SecurityMockServerConfigurers.mockOAuth2Login() keeps returning 401

[blacelle]

Describe the bug
While migrating from SpringBoot 3.5.11 to SpringBoot 4.0.3, I can not succeed migrating tests related to oauth2 login.

I observe 401 while I expected to get 200.

I tested various things:

• with and without .oauth2Login(oauth2 -> {})
• with and without BASIC
• with bindToApplicationContext
• and various other configuration suggested by LLMs.

At the opposite of the test-tooling spectrum (i.e. bare-hand setup and mocking), I also added UserControllerTest (from some LLM) which has proper mocked authentication. But at the cost of skipping manually implicit configuration (e.g. from annotations).

To Reproduce
Run bug_report.oauth2.TestSecurity_WithOAuth2_asOAuth2User.testLoginJson() in provided github reproduction repository.

Expected behavior
I expect a 200, as I expect the call to be authenticated, with the test based on @SpringBootTest, @AutoConfigureWebTestClient and SecurityMockServerConfigurers.mockOAuth2Login().

Sample

See https://github.com/solven-eu/sb4-oauth2-migration_issue

[blacelle]

Here is an all-in-one test-case reproducing the issue (also in the repro repository):

package bug_report.oauth2;

import java.util.Map;

import org.assertj.core.api.Assertions;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.boot.webtestclient.autoconfigure.AutoConfigureWebTestClient;
import org.springframework.context.annotation.Bean;
import org.springframework.core.env.Environment;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.InMemoryReactiveClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.user.OAuth2User;
import org.springframework.security.test.web.reactive.server.SecurityMockServerConfigurers;
import org.springframework.security.test.web.reactive.server.SecurityMockServerConfigurers.OAuth2LoginMutator;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.authentication.HttpStatusServerEntryPoint;
import org.springframework.test.context.junit.jupiter.SpringExtension;
import org.springframework.test.web.reactive.server.WebTestClient;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

import reactor.core.publisher.Mono;

@ExtendWith(SpringExtension.class)
@SpringBootTest(
		classes = { TestSecurity_WithOAuth2_asOAuth2User.EmptySpringBootApplication.class,
				TestSecurity_WithOAuth2_asOAuth2User.PivotableSocialWebFluxSecurity.class,
				TestSecurity_WithOAuth2_asOAuth2User.PivotableLoginController.class },
		webEnvironment = SpringBootTest.WebEnvironment.MOCK,
		properties = { "logging.level.org.springframework.security=DEBUG" })
@AutoConfigureWebTestClient(timeout = "PT10M")
public class TestSecurity_WithOAuth2_asOAuth2User {

	@Autowired
	WebTestClient webTestClient;

	private OAuth2LoginMutator prepareLogin() {
		OAuth2LoginMutator oauth2Login;
		{
			oauth2Login = SecurityMockServerConfigurers.mockOAuth2Login();
		}
		return oauth2Login;
	}

	WebTestClient getWebTestClient() {
		return webTestClient.mutateWith(prepareLogin());
	}

	@SpringBootApplication(scanBasePackages = "none")
	public static class EmptySpringBootApplication {

		@Bean
		public ReactiveClientRegistrationRepository clientRegistrationRepository() {
			ClientRegistration registration = ClientRegistration.withRegistrationId("test")
					.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
					.clientId("test-client-id")
					.clientSecret("test-client-secret")
					.redirectUri("{baseUrl}/login/oauth2/code/{registrationId}")
					.authorizationUri("https://example.com/authorize")
					.tokenUri("https://example.com/token")
					.userInfoUri("https://example.com/userinfo")
					.userNameAttributeName("sub")
					.build();

			return new InMemoryReactiveClientRegistrationRepository(registration);
		}
	}

	@EnableWebFluxSecurity
	public static class PivotableSocialWebFluxSecurity {
		@Bean
		public SecurityWebFilterChain configureUi(ServerHttpSecurity http, Environment env) {
			return http
	                .csrf(ServerHttpSecurity.CsrfSpec::disable)
					.authorizeExchange(
							auth -> auth.pathMatchers("/api/login/v1/**").authenticated().anyExchange().permitAll())
					.oauth2Login(oauth2 -> {
					})
					.exceptionHandling(e -> {
						e.authenticationEntryPoint(
								new HttpStatusServerEntryPoint(HttpStatus.PROXY_AUTHENTICATION_REQUIRED));
					})
					.build();
		}

	}

	@RestController
	@RequestMapping("/api/login/v1")
	public static class PivotableLoginController {

		public static final String P_OAUTH2 = "adhoc.pivotable.login.oauth2.enabled";

		@GetMapping("/json")
		public Mono<? extends Map<String, ?>> loginStatus(@AuthenticationPrincipal OAuth2User oauth2User) {
			return Mono.just(oauth2User.getAttributes());
		}

	}

	@Test
	public void testLoginJson() {
		getWebTestClient()

				.get()
				.uri("/api/login/v1/json")
				.accept(MediaType.APPLICATION_JSON)
				.exchange()

				.expectStatus()
				.isOk()

				.expectBody(Map.class)
				.value(body -> {
					Assertions.assertThat(body).containsEntry("login", 200).hasSize(1);
				});
	}
}

[blacelle]

@wonderfulrosemari I can confirm the fix in your PR is helpful on our actual test-cases (which are substantially richer that the case reported here).

TY a lot.

[wonderfulrosemari]

Thanks for validating this on your real test cases. Glad to hear it helps!

[jzheaux]

Hi, @blacelle, thanks for the report! Having taken a look at your sample, it appears to be missing spring-boot-starter-security-test. When I add this and change what appears to be a logical error in the test case, then the test passes.

I'd prefer to not make a one-off change to how mockOAuth2Login works since SecurityMockServerConfigurer#springSecurity() is indeed the way to add the MutatorFilter.

If updating your dependencies does not address the issue, please update the sample to reflect how it is still breaking.

[blacelle]

@jzheaux I can confirm adding spring-boot-starter-security-test fixed transparently the issue.

I see this new dependency is quite recent (https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-starter-security-test SB4+). I guess I missed it from migrations notes.

TY a lot.