
Invalid Certificate - PKIX Path - RestTemplate #14251

Closed
Jatish-Khanna opened this issue Dec 6, 2023 · 2 comments
Assignees
Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) status: declined A suggestion or change that we don't feel we should currently apply type: enhancement A general enhancement

Comments

@Jatish-Khanna

Describe the bug
Caused by: org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://.../.well-known/openid-configuration": PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at org.springframework.web.client.RestTemplate.createResourceAccessException(RestTemplate.java:888)
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:868)
at org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:714)
at org.springframework.security.oauth2.client.registration.ClientRegistrations.lambda$oidc$0(ClientRegistrations.java:163)
at org.springframework.security.oauth2.client.registration.ClientRegistrations.getBuilder(ClientRegistrations.java:216)
... 58 common frames omitted

To Reproduce
Don't have the SSL certificate in the cacerts and use Spring boot security - oauth2 client 6.1.5

Expected behavior
Either it should depend on the RestTemplate bean or should accept the certificate.

Sample
Used SSL configuration as well

```yaml
spring:
  ssl:
    bundle:
      pem:
        client:
          truststore:
            certificate: "classpath:config/tls/certs.crt"
server:
  ssl:
    bundle: "client"
  http2:
    enabled: true
```


@Jatish-Khanna Jatish-Khanna added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Dec 6, 2023
@jzheaux jzheaux added in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Dec 11, 2023
@ZIRAKrezovic

I had the same issue but the resolution was ultimately set to "Won't Fix". I hope with one more person around with the same problem they'll change their mind.

#14176

@sjohnr
Member

sjohnr commented Jan 5, 2024

@Jatish-Khanna thanks for reaching out!

As pointed out by @ZIRAKrezovic, we have had similar reports in the past. Please see this comment on gh-8882, which states:

ClientRegistrations is intended to be used as a utility/convenience class. It was designed to fulfill most use cases, however, it may not be suitable for certain use cases. For example, if the internal network traffic must be routed through a Proxy, you can bypass discovery by configuring the authorization-uri and token-uri property instead of the issuer-uri property.

You are encouraged to specify the ClientRegistrationRepository yourself, as the convenience of the ClientRegistrations utility class used by Spring Boot when configuring from properties is not intended for advanced cases like this one.

For other aspects of OAuth2 Client, we have added a feature in the 6.2 release (see gh-13587) that simplifies configuration. The reference docs include an example of how to customize the RestOperations used by OAuth2 Client components.

In other words, you can override all of the components you need by publishing your own beans. As stated in the above comment, there are no plans to integrate directly with a Spring Boot provided RestTemplate. See the comment and issue for context on that.

I'm going to close this with the above explanation. If you have any questions about the new feature in 6.2 or anything else, please feel free to open a stackoverflow question and post a link here and I'll be happy to take a look! If you have any suggested improvements, please open a specific issue and link it here.

@sjohnr sjohnr closed this as completed Jan 5, 2024
@sjohnr sjohnr added the status: declined A suggestion or change that we don't feel we should currently apply label Jan 5, 2024
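The approach sjohnr describes, as an added example that is not from the issue or from Spring Security's own code: a `ClientRegistrationRepository` built with explicit `authorization-uri`/`token-uri`/`jwk-set-uri` values (so no `.well-known/openid-configuration` discovery request is made through the internal `RestTemplate` of `ClientRegistrations`), plus an `OAuth2AccessTokenResponseClient` bean whose `RestTemplate` is backed by the `client` SSL bundle from the YAML above, which Spring Security 6.2+ picks up for the `authorization_code` grant (the gh-13587 feature). It assumes Spring Boot 3.1+ (`SslBundles`, `RestTemplateBuilder.setSslBundle`), Spring Security 6.2+, and that the `idp.example.internal` endpoints, the `internal-idp` registration id and the `app.idp.*` properties are placeholders to replace with your own.

```java
// Added example, not the issue author's or Spring Security's code.
// Assumes Spring Boot 3.1+ and Spring Security 6.2+; endpoint URLs,
// registration id and app.idp.* property names are placeholders.
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.ssl.SslBundles;
import org.springframework.boot.web.client.RestTemplateBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.converter.FormHttpMessageConverter;
import org.springframework.security.oauth2.client.endpoint.DefaultAuthorizationCodeTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest;
import org.springframework.security.oauth2.client.http.OAuth2ErrorResponseErrorHandler;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.core.http.converter.OAuth2AccessTokenResponseHttpMessageConverter;
import org.springframework.web.client.RestTemplate;

@Configuration
public class OAuth2ClientTlsConfig {

    // Explicit endpoints instead of issuer-uri: Spring Boot then never calls
    // ClientRegistrations.fromIssuerLocation(), so the discovery request that
    // failed with "PKIX path building failed" is not made at all.
    @Bean
    ClientRegistrationRepository clientRegistrationRepository(
            @Value("${app.idp.client-id}") String clientId,          // placeholder property
            @Value("${app.idp.client-secret}") String clientSecret) { // placeholder property
        ClientRegistration idp = ClientRegistration.withRegistrationId("internal-idp")
                .clientId(clientId)
                .clientSecret(clientSecret)
                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .redirectUri("{baseUrl}/login/oauth2/code/{registrationId}")
                .scope("openid", "profile")
                .issuerUri("https://idp.example.internal")                       // placeholder
                .authorizationUri("https://idp.example.internal/oauth2/authorize") // placeholder
                .tokenUri("https://idp.example.internal/oauth2/token")            // placeholder
                .jwkSetUri("https://idp.example.internal/oauth2/jwks")            // placeholder
                .userNameAttributeName("sub")
                .build();
        return new InMemoryClientRegistrationRepository(idp);
    }

    // A RestTemplate that trusts only the certificate(s) in the "client" SSL
    // bundle from application.yml, with the message converters and error handler
    // DefaultAuthorizationCodeTokenResponseClient requires.
    @Bean
    RestTemplate oauth2TokenRestTemplate(RestTemplateBuilder builder, SslBundles sslBundles) {
        return builder
                .setSslBundle(sslBundles.getBundle("client"))
                .messageConverters(new FormHttpMessageConverter(),
                        new OAuth2AccessTokenResponseHttpMessageConverter())
                .errorHandler(new OAuth2ErrorResponseErrorHandler())
                .build();
    }

    // Spring Security 6.2+ uses this bean for the authorization_code token
    // exchange, so that call goes through the bundle-backed RestTemplate instead
    // of a default one that only knows the JDK cacerts.
    @Bean
    OAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> tokenResponseClient(
            RestTemplate oauth2TokenRestTemplate) {
        DefaultAuthorizationCodeTokenResponseClient client =
                new DefaultAuthorizationCodeTokenResponseClient();
        client.setRestOperations(oauth2TokenRestTemplate);
        return client;
    }
}
```

Two practical caveats. First, the token endpoint is not the only outbound TLS call: validating the ID token fetches the JWK set and `oauth2Login()` calls the UserInfo endpoint, each through its own `RestOperations`, so the `JwtDecoderFactory<ClientRegistration>` and `OAuth2UserService` beans need the same bundle-backed client if those hosts present the same private CA. Second, keeping the private CA in a dedicated bundle rather than editing `cacerts` or disabling verification keeps the trust decision scoped to this client and visible in configuration, which is what you want when the certificate is later rotated.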