we should currently apply
org.springframework.boot.autoconfigure.security.servlet.UserDetailsServiceAutoConfiguration
has a conditional on missing beansorg.springframework.security.oauth2.client.registration.ClientRegistrationRepository
(some OAuth2 clients are registered) andorg.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector
(a resource server is configured). It is annoying that the defaultUserDetailsManager
is disabled as soon as some OAuth2 clients are registered. I suppose it was assumed that an application registering clients would always use itself an OAuth2 authentication, but this is not always the case. For example, one might setup a simple HTTP Basic authentication with only one user (as with default auto-configuration), but this application may need to access a remote resource server with a OAuth2 client.I suggest to simply remove the conditional on
org.springframework.security.oauth2.client.registration.ClientRegistrationRepository
.The text was updated successfully, but these errors were encountered: