Merge pull request #49029 from itsmevichu

* gh-49029:
  Polish "Add customizers for opaque token introspector builders"
  Add customizers for opaque token introspector builders

Closes gh-49029

Author: wilkinsona

documentation/spring-boot-docs/src/docs/antora/modules/reference/pages/web/spring-security.adoc

@@ -299,7 +299,11 @@ spring:
 ----
 
 Again, the same properties are applicable for both servlet and reactive applications.
-Alternatively, you can define your own javadoc:org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector[] bean for servlet applications or a javadoc:org.springframework.security.oauth2.server.resource.introspection.ReactiveOpaqueTokenIntrospector[] for reactive applications.
+
+The result is an auto-configured introspector. Either a javadoc:org.springframework.security.oauth2.server.resource.introspection.SpringOpaqueTokenIntrospector[] or, in a reactive application, a javadoc:org.springframework.security.oauth2.server.resource.introspection.SpringReactiveOpaqueTokenIntrospector[].
+These auto-configured introspectors can be customized using javadoc:org.springframework.boot.security.oauth2.server.resource.autoconfigure.SpringOpaqueTokenIntrospectorBuilderCustomizer[] and javadoc:org.springframework.boot.security.oauth2.server.resource.autoconfigure.reactive.SpringReactiveOpaqueTokenIntrospectorBuilderCustomizer[] beans respectively.
+
+To take complete control of the introspection, define your own javadoc:org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector[] or javadoc:org.springframework.security.oauth2.server.resource.introspection.ReactiveOpaqueTokenIntrospector[] bean.
 
 
 

module/spring-boot-security-oauth2-resource-server/src/main/java/org/springframework/boot/security/oauth2/server/resource/autoconfigure/OpaqueTokenIntrospectionConfiguration.java

@@ -16,6 +16,7 @@
 
 package org.springframework.boot.security.oauth2.server.resource.autoconfigure;
 
+import org.springframework.beans.factory.ObjectProvider;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.context.annotation.Bean;
@@ -36,16 +37,19 @@ class OpaqueTokenIntrospectionConfiguration {
 
 	@Bean
 	@ConditionalOnProperty(name = "spring.security.oauth2.resourceserver.opaquetoken.introspection-uri")
-	SpringOpaqueTokenIntrospector opaqueTokenIntrospector(OAuth2ResourceServerProperties properties) {
+	SpringOpaqueTokenIntrospector opaqueTokenIntrospector(OAuth2ResourceServerProperties properties,
+			ObjectProvider<SpringOpaqueTokenIntrospectorBuilderCustomizer> customizers) {
 		OAuth2ResourceServerProperties.Opaquetoken token = properties.getOpaquetoken();
 		Assert.state(token.getClientId() != null,
 				"No 'spring.security.oauth2.resourceserver.opaquetoken.client-id' property specified");
 		Assert.state(token.getClientSecret() != null,
 				"No 'spring.security.oauth2.resourceserver.opaquetoken.client-secret' property specified");
-		return SpringOpaqueTokenIntrospector.withIntrospectionUri(token.getIntrospectionUri())
+		SpringOpaqueTokenIntrospector.Builder builder = SpringOpaqueTokenIntrospector
+			.withIntrospectionUri(token.getIntrospectionUri())
 			.clientId(token.getClientId())
-			.clientSecret(token.getClientSecret())
-			.build();
+			.clientSecret(token.getClientSecret());
+		customizers.orderedStream().forEach((customizer) -> customizer.customize(builder));
+		return builder.build();
 	}
 
 }

module/spring-boot-security-oauth2-resource-server/src/main/java/org/springframework/boot/security/oauth2/server/resource/autoconfigure/SpringOpaqueTokenIntrospectorBuilderCustomizer.java

@@ -0,0 +1,39 @@
+/*
+ * Copyright 2012-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.boot.security.oauth2.server.resource.autoconfigure;
+
+import org.springframework.security.oauth2.server.resource.introspection.SpringOpaqueTokenIntrospector;
+import org.springframework.security.oauth2.server.resource.introspection.SpringOpaqueTokenIntrospector.Builder;
+
+/**
+ * Callback interface for the customization of the {@link Builder
+ * SpringOpaqueTokenIntrospector.Builder} used to create the auto-configured
+ * {@link SpringOpaqueTokenIntrospector}.
+ *
+ * @author Vishnutheep B
+ * @since 4.1.0
+ */
+@FunctionalInterface
+public interface SpringOpaqueTokenIntrospectorBuilderCustomizer {
+
+	/**
+	 * Customize the given {@code builder}.
+	 * @param builder the {@code builder} to customize
+	 */
+	void customize(SpringOpaqueTokenIntrospector.Builder builder);
+
+}

module/spring-boot-security-oauth2-resource-server/src/main/java/org/springframework/boot/security/oauth2/server/resource/autoconfigure/reactive/ReactiveOpaqueTokenIntrospectionClientConfiguration.java

