Sorry for the delay on this one.
It looks like this is a known issue for Spring Security:
- https://github.com/reactor/reactor-netty/issues/887
- https://stackoverflow.com/questions/58689235/proxy-setting-not-working-with-spring-webclient
- https://github.com/spring-projects/spring-security/issues/8882
I have a couple of suggestions:
- Remove the need for a proxy: you could whitelist the domains you need (or specific URLs if needed). I know this isn't always possible, especially when someone else manages the network, but it's the easiest option, so I figured I'd suggest it.
- Override the WebClient where it's used. You could BeanPostProcessor it, and tweak the WebClient via `org.springframework.security.oauth2.client.userinfo.DefaultReactiveOAuth2UserService.setWebClient(...)`; same for `org.springframework.security.oauth2.client.oidc.userinfo.OidcReactiveOAuth2UserService`.
If you are also validating JWTs you would need to replace the ReactiveJwtDecoder bean from:
With something like:
```java
NimbusReactiveJwtDecoder.withJwkSetUri(oAuth2ResourceServerProperties.getJwt().getJwkSetUri())
    .webClient(...)
```
Where your custom webClient is something like:
```java
import reactor.netty.http.client.HttpClient;
import reactor.netty.tcp.ProxyProvider;

// reactor-netty HttpClient that sends every request through the HTTP proxy
HttpClient httpClient = HttpClient.create()
    .tcpConfiguration(tcpClient -> tcpClient
        .proxy(proxy -> proxy
            .type(ProxyProvider.Proxy.HTTP)
            .host("ourproxy.com")
            .port(8080)));
// hand it to Spring's WebClient through the reactor connector
WebClient webClient = WebClient.builder()
    .clientConnector(new ReactorClientHttpConnector(httpClient))
    .build();
```