fix: read oidcTlsSkipVerify at call time instead of caching in constructor

OidcTokenExchanger cached securityProperties.isOidcTlsSkipVerify() in the constructor as a boolean field. If Spring constructed the bean before property binding completed, the cached value was false even when the env var was set. SecurityConfig worked because it read the property at call time. Now OidcTokenExchanger stores the SecurityProperties reference and reads the flag on each call, matching SecurityConfig's pattern. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-06 01:02:36 +02:00
parent 99e2a8354f
commit d7563902a7
1 changed files with 5 additions and 8 deletions
--- a/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcTokenExchanger.java
+++ b/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcTokenExchanger.java
@@ -51,7 +51,7 @@ public class OidcTokenExchanger {
    private static final Logger log = LoggerFactory.getLogger(OidcTokenExchanger.class);
    private final OidcConfigRepository configRepository;
-    private final boolean tlsSkipVerify;
+    private final SecurityProperties securityProperties;
    private volatile String cachedIssuerUri;
    private volatile OIDCProviderMetadata providerMetadata;
@@ -60,10 +60,7 @@ public class OidcTokenExchanger {
    public OidcTokenExchanger(OidcConfigRepository configRepository,
                               SecurityProperties securityProperties) {
        this.configRepository = configRepository;
-        this.tlsSkipVerify = securityProperties.isOidcTlsSkipVerify();
+        this.securityProperties = securityProperties;
        if (tlsSkipVerify) {
            log.warn("OIDC TLS skip-verify enabled for token exchanger");
        }
    }
    public record OidcUserInfo(String subject, String email, String name, List<String> roles, String idToken) {}
@@ -88,7 +85,7 @@ public class OidcTokenExchanger {
        );
        var httpRequest = tokenRequest.toHTTPRequest();
-        if (tlsSkipVerify) {
+        if (securityProperties.isOidcTlsSkipVerify()) {
            httpRequest.setSSLSocketFactory(InsecureTlsHelper.socketFactory());
            httpRequest.setHostnameVerifier(InsecureTlsHelper.hostnameVerifier());
        }
@@ -205,7 +202,7 @@ public class OidcTokenExchanger {
                    // .well-known/openid-configuration automatically, the user provides
                    // the complete URL.
                    URL discoveryUrl = new URI(issuerUri).toURL();
-                    try (InputStream in = InsecureTlsHelper.openStream(discoveryUrl, tlsSkipVerify)) {
+                    try (InputStream in = InsecureTlsHelper.openStream(discoveryUrl, securityProperties.isOidcTlsSkipVerify())) {
                        JSONObject json = (JSONObject) new JSONParser(JSONParser.DEFAULT_PERMISSIVE_MODE)
                                .parse(in);
                        providerMetadata = OIDCProviderMetadata.parse(json);
@@ -226,7 +223,7 @@ public class OidcTokenExchanger {
                    OIDCProviderMetadata metadata = getProviderMetadata(issuerUri);
                    URL jwksUrl = metadata.getJWKSetURI().toURL();
                    JWKSource<SecurityContext> jwkSource;
-                    if (tlsSkipVerify) {
+                    if (securityProperties.isOidcTlsSkipVerify()) {
                        var retriever = new DefaultResourceRetriever(5000, 5000, 0, true,
                                InsecureTlsHelper.socketFactory());
                        jwkSource = new RemoteJWKSet<>(jwksUrl, retriever);