feat: Make Okta authentication respects proxy

kafka-ui-api/src/main/java/com/provectus/kafka/ui/config/auth/CustomOidcAuthenticationManagerBuilder.java

@@ -0,0 +1,49 @@
+package com.provectus.kafka.ui.config.auth;
+
+import com.provectus.kafka.ui.util.WebClientConfigurator;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.context.annotation.Bean;
+import org.springframework.security.oauth2.client.endpoint.WebClientReactiveAuthorizationCodeTokenResponseClient;
+import org.springframework.security.oauth2.client.oidc.authentication.OidcAuthorizationCodeReactiveAuthenticationManager;
+import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
+import org.springframework.security.oauth2.client.registration.ClientRegistration;
+import org.springframework.security.oauth2.client.userinfo.ReactiveOAuth2UserService;
+import org.springframework.security.oauth2.core.oidc.user.OidcUser;
+import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder;
+import org.springframework.security.oauth2.jwt.ReactiveJwtDecoderFactory;
+import org.springframework.stereotype.Component;
+import org.springframework.web.reactive.function.client.WebClient;
+
+@Component
+@ConditionalOnProperty(value = "auth.type", havingValue = "OAUTH2")
+public class CustomOidcAuthenticationManagerBuilder {
+  private WebClient webClient = new WebClientConfigurator().build();
+  // Reuse customOidcUserService bean from `OAuthSecurityConfig`
+  private ReactiveOAuth2UserService<OidcUserRequest, OidcUser> oidcUserService;
+  @Value("${auth.oauth2.client.okta.jwk-set-uri}")
+  private String jwkUri;
+
+  public CustomOidcAuthenticationManagerBuilder(ReactiveOAuth2UserService<OidcUserRequest, OidcUser> oidcUserService) {
+    this.oidcUserService = oidcUserService;
+  }
+
+  public OidcAuthorizationCodeReactiveAuthenticationManager build() {
+    // Use WebClient that respects proxy settings to get token
+    WebClientReactiveAuthorizationCodeTokenResponseClient client =
+        new WebClientReactiveAuthorizationCodeTokenResponseClient();
+    client.setWebClient(webClient);
+
+    // Use WebClient that respects proxy settings to get JWT
+    ReactiveJwtDecoderFactory<ClientRegistration> idTokenDecoderFactory =
+        (clientRegistration) -> NimbusReactiveJwtDecoder.withJwkSetUri(jwkUri)
+            .webClient(webClient)
+            .build();
+
+    OidcAuthorizationCodeReactiveAuthenticationManager manager =
+        new OidcAuthorizationCodeReactiveAuthenticationManager(client, oidcUserService);
+    manager.setJwtDecoderFactory(idTokenDecoderFactory);
+
+    return manager;
+  }
+}

kafka-ui-api/src/main/java/com/provectus/kafka/ui/config/auth/OAuthSecurityConfig.java

@@ -7,6 +7,7 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Optional;
+import com.provectus.kafka.ui.util.WebClientConfigurator;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.log4j.Log4j2;
 import org.jetbrains.annotations.Nullable;
@@ -33,6 +34,7 @@
 import org.springframework.security.oauth2.core.user.OAuth2User;
 import org.springframework.security.web.server.SecurityWebFilterChain;
 import org.springframework.security.web.server.authentication.logout.ServerLogoutSuccessHandler;
+import org.springframework.web.reactive.function.client.WebClient;
 import reactor.core.publisher.Mono;
 
 @Configuration
@@ -46,8 +48,15 @@ public class OAuthSecurityConfig extends AbstractAuthSecurityConfig {
 
   private final OAuthProperties properties;
 
+  // Create WebClient that respects proxy settings
+  private WebClient webClient = new WebClientConfigurator().build();
+
   @Bean
-  public SecurityWebFilterChain configure(ServerHttpSecurity http, OAuthLogoutSuccessHandler logoutHandler) {
+  public SecurityWebFilterChain configure(
+      ServerHttpSecurity http,
+      OAuthLogoutSuccessHandler logoutHandler,
+      CustomOidcAuthenticationManagerBuilder oidcAuthenticationManagerBuilder
+  ) {
     log.info("Configuring OAUTH2 authentication.");
 
     return http.authorizeExchange(spec -> spec
@@ -56,15 +65,18 @@ public SecurityWebFilterChain configure(ServerHttpSecurity http, OAuthLogoutSucc
             .anyExchange()
             .authenticated()
         )
-        .oauth2Login(Customizer.withDefaults())
+        .oauth2Login(spec -> spec.authenticationManager(oidcAuthenticationManagerBuilder.build())) // Use custom authentication manager
         .logout(spec -> spec.logoutSuccessHandler(logoutHandler))
         .csrf(ServerHttpSecurity.CsrfSpec::disable)
         .build();
   }
 
   @Bean
   public ReactiveOAuth2UserService<OidcUserRequest, OidcUser> customOidcUserService(AccessControlService acs) {
+    // Use WebClient that respects proxy settings to get user-info
     final OidcReactiveOAuth2UserService delegate = new OidcReactiveOAuth2UserService();
+    delegate.setOauth2UserService(customOauth2UserService(acs));
+
     return request -> delegate.loadUser(request)
         .flatMap(user -> {
           var provider = getProviderByProviderId(request.getClientRegistration().getRegistrationId());
@@ -80,7 +92,10 @@ public ReactiveOAuth2UserService<OidcUserRequest, OidcUser> customOidcUserServic
 
   @Bean
   public ReactiveOAuth2UserService<OAuth2UserRequest, OAuth2User> customOauth2UserService(AccessControlService acs) {
+    // Use WebClient that respects proxy settings to get user-info
     final DefaultReactiveOAuth2UserService delegate = new DefaultReactiveOAuth2UserService();
+    delegate.setWebClient(webClient);
+
     return request -> delegate.loadUser(request)
         .flatMap(user -> {
           var provider = getProviderByProviderId(request.getClientRegistration().getRegistrationId());