Proxy/Netty: io.netty.channel.ConnectTimeoutException: connection timed out

Sorry for the delay on this one.

It looks like this is a known issue for Spring Security:

I have a couple of suggestions:

  1. Remove the need for a proxy: you could whitelist the domains you need (or specific URLs if needed).
    I know this isn’t always possible, especially when someone else manages the network, but it’s the easiest option, so I figured I’d suggest it.

  2. Override the WebClient where it’s used.

You could BeanPostProcessor it, and tweak the WebClient via org.springframework.security.oauth2.client.userinfo.DefaultReactiveOAuth2UserService.setWebClient(...)

Same for org.springframework.security.oauth2.client.oidc.userinfo.OidcReactiveOAuth2UserService

If you are also validating JWTs you would need to replace the ReactiveJwtDecoder bean from:

With something like:

NimbusReactiveJwtDecoder.withJwkSetUri(oAuth2ResourceServerProperties.getJwt().getJwkSetUri())
            .webClient(...)
            .build();

Where your custom webClient is something like:

HttpClient httpClient = HttpClient.create()
            .tcpConfiguration(tcpClient -> tcpClient
                .proxy(proxy -> proxy
                    .type(ProxyProvider.Proxy.HTTP)
                    .host("ourproxy.com")
                    .port(8080)));
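The pieces suggested in the reply above, wired together as one Spring configuration class. This is an added example, not part of the original post or of Spring Security's own code. It assumes Spring Boot with reactor-netty 0.9.x, that the security configuration picks up user-service beans of these types, and that OidcReactiveOAuth2UserService is pointed at the proxied client through its setOauth2UserService setter; the class, field and method names are hypothetical.

```java
import org.springframework.boot.autoconfigure.security.oauth2.resource.OAuth2ResourceServerProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.client.reactive.ReactorClientHttpConnector;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcReactiveOAuth2UserService;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
import org.springframework.security.oauth2.client.userinfo.DefaultReactiveOAuth2UserService;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserRequest;
import org.springframework.security.oauth2.client.userinfo.ReactiveOAuth2UserService;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.oauth2.core.user.OAuth2User;
import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder;
import org.springframework.web.reactive.function.client.WebClient;
import reactor.netty.http.client.HttpClient;
import reactor.netty.tcp.ProxyProvider; // assumption: reactor-netty 0.9.x; 1.x has it in reactor.netty.transport

@Configuration
public class ProxiedOAuthClientConfig { // hypothetical class name
    // One proxy-aware WebClient shared by every outbound OAuth2/OIDC call.
    private final WebClient proxiedWebClient = WebClient.builder()
            .clientConnector(new ReactorClientHttpConnector(HttpClient.create()
                    .tcpConfiguration(tcp -> tcp.proxy(proxy -> proxy
                            .type(ProxyProvider.Proxy.HTTP)
                            .host("ourproxy.com") // proxy host and port as given in the post
                            .port(8080)))))
            .build();

    @Bean // user-info endpoint lookups for plain OAuth2 logins
    public ReactiveOAuth2UserService<OAuth2UserRequest, OAuth2User> oauth2UserService() {
        DefaultReactiveOAuth2UserService service = new DefaultReactiveOAuth2UserService();
        service.setWebClient(proxiedWebClient);
        return service;
    }

    @Bean // OIDC logins delegate their user-info lookups to the proxied service above
    public ReactiveOAuth2UserService<OidcUserRequest, OidcUser> oidcUserService() {
        OidcReactiveOAuth2UserService service = new OidcReactiveOAuth2UserService();
        service.setOauth2UserService(oauth2UserService());
        return service;
    }

    @Bean // JWK set fetches used for JWT signature validation also go through the proxy
    public ReactiveJwtDecoder jwtDecoder(OAuth2ResourceServerProperties properties) {
        return NimbusReactiveJwtDecoder.withJwkSetUri(properties.getJwt().getJwkSetUri())
                .webClient(proxiedWebClient)
                .build();
    }
}
```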