@@ -16,6 +16,7 @@
 
 package org.springframework.boot.security.oauth2.server.resource.autoconfigure.reactive;
 
+import org.springframework.beans.factory.ObjectProvider;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.boot.security.oauth2.server.resource.autoconfigure.OAuth2ResourceServerProperties;
@@ -37,16 +38,19 @@ class ReactiveOpaqueTokenIntrospectionClientConfiguration {
 
 	@Bean
 	@ConditionalOnProperty(name = "spring.security.oauth2.resourceserver.opaquetoken.introspection-uri")
-	SpringReactiveOpaqueTokenIntrospector reactiveOpaqueTokenIntrospector(OAuth2ResourceServerProperties properties) {
+	SpringReactiveOpaqueTokenIntrospector reactiveOpaqueTokenIntrospector(OAuth2ResourceServerProperties properties,
+			ObjectProvider<SpringReactiveOpaqueTokenIntrospectorBuilderCustomizer> customizers) {
 		OAuth2ResourceServerProperties.Opaquetoken token = properties.getOpaquetoken();
 		Assert.state(token.getClientId() != null,
 				"No 'spring.security.oauth2.resourceserver.opaquetoken.client-id' property specified");
 		Assert.state(token.getClientSecret() != null,
 				"No 'spring.security.oauth2.resourceserver.opaquetoken.client-secret' property specified");
-		return SpringReactiveOpaqueTokenIntrospector.withIntrospectionUri(token.getIntrospectionUri())
+		SpringReactiveOpaqueTokenIntrospector.Builder builder = SpringReactiveOpaqueTokenIntrospector
+			.withIntrospectionUri(token.getIntrospectionUri())
 			.clientId(token.getClientId())
-			.clientSecret(token.getClientSecret())
-			.build();
+			.clientSecret(token.getClientSecret());
+		customizers.orderedStream().forEach((customizer) -> customizer.customize(builder));
+		return builder.build();
 	}
 
 }

module/spring-boot-security-oauth2-resource-server/src/main/java/org/springframework/boot/security/oauth2/server/resource/autoconfigure/reactive/SpringReactiveOpaqueTokenIntrospectorBuilderCustomizer.java

@@ -0,0 +1,39 @@
+/*
+ * Copyright 2012-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.boot.security.oauth2.server.resource.autoconfigure.reactive;
+
+import org.springframework.security.oauth2.server.resource.introspection.SpringReactiveOpaqueTokenIntrospector;
+import org.springframework.security.oauth2.server.resource.introspection.SpringReactiveOpaqueTokenIntrospector.Builder;
+
+/**
+ * Callback interface for the customization of the {@link Builder
+ * SpringReactiveOpaqueTokenIntrospector.Builder} used to create the auto-configured
+ * {@link SpringReactiveOpaqueTokenIntrospector}.
+ *
+ * @author Vishnutheep B
+ * @since 4.1.0
+ */
+@FunctionalInterface
+public interface SpringReactiveOpaqueTokenIntrospectorBuilderCustomizer {
+
+	/**
+	 * Customize the given {@code builder}.
+	 * @param builder the {@code builder} to customize
+	 */
+	void customize(SpringReactiveOpaqueTokenIntrospector.Builder builder);
+
+}

module/spring-boot-security-oauth2-resource-server/src/test/java/org/springframework/boot/security/oauth2/server/resource/autoconfigure/OAuth2ResourceServerAutoConfigurationTests.java

@@ -428,7 +428,21 @@ void autoConfigurationWhenIntrospectionUriAvailableShouldConfigureIntrospectionC
 					"spring.security.oauth2.resourceserver.opaquetoken.introspection-uri=https://check-token.com",
 					"spring.security.oauth2.resourceserver.opaquetoken.client-id=my-client-id",
 					"spring.security.oauth2.resourceserver.opaquetoken.client-secret=my-client-secret")
-			.run((context) -> assertThat(context).hasSingleBean(OpaqueTokenIntrospector.class));
+			.run((context) -> {
+				assertThat(context).hasSingleBean(OpaqueTokenIntrospector.class);
+				assertSpringOpaqueTokenIntrospectorBuilderCustomization(context);
+			});
+	}
+
+	private void assertSpringOpaqueTokenIntrospectorBuilderCustomization(AssertableWebApplicationContext context) {
+		SpringOpaqueTokenIntrospectorBuilderCustomizer customizer = context
+			.getBean("opaqueTokenIntrospectorBuilderCustomizer", SpringOpaqueTokenIntrospectorBuilderCustomizer.class);
+		SpringOpaqueTokenIntrospectorBuilderCustomizer anotherCustomizer = context.getBean(
+				"anotherOpaqueTokenIntrospectorBuilderCustomizer",
+				SpringOpaqueTokenIntrospectorBuilderCustomizer.class);
+		InOrder inOrder = inOrder(customizer, anotherCustomizer);
+		inOrder.verify(customizer).customize(any());
+		inOrder.verify(anotherCustomizer).customize(any());
 	}
 
