From d7563902a7c18507e6efb2a780a057888f7f49c5 Mon Sep 17 00:00:00 2001
From: hsiegeln <37154749+hsiegeln@users.noreply.github.com>
Date: Mon, 6 Apr 2026 01:02:36 +0200
Subject: [PATCH] fix: read oidcTlsSkipVerify at call time instead of caching in constructor

OidcTokenExchanger cached securityProperties.isOidcTlsSkipVerify() in the constructor as a boolean field. If Spring constructed the bean before property binding completed, the cached value was false even when the env var was set. SecurityConfig worked because it read the property at call time. Now OidcTokenExchanger stores the SecurityProperties reference and reads the flag on each call, matching SecurityConfig's pattern.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .../server/app/security/OidcTokenExchanger.java | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)

diff --git a/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcTokenExchanger.java b/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcTokenExchanger.java
index 1f41816d..058e1363 100644
--- a/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcTokenExchanger.java
+++ b/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcTokenExchanger.java
@@ -51,7 +51,7 @@ public class OidcTokenExchanger {
     private static final Logger log = LoggerFactory.getLogger(OidcTokenExchanger.class);
     private final OidcConfigRepository configRepository;
-    private final boolean tlsSkipVerify;
+    private final SecurityProperties securityProperties;
     private volatile String cachedIssuerUri;
     private volatile OIDCProviderMetadata providerMetadata;
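Review bot: Storing the `SecurityProperties` reference and reading `isOidcTlsSkipVerify()` on every call means the insecure-TLS mode now follows the live bean, so any later mutation of that bean (a Spring `@ConfigurationProperties` class needs a setter for binding, and refresh or actuator endpoints can rewrite it — none of that is visible here) would flip this exchanger into skip-verify mode with no log record. A field comment would make that contract explicit: `// Read at call time, not cached, so the flag follows the bound SecurityProperties; every read is a security decision, keep it behind one helper that logs when enabled.` The root-cause story in the description is hard to reconcile with constructor injection, where Spring only hands over a fully bound properties bean, so if the real cause was something else (a second SecurityProperties instance, or a relaxed-binding mismatch on the env var name, for example) this change may hide it rather than fix it — worth confirming with a context test that sets the env var and asserts the flag on the injected bean. The class body continues outside the hunk.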
@@ -60,10 +60,7 @@ public class OidcTokenExchanger {
     public OidcTokenExchanger(OidcConfigRepository configRepository, SecurityProperties securityProperties) {
         this.configRepository = configRepository;
-        this.tlsSkipVerify = securityProperties.isOidcTlsSkipVerify();
-        if (tlsSkipVerify) {
-            log.warn("OIDC TLS skip-verify enabled for token exchanger");
-        }
+        this.securityProperties = securityProperties;
     }
     public record OidcUserInfo(String subject, String email, String name, List roles, String idToken) {}
@@ -88,7 +85,7 @@ public class OidcTokenExchanger {
         );
         var httpRequest = tokenRequest.toHTTPRequest();
-        if (tlsSkipVerify) {
+        if (securityProperties.isOidcTlsSkipVerify()) {
             httpRequest.setSSLSocketFactory(InsecureTlsHelper.socketFactory());
             httpRequest.setHostnameVerifier(InsecureTlsHelper.hostnameVerifier());
         }
@@ -205,7 +202,7 @@ public class OidcTokenExchanger {
         // .well-known/openid-configuration automatically, the user provides
         // the complete URL.
         URL discoveryUrl = new URI(issuerUri).toURL();
-        try (InputStream in = InsecureTlsHelper.openStream(discoveryUrl, tlsSkipVerify)) {
+        try (InputStream in = InsecureTlsHelper.openStream(discoveryUrl, securityProperties.isOidcTlsSkipVerify())) {
             JSONObject json = (JSONObject) new JSONParser(JSONParser.DEFAULT_PERMISSIVE_MODE) .parse(in);
             providerMetadata = OIDCProviderMetadata.parse(json);
@@ -226,7 +223,7 @@ public class OidcTokenExchanger {
         OIDCProviderMetadata metadata = getProviderMetadata(issuerUri);
         URL jwksUrl = metadata.getJWKSetURI().toURL();
         JWKSource jwkSource;
-        if (tlsSkipVerify) {
+        if (securityProperties.isOidcTlsSkipVerify()) {
             var retriever = new DefaultResourceRetriever(5000, 5000, 0, true, InsecureTlsHelper.socketFactory());
             jwkSource = new RemoteJWKSet<>(jwksUrl, retriever);
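Review bot: The constructor no longer emits the `OIDC TLS skip-verify enabled for token exchanger` warning and nothing in the patch re-adds it at the new read sites, so a deployment running with certificate and hostname verification disabled now leaves no trace in the logs — that warning was the only operator-visible signal of the insecure mode. Since the flag is now read per call, route the three `securityProperties.isOidcTlsSkipVerify()` reads through a private helper that logs once on the first enabled read, as sketched below; the call sites in the later hunks become `if (tlsSkipVerify()) {` and the discovery fetch passes `tlsSkipVerify()`. A one-shot guard keeps the warning from repeating on every token exchange; `java.util.concurrent.atomic.AtomicBoolean` is the only new import.
```java
    private final SecurityProperties securityProperties;
    // Set once the skip-verify warning has been logged, so it is emitted on first use rather than per exchange.
    private final AtomicBoolean insecureTlsWarned = new AtomicBoolean(false);

    // … unchanged: constructor, OidcUserInfo record …

    /** Reads the skip-verify flag at call time; logs a warning the first time it is found enabled. */
    private boolean tlsSkipVerify() {
        boolean skip = securityProperties.isOidcTlsSkipVerify();
        if (skip && insecureTlsWarned.compareAndSet(false, true)) {
            log.warn("OIDC TLS skip-verify enabled for token exchanger; certificate and hostname checks are disabled");
        }
        return skip;
    }
```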
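Review bot: The discovery document is fetched through `InsecureTlsHelper.openStream(discoveryUrl, …)` and then parsed with `JSONParser.DEFAULT_PERMISSIVE_MODE`; this document decides which token endpoint and JWKS URL the exchanger trusts, so lenient parsing of a network response is the wrong default — unless the provider is known to emit non-conformant JSON, use a strict mode, e.g. `new JSONParser(JSONParser.MODE_RFC4627)`. The connect and read timeouts of `openStream` are not visible in this hunk; the JWKS retriever in the last hunk sets 5 s for each, and the discovery fetch should be bounded the same way so a stalled issuer cannot pin a request thread, if `openStream` does not already do that. `new URI(issuerUri).toURL()` also accepts any scheme; whether issuerUri is restricted to https earlier is outside this hunk and worth confirming, since skip-verify is moot on a plain-http issuer. The enclosing method starts and ends outside the hunk.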