From 703d255efbe5922e423860ac63b8859879bb0e27 Mon Sep 17 00:00:00 2001
From: ch4mpy <ch4mp@c4-soft.com>
Date: Wed, 15 May 2024 15:25:19 -1000
Subject: [PATCH] gh-213 native images compatibility of
 @ConfigurationProperties

---
 README.MD                                     |   8 +-
 release-notes.md                              |   5 +
 .../tutorials/WebSecurityConfig.java          |   2 +-
 .../BasicAuthSecurityConfig.java              |   2 +-
 spring-addons-starter-oidc/README.MD          |   2 +-
 ...ssuerOpenidProviderPropertiesResolver.java |   2 +-
 ...figurableClaimSetAuthoritiesConverter.java |  94 +++++++-------
 .../OpenidProviderPropertiesResolver.java     |   2 +-
 .../properties/OpenidProviderProperties.java  |  48 -------
 .../SimpleAuthoritiesMappingProperties.java   |  38 ------
 .../SpringAddonsOidcProperties.java           | 118 ++++++++++++++----
 ...bleJwtGrantedAuthoritiesConverterTest.java |   6 +-
 12 files changed, 154 insertions(+), 173 deletions(-)
 delete mode 100644 spring-addons-starter-oidc/src/main/java/com/c4_soft/springaddons/security/oidc/starter/properties/OpenidProviderProperties.java
 delete mode 100644 spring-addons-starter-oidc/src/main/java/com/c4_soft/springaddons/security/oidc/starter/properties/SimpleAuthoritiesMappingProperties.java

diff --git a/README.MD b/README.MD
index 651348ec5..ad702276d 100644
--- a/README.MD
+++ b/README.MD
@@ -11,16 +11,10 @@
 
 ## Breaking News
 
-Just added a [Sponsor this project](https://ko-fi.com/ch4mpy) link to the repo ;-)
+In `7.7.0`, some `@ConfigurationProperties` were changed to inner-class definition (instead of standing in a source file of their own). Migration should be no more complicated than organizing imports.
 
 The OAuth2 BFF tutorial is now [on Baeldung](https://www.baeldung.com/spring-cloud-gateway-bff-oauth2). It was deeply refreshed in the process and now contains samples for Angular, React (Next.js) and Vue (Vite).
 
-In `7.6.0`, the experimental support for `RestClient` and `WebClient` builders as well as `@HttpExchange` (the successor of `@FeignClient`) is moved to a dedicated starter: [`spring-addons-starter-rest`](https://github.com/ch4mpy/spring-addons/tree/master/spring-addons-starter-rest). As a reminder, it helps to get pre-configured client builders and `@HttpExchange` proxies with this clients
-
-`7.5.0` comes with an important refactoring of the way JWT decoder(s) configuration is resolved. This greatly eases ["dynamic" multi-tenant scenarios implementation](https://github.com/ch4mpy/spring-addons/tree/master/spring-addons-starter-oidc#1-1-4). The only noticeable breaking change is the removal of `SpringAddonsOidcProperties::getOpProperties`. This feature is now the responsibility of the newly introduced `OpenidProviderPropertiesResolver`. The default implementation resolves properties with an exact match on issuer (just as `getOpProperties` was doing). As usual, auto-configured bean backs-off if you expose one to use another properties resolving strategy.
-
-**Important warning for those using `@WithJwt` (and since `7.3.0`, `@WithMockJwtAuth`) but not `spring-addons-starter-oidc`**: you should expose your JWT converter as a bean. See [`spring-addons-oauth2-test` README](https://github.com/ch4mpy/spring-addons/tree/master/spring-addons-oauth2-test) for details.
-
 ## [OIDC starter](https://github.com/ch4mpy/spring-addons/tree/master/spring-addons-starter-oidc)
 
 With `spring-addons-starter-oidc`, you might need 0 Java conf, even in scenarios like:
diff --git a/release-notes.md b/release-notes.md
index fe7b079a9..2085a135e 100644
--- a/release-notes.md
+++ b/release-notes.md
@@ -2,6 +2,11 @@
 
