Add OAuth2 support in spring-config-client

docs/modules/ROOT/pages/client.adoc

@@ -214,6 +214,45 @@ spring:
 
 The `spring.cloud.config.password` and `spring.cloud.config.username` values override anything that is provided in the URI.
 
+If your Config Server is secured with OAuth2, the Config Client can attach a bearer token
+to every request. Configure the OAuth2 client registration using the standard Spring
+Security properties and point the Config Client at it by id:
+
+[source,yaml]
+----
+spring:
+  cloud:
+    config:
+      uri: https://myconfig.mycompany.com
+      oauth2:
+        enabled: true
+        client-registration-id: config-client
+  security:
+    oauth2:
+      client:
+        registration:
+          config-client:
+            client-id: client-id
+            client-secret: client-secret
+            authorization-grant-type: client_credentials
+        provider:
+          config-client:
+            token-uri: https://auth.acme.com/oauth/token
+----
+
+`spring-boot-starter-security-oauth2-client` is an optional dependency. The Config Client
+attaches the OAuth2 bearer-token interceptor only when that starter is on the classpath
+and `spring.cloud.config.oauth2.enabled=true`; otherwise the interceptor is skipped. This
+works for both the Config Data import flow (`spring.config.import=configserver:`) and the
+legacy bootstrap flow. By default the Config Client builds an
+`InMemoryClientRegistrationRepository` from the properties above and an
+`OAuth2AuthorizedClientManager` that supports the `client_credentials` and `refresh_token`
+grant types. Each layer is overridable: register your own `ClientRegistrationRepository`,
+`OAuth2AuthorizedClientManager`, `ClientRegistrationIdResolver`, or the
+`ClientHttpRequestInterceptor` itself (in the bootstrap registry via a
+`BootstrapRegistryInitializer` for the Config Data flow, or as a bean for the legacy
+bootstrap flow) and the default will step aside.
+
 If you deploy your apps on Cloud Foundry, the best way to provide the password is through service credentials (such as in the URI, since it does not need to be in a config file).
 The following example works locally and for a user-provided service on Cloud Foundry named `configserver`:
 

pom.xml

@@ -107,6 +107,7 @@
 		<module>spring-cloud-config-sample</module>
 		<module>spring-cloud-starter-config</module>
 		<module>spring-cloud-config-client-tls-tests</module>
+		<module>spring-cloud-config-client-oauth2-tests</module>
 		<module>docs</module>
 	</modules>
 	<dependencyManagement>
@@ -178,6 +179,7 @@
 						<configuration>
 							<excludeArtifacts>
 								<artifact>spring-cloud-config-client-tls-tests</artifact>
+								<artifact>spring-cloud-config-client-oauth2-tests</artifact>
 								<artifact>spring-cloud-config-sample</artifact>
 							</excludeArtifacts>
 						</configuration>

spring-cloud-config-client-oauth2-tests/pom.xml

@@ -0,0 +1,107 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xmlns="http://maven.apache.org/POM/4.0.0"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <artifactId>spring-cloud-config-client-oauth2-tests</artifactId>
+    <packaging>jar</packaging>
+    <name>Spring Cloud Config Client OAuth2 Tests</name>
+
+    <parent>
+        <groupId>org.springframework.cloud</groupId>
+        <artifactId>spring-cloud-config</artifactId>
+        <version>5.0.4-SNAPSHOT</version>
+        <relativePath>..</relativePath>
+    </parent>
+
+    <url>https://spring.io</url>
+    <description>Spring Cloud Config Client OAuth2 Integration Tests</description>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.springframework.cloud</groupId>
+            <artifactId>spring-cloud-config-client</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-autoconfigure</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-security-oauth2-client</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-web</artifactId>
+        </dependency>
+
+        <!-- Testing -->
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-test</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.junit.platform</groupId>
+            <artifactId>junit-platform-launcher</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.cloud</groupId>
+            <artifactId>spring-cloud-test-support</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.testcontainers</groupId>
+            <artifactId>testcontainers-junit-jupiter</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-testcontainers</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>com.github.dasniko</groupId>
+            <artifactId>testcontainers-keycloak</artifactId>
+            <version>3.4.0</version>
+            <scope>test</scope>
+        </dependency>
+		<dependency>
+			<groupId>commons-io</groupId>
+			<artifactId>commons-io</artifactId>
+			<version>2.20.0</version>
+		</dependency>
+        <!-- MockServer for simulating a protected resource server -->
+        <dependency>
+            <groupId>org.mock-server</groupId>
+            <artifactId>mockserver-netty</artifactId>
+            <version>5.15.0</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.mock-server</groupId>
+            <artifactId>mockserver-client-java</artifactId>
+            <version>5.15.0</version>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <!--skip deploy (this is just a test module) -->
+                <artifactId>maven-deploy-plugin</artifactId>
+                <configuration>
+                    <skip>true</skip>
+                </configuration>
+            </plugin>
+        </plugins>
+    </build>
+</project>
+