feat: add OAuth2 Resource Server for Logto OIDC authentication

Dual auth: machine endpoints use Ed25519 JWT filter, all other API
endpoints use Spring Security OAuth2 Resource Server with Logto OIDC.
Mock JwtDecoder provided for test isolation.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

src/main/java/net/siegeln/cameleer/saas/config/SecurityConfig.java

@@ -3,6 +3,7 @@ package net.siegeln.cameleer.saas.config;
 import net.siegeln.cameleer.saas.auth.JwtAuthenticationFilter;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.core.annotation.Order;
 import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
@@ -17,23 +18,39 @@ import org.springframework.security.web.authentication.UsernamePasswordAuthentic
 @EnableMethodSecurity
 public class SecurityConfig {
 
-    private final JwtAuthenticationFilter jwtAuthenticationFilter;
+    private final JwtAuthenticationFilter machineTokenFilter;
 
-    public SecurityConfig(JwtAuthenticationFilter jwtAuthenticationFilter) {
-        this.jwtAuthenticationFilter = jwtAuthenticationFilter;
+    public SecurityConfig(JwtAuthenticationFilter machineTokenFilter) {
+        this.machineTokenFilter = machineTokenFilter;
     }
 
     @Bean
-    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+    @Order(1)
+    public SecurityFilterChain machineAuthFilterChain(HttpSecurity http) throws Exception {
+        http
+                .securityMatcher("/api/agent/**", "/api/license/verify/**")
+                .csrf(csrf -> csrf.disable())
+                .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
+                .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
+                .addFilterBefore(machineTokenFilter, UsernamePasswordAuthenticationFilter.class);
+
+        return http.build();
+    }
+
+    @Bean
+    @Order(2)
+    public SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
         http
                 .csrf(csrf -> csrf.disable())
                 .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                 .authorizeHttpRequests(auth -> auth
                         .requestMatchers("/api/auth/**").permitAll()
                         .requestMatchers("/actuator/health").permitAll()
+                        .requestMatchers("/auth/verify").permitAll()
                         .anyRequest().authenticated()
                 )
-                .addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
+                .oauth2ResourceServer(oauth2 -> oauth2.jwt(jwt -> {}))
+                .addFilterBefore(machineTokenFilter, UsernamePasswordAuthenticationFilter.class);
 
         return http.build();
     }

src/main/resources/application-test.yml

@@ -3,3 +3,8 @@ spring:
     show-sql: false
   flyway:
     clean-disabled: false
+  security:
+    oauth2:
+      resourceserver:
+        jwt:
+          issuer-uri: https://test-issuer.example.com/oidc

src/main/resources/application.yml

@@ -8,6 +8,12 @@ spring:
   flyway:
     enabled: true
     locations: classpath:db/migration
+  security:
+    oauth2:
+      resourceserver:
+        jwt:
+          issuer-uri: ${LOGTO_ISSUER_URI:}
+          jwk-set-uri: ${LOGTO_JWK_SET_URI:}
 
 management:
   endpoints:
@@ -23,3 +29,7 @@ cameleer:
     expiration: 86400 # 24 hours in seconds
     private-key-path: ${CAMELEER_JWT_PRIVATE_KEY_PATH:}
     public-key-path: ${CAMELEER_JWT_PUBLIC_KEY_PATH:}
+  identity:
+    logto-endpoint: ${LOGTO_ENDPOINT:}
+    m2m-client-id: ${LOGTO_M2M_CLIENT_ID:}
+    m2m-client-secret: ${LOGTO_M2M_CLIENT_SECRET:}