 ## `7.x` Branch
 
+### `7.7.0`
+- [gh-213](https://github.com/ch4mpy/spring-addons/issues/213): native-images compatibility:
+  - add missing `@NestedConfigurationProperty` to `SpringAddonsOidcProperties#client` and `SpringAddonsOidcProperties#resourceserver`
+  - declare all other `@ConfigurationProperty` as nested classes of either `SpringAddonsOidcProperties`, `SpringAddonsOidcClientProperties` or `SpringAddonsOidcResourceServerProperties`
+
 ### `7.6.11`
 - Spring Boot `3.2.4`
 
diff --git a/samples/tutorials/resource-server_multitenant_dynamic/src/main/java/com/c4soft/springaddons/tutorials/WebSecurityConfig.java b/samples/tutorials/resource-server_multitenant_dynamic/src/main/java/com/c4soft/springaddons/tutorials/WebSecurityConfig.java
index d39315c10..f0c1e8371 100644
--- a/samples/tutorials/resource-server_multitenant_dynamic/src/main/java/com/c4soft/springaddons/tutorials/WebSecurityConfig.java
+++ b/samples/tutorials/resource-server_multitenant_dynamic/src/main/java/com/c4soft/springaddons/tutorials/WebSecurityConfig.java
@@ -11,8 +11,8 @@
 import org.springframework.util.StringUtils;
 
 import com.c4_soft.springaddons.security.oidc.starter.OpenidProviderPropertiesResolver;
-import com.c4_soft.springaddons.security.oidc.starter.properties.OpenidProviderProperties;
 import com.c4_soft.springaddons.security.oidc.starter.properties.SpringAddonsOidcProperties;
+import com.c4_soft.springaddons.security.oidc.starter.properties.SpringAddonsOidcProperties.OpenidProviderProperties;
 
 @Configuration
 @EnableMethodSecurity
diff --git a/samples/webmvc-jwt-default/src/main/java/com/c4_soft/springaddons/samples/webmvc_jwtauthenticationtoken/BasicAuthSecurityConfig.java b/samples/webmvc-jwt-default/src/main/java/com/c4_soft/springaddons/samples/webmvc_jwtauthenticationtoken/BasicAuthSecurityConfig.java
index 50f16f7b8..f3ddc4419 100644
--- a/samples/webmvc-jwt-default/src/main/java/com/c4_soft/springaddons/samples/webmvc_jwtauthenticationtoken/BasicAuthSecurityConfig.java
+++ b/samples/webmvc-jwt-default/src/main/java/com/c4_soft/springaddons/samples/webmvc_jwtauthenticationtoken/BasicAuthSecurityConfig.java
@@ -36,8 +36,8 @@
 import org.springframework.web.reactive.function.client.WebClient;
 import org.springframework.web.util.UriComponentsBuilder;
 
