
Consider adding runtime hints to support oauth2Login() and oauth2Client()

Open msosa opened this issue 2 months ago • 5 comments

Describe the bug

When running a native Spring Boot image with Spring Security and Redis sessions I get an error both with JDK serialization and the JSON serialization when trying to log in via OAuth2. It looks like there is this bug in Spring Session which seems related.

Specifically for the Jackson error, it looks like not all the modules are in the loader

SecurityJackson2Modules.getModules(this.loader)

in particular these

org.springframework.security.oauth2.client.jackson2.OAuth2ClientJackson2Module
org.springframework.security.web.jackson2.WebJackson2Module
org.springframework.security.web.server.jackson2.WebServerJackson2Module

are missing in the native image, but not the non-native image

To Reproduce

The steps to reproduce are in the readme of the sample

Expected behavior

There should be no error when running a native image

Sample


A snippet from the error

org.springframework.data.redis.serializer.SerializationException: Could not read JSON:Class org.springframework.security.oauth2.client.jackson2.OAuth2AuthorizationRequestDeserializer has no default (no arg) constructor

msosa avatar Nov 05 '25 21:11 msosa

https://github.com/spring-projects/spring-security/issues/15764#issuecomment-3139843228

BenEfrati avatar Nov 09 '25 08:11 BenEfrati

Thanks @BenEfrati, I gave that a try (and the comment a little further down) but still see an error with both the JDK and JSON serializers

msosa avatar Nov 09 '25 19:11 msosa

@msosa Take a look at this working sample and specifically these runtime hints.

jgrandja avatar Nov 14 '25 19:11 jgrandja

Thanks @jgrandja, that seems to fix the logging in issue!

Just a note, and not sure it matters, but I am using reactive and some of those hints were specifically for non-reactive classes. It still worked regardless though.

There is also one more issue, I think, now that login works. Going to /logout causes another new error

2025-11-14T21:00:56.161Z ERROR 1 --- [llEventLoop-5-1] a.w.r.e.AbstractErrorWebExceptionHandler : [2357269e-4]  500 Server Error for HTTP POST "/logout"

org.springframework.data.redis.serializer.SerializationException: Could not read JSON:Could not resolve subtype of [simple type, class java.lang.Object]: missing type id property '@class'

and here is what's in Redis

"HMSET" "spring:session:sessions:b8a686f2-f97d-44a4-8882-7ba437cfd456" "lastAccessedTime" "1763156397112" "sessionAttr:org.springframework.security.web.server.csrf.WebSessionServerCsrfTokenRepository.CSRF_TOKEN" "{\"token\":\"a3dfeda2-c26f-1d0e-97d0-14e06b133e3b\",\"parameterName\":\"_csrf\",\"headerName\":\"X-CSRF-TOKEN\"}"

msosa avatar Nov 14 '25 21:11 msosa

@jgrandja I had a little more time to look at it. The logout issue was due to some additional reactive classes missing hints. I made some swaps and got it to work locally

WebServletJackson2Module -> WebServerJackson2Module
DefaultCsrfTokenMixin -> DefaultCsrfServerTokenMixin
org.springframework.security.web.csrf.DefaultCsrfToken -> org.springframework.security.web.server.csrf.DefaultCsrfToken

msosa avatar Nov 15 '25 17:11 msosa
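
One way to register reflection hints for the reactive classes named in this thread, as an added example (not the linked sample's code or the project's own). The class name `ReactiveSessionJacksonHints` and the package of `DefaultCsrfServerTokenMixin` are assumptions; the other fully qualified names are copied from the comments above.

```java
import org.springframework.aot.hint.MemberCategory;
import org.springframework.aot.hint.RuntimeHints;
import org.springframework.aot.hint.RuntimeHintsRegistrar;
import org.springframework.aot.hint.TypeReference;

/**
 * Added example: reflection hints for the reactive Spring Security Jackson
 * classes discussed in this issue. Activate it with
 * {@code @ImportRuntimeHints(ReactiveSessionJacksonHints.class)} on a
 * {@code @Configuration} class so the AOT build picks it up.
 */
public class ReactiveSessionJacksonHints implements RuntimeHintsRegistrar {

    // Fully qualified names quoted in the thread: the modules reported missing
    // from the loader, the deserializer from the "no default constructor"
    // error, and the reactive CSRF token type stored in the session.
    private static final String[] FROM_THREAD = {
        "org.springframework.security.oauth2.client.jackson2.OAuth2ClientJackson2Module",
        "org.springframework.security.web.jackson2.WebJackson2Module",
        "org.springframework.security.web.server.jackson2.WebServerJackson2Module",
        "org.springframework.security.oauth2.client.jackson2.OAuth2AuthorizationRequestDeserializer",
        "org.springframework.security.web.server.csrf.DefaultCsrfToken",
    };

    // The thread gives only the simple name of this mixin; the package is an
    // assumption (same package as WebServerJackson2Module).
    private static final String[] ASSUMED = {
        "org.springframework.security.web.server.jackson2.DefaultCsrfServerTokenMixin",
    };

    @Override
    public void registerHints(RuntimeHints hints, ClassLoader classLoader) {
        register(hints, FROM_THREAD);
        register(hints, ASSUMED);
    }

    // Registering by name (TypeReference.of(String)) avoids compile-time
    // access to package-private classes. Constructors and methods are kept
    // invocable so Jackson can instantiate modules and deserializers and
    // read the mixin's creator annotations in the native image.
    private static void register(RuntimeHints hints, String[] names) {
        for (String name : names) {
            hints.reflection().registerType(TypeReference.of(name),
                    MemberCategory.INVOKE_DECLARED_CONSTRUCTORS,
                    MemberCategory.INVOKE_DECLARED_METHODS);
        }
    }
}
```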