 	@Test
@@ -854,6 +868,18 @@ JwkSetUriJwtDecoderBuilderCustomizer anotherDecoderBuilderCustomizer() {
 			return mock(JwkSetUriJwtDecoderBuilderCustomizer.class);
 		}
 
+		@Bean
+		@Order(1)
+		SpringOpaqueTokenIntrospectorBuilderCustomizer opaqueTokenIntrospectorBuilderCustomizer() {
+			return mock(SpringOpaqueTokenIntrospectorBuilderCustomizer.class);
+		}
+
+		@Bean
+		@Order(2)
+		SpringOpaqueTokenIntrospectorBuilderCustomizer anotherOpaqueTokenIntrospectorBuilderCustomizer() {
+			return mock(SpringOpaqueTokenIntrospectorBuilderCustomizer.class);
+		}
+
 	}
 
 	@Configuration(proxyBeanMethods = false)

module/spring-boot-security-oauth2-resource-server/src/test/java/org/springframework/boot/security/oauth2/server/resource/autoconfigure/reactive/ReactiveOAuth2ResourceServerAutoConfigurationTests.java

@@ -400,7 +400,23 @@ void autoConfigurationWhenIntrospectionUriAvailableShouldConfigureIntrospectionC
 					"spring.security.oauth2.resourceserver.opaquetoken.introspection-uri=https://check-token.com",
 					"spring.security.oauth2.resourceserver.opaquetoken.client-id=my-client-id",
 					"spring.security.oauth2.resourceserver.opaquetoken.client-secret=my-client-secret")
-			.run((context) -> assertThat(context).hasSingleBean(ReactiveOpaqueTokenIntrospector.class));
+			.run((context) -> {
+				assertThat(context).hasSingleBean(ReactiveOpaqueTokenIntrospector.class);
+				assertSpringReactiveOpaqueTokenIntrospectorBuilderCustomization(context);
+			});
+	}
+
+	private void assertSpringReactiveOpaqueTokenIntrospectorBuilderCustomization(
+			AssertableReactiveWebApplicationContext context) {
+		SpringReactiveOpaqueTokenIntrospectorBuilderCustomizer customizer = context.getBean(
+				"reactiveOpaqueTokenIntrospectorBuilderCustomizer",
+				SpringReactiveOpaqueTokenIntrospectorBuilderCustomizer.class);
+		SpringReactiveOpaqueTokenIntrospectorBuilderCustomizer anotherCustomizer = context.getBean(
+				"anotherReactiveOpaqueTokenIntrospectorBuilderCustomizer",
+				SpringReactiveOpaqueTokenIntrospectorBuilderCustomizer.class);
+		InOrder inOrder = inOrder(customizer, anotherCustomizer);
+		inOrder.verify(customizer).customize(any());
+		inOrder.verify(anotherCustomizer).customize(any());
 	}
 
 	@Test
@@ -865,6 +881,18 @@ JwkSetUriReactiveJwtDecoderBuilderCustomizer anotherDecoderBuilderCustomizer() {
 			return mock(JwkSetUriReactiveJwtDecoderBuilderCustomizer.class);
 		}
 
+		@Bean
+		@Order(1)
+		SpringReactiveOpaqueTokenIntrospectorBuilderCustomizer reactiveOpaqueTokenIntrospectorBuilderCustomizer() {
+			return mock(SpringReactiveOpaqueTokenIntrospectorBuilderCustomizer.class);
+		}
+
+		@Bean
+		@Order(2)
+		SpringReactiveOpaqueTokenIntrospectorBuilderCustomizer anotherReactiveOpaqueTokenIntrospectorBuilderCustomizer() {
+			return mock(SpringReactiveOpaqueTokenIntrospectorBuilderCustomizer.class);
+		}
+
 	}
 
 	@Configuration(proxyBeanMethods = false)