-import com.c4_soft.springaddons.security.oidc.starter.properties.OpenidProviderProperties;
 import com.c4_soft.springaddons.security.oidc.starter.properties.SpringAddonsOidcProperties;
+import com.c4_soft.springaddons.security.oidc.starter.properties.SpringAddonsOidcProperties.OpenidProviderProperties;
 import com.c4_soft.springaddons.security.oidc.starter.synchronised.ServletConfigurationSupport;
 import com.c4_soft.springaddons.security.oidc.starter.synchronised.resourceserver.ResourceServerExpressionInterceptUrlRegistryPostProcessor;
 import com.c4_soft.springaddons.security.oidc.starter.synchronised.resourceserver.ResourceServerSynchronizedHttpSecurityPostProcessor;
diff --git a/spring-addons-starter-oidc/README.MD b/spring-addons-starter-oidc/README.MD
index a94b20fb7..fdfce4cf8 100644
--- a/spring-addons-starter-oidc/README.MD
+++ b/spring-addons-starter-oidc/README.MD
@@ -4,7 +4,7 @@ This project is a Spring Boot starter to use in addition to `spring-boot-starter
 
 ```xml
     <properties>
-        <springaddons.version>7.6.11</springaddons.version>
+        <springaddons.version>7.7.0</springaddons.version>
     </properties>
     
     <dependencies>
diff --git a/spring-addons-starter-oidc/src/main/java/com/c4_soft/springaddons/security/oidc/starter/ByIssuerOpenidProviderPropertiesResolver.java b/spring-addons-starter-oidc/src/main/java/com/c4_soft/springaddons/security/oidc/starter/ByIssuerOpenidProviderPropertiesResolver.java
index 6681cf011..207692565 100644
--- a/spring-addons-starter-oidc/src/main/java/com/c4_soft/springaddons/security/oidc/starter/ByIssuerOpenidProviderPropertiesResolver.java
+++ b/spring-addons-starter-oidc/src/main/java/com/c4_soft/springaddons/security/oidc/starter/ByIssuerOpenidProviderPropertiesResolver.java
@@ -7,8 +7,8 @@
 
 import org.springframework.security.oauth2.jwt.JwtClaimNames;
 
-import com.c4_soft.springaddons.security.oidc.starter.properties.OpenidProviderProperties;
 import com.c4_soft.springaddons.security.oidc.starter.properties.SpringAddonsOidcProperties;
+import com.c4_soft.springaddons.security.oidc.starter.properties.SpringAddonsOidcProperties.OpenidProviderProperties;
 
 import lombok.RequiredArgsConstructor;
 
diff --git a/spring-addons-starter-oidc/src/main/java/com/c4_soft/springaddons/security/oidc/starter/ConfigurableClaimSetAuthoritiesConverter.java b/spring-addons-starter-oidc/src/main/java/com/c4_soft/springaddons/security/oidc/starter/ConfigurableClaimSetAuthoritiesConverter.java
index f9075f142..214190cf6 100644
--- a/spring-addons-starter-oidc/src/main/java/com/c4_soft/springaddons/security/oidc/starter/ConfigurableClaimSetAuthoritiesConverter.java
+++ b/spring-addons-starter-oidc/src/main/java/com/c4_soft/springaddons/security/oidc/starter/ConfigurableClaimSetAuthoritiesConverter.java
@@ -11,7 +11,7 @@
 import org.springframework.util.StringUtils;
 
 import com.c4_soft.springaddons.security.oidc.starter.properties.NotAConfiguredOpenidProviderException;
-import com.c4_soft.springaddons.security.oidc.starter.properties.SimpleAuthoritiesMappingProperties;
+import com.c4_soft.springaddons.security.oidc.starter.properties.SpringAddonsOidcProperties.OpenidProviderProperties.SimpleAuthoritiesMappingProperties;
 import com.jayway.jsonpath.JsonPath;
 import com.jayway.jsonpath.PathNotFoundException;
 
@@ -22,8 +22,8 @@
  * Portable converter to extract Spring-security authorities from OAuth2 claims.
  * </p>
  * <p>
- * It relies on {@link OpenidProviderPropertiesResolver} to resolve the configuration properties for the provided claims (and throws if it is not resolved).
- * This properties enable to configure:
+ * It relies on {@link OpenidProviderPropertiesResolver} to resolve the configuration properties for the provided claims (and throws if it
+ * is not resolved). This properties enable to configure:
  * </p>
  * <ul>
  * <li>source claims (which claims to pick authorities from, dot.separated.path is supported)</li>
@@ -35,33 +35,33 @@
  */
 @RequiredArgsConstructor
 public class ConfigurableClaimSetAuthoritiesConverter implements ClaimSetAuthoritiesConverter {
-    private final OpenidProviderPropertiesResolver opPropertiesResolver;
+	private final OpenidProviderPropertiesResolver opPropertiesResolver;
 
-    @Override
-    public Collection<? extends GrantedAuthority> convert(@NonNull Map<String, Object> source) {
-        final var opProperties = opPropertiesResolver.resolve(source).orElseThrow(() -> new NotAConfiguredOpenidProviderException(source));
-        // @formatter:off
+	@Override
+	public Collection<? extends GrantedAuthority> convert(@NonNull Map<String, Object> source) {
+		final var opProperties = opPropertiesResolver.resolve(source).orElseThrow(() -> new NotAConfiguredOpenidProviderException(source));
+		// @formatter:off
 	    return opProperties.getAuthorities().stream()
 	            .flatMap(authoritiesMappingProps -> getAuthorities(source, authoritiesMappingProps))
 	            .map(r -> (GrantedAuthority) new SimpleGrantedAuthority(r)).toList();
 	    // @formatter:on
-    }
+	}
 
-    private static String processCase(String role, SimpleAuthoritiesMappingProperties.Case caze) {
-        switch (caze) {
-            case UPPER: {
-                return role.toUpperCase();
-            }
-            case LOWER: {
-                return role.toLowerCase();
-            }
-            default:
-                return role;
-        }
-    }
+	private static String processCase(String role, SimpleAuthoritiesMappingProperties.Case caze) {
+		switch (caze) {
+		case UPPER: {
+			return role.toUpperCase();
+		}
+		case LOWER: {
+			return role.toLowerCase();
+		}
+		default:
+			return role;
+		}
+	}
 
-    private static Stream<String> getAuthorities(Map<String, Object> claims, SimpleAuthoritiesMappingProperties props) {
-        // @formatter:off
+	private static Stream<String> getAuthorities(Map<String, Object> claims, SimpleAuthoritiesMappingProperties props) {
+		// @formatter:off
 	    return getClaims(claims, props.getPath())
 	    		.flatMap(claim -> Stream.of(claim.split(",")))
 	    		.flatMap(claim -> Stream.of(claim.split(" ")))
@@ -70,29 +70,29 @@ private static Stream<String> getAuthorities(Map<String, Object> claims, SimpleA
 	            .map(r -> processCase(r, props.getCaze()))
 	            .map(r -> String.format("%s%s", props.getPrefix(), r));
 	    // @formatter:on
-    }
+	}
 
-    @SuppressWarnings({ "rawtypes", "unchecked" })
-    private static Stream<String> getClaims(Map<String, Object> claims, String path) {
-        try {
-            final var res = JsonPath.read(claims, path);
-            if (res instanceof String r) {
-                return Stream.of(r);
-            }
-            if (res instanceof List l) {
-                if (l.size() == 0) {
-                    return Stream.empty();
-                }
-                if (l.get(0) instanceof String) {
-                    return l.stream();
-                }
-                if (l.get(0) instanceof List) {
-                    return l.stream().flatMap(o -> ((List) o).stream());
-                }
-            }
-            return Stream.empty();
-        } catch (PathNotFoundException e) {
-            return Stream.empty();
-        }
-    }
+	@SuppressWarnings({ "rawtypes", "unchecked" })
+	private static Stream<String> getClaims(Map<String, Object> claims, String path) {
+		try {
+			final var res = JsonPath.read(claims, path);
+			if (res instanceof String r) {
+				return Stream.of(r);
+			}
+			if (res instanceof List l) {
+				if (l.size() == 0) {
+					return Stream.empty();
+				}
+				if (l.get(0) instanceof String) {
+					return l.stream();
+				}
+				if (l.get(0) instanceof List) {
+					return l.stream().flatMap(o -> ((List) o).stream());
+				}
+			}
+			return Stream.empty();
+		} catch (PathNotFoundException e) {
+			return Stream.empty();
+		}
+	}
 }
diff --git a/spring-addons-starter-oidc/src/main/java/com/c4_soft/springaddons/security/oidc/starter/OpenidProviderPropertiesResolver.java b/spring-addons-starter-oidc/src/main/java/com/c4_soft/springaddons/security/oidc/starter/OpenidProviderPropertiesResolver.java
index b52db57c0..f2c14b8d0 100644
--- a/spring-addons-starter-oidc/src/main/java/com/c4_soft/springaddons/security/oidc/starter/OpenidProviderPropertiesResolver.java
+++ b/spring-addons-starter-oidc/src/main/java/com/c4_soft/springaddons/security/oidc/starter/OpenidProviderPropertiesResolver.java
@@ -3,7 +3,7 @@
 import java.util.Map;
 import java.util.Optional;
 
-import com.c4_soft.springaddons.security.oidc.starter.properties.OpenidProviderProperties;
+import com.c4_soft.springaddons.security.oidc.starter.properties.SpringAddonsOidcProperties.OpenidProviderProperties;
 
 /**
  * Resolves OpenID Provider configuration properties from OAuth2 / OpenID claims (decoded from a JWT, introspected from an opaque token or
diff --git a/spring-addons-starter-oidc/src/main/java/com/c4_soft/springaddons/security/oidc/starter/properties/OpenidProviderProperties.java b/spring-addons-starter-oidc/src/main/java/com/c4_soft/springaddons/security/oidc/starter/properties/OpenidProviderProperties.java
deleted file mode 100644
index 8bf2972aa..000000000
--- a/spring-addons-starter-oidc/src/main/java/com/c4_soft/springaddons/security/oidc/starter/properties/OpenidProviderProperties.java
+++ /dev/null
@@ -1,48 +0,0 @@
-package com.c4_soft.springaddons.security.oidc.starter.properties;
-
-import java.net.URI;
-import java.util.List;
-
-import org.springframework.boot.context.properties.ConfigurationProperties;
-import org.springframework.security.oauth2.core.oidc.StandardClaimNames;
-
-import lombok.Data;
-
-/**
- * OpenID Providers configuration. A minimum of one issuer is required. <b>Properties defined here are a replacement for
- * spring.security.oauth2.resourceserver.jwt.*</b> (which will be ignored). Authorities mapping defined here is used by both client and resource server
- * filter-chains.
- *
- * @author Jerome Wacongne ch4mp&#64;c4-soft.com
- */
-@Data
-@ConfigurationProperties
-public class OpenidProviderProperties {
-    /**
-     * <p>
-     * Must be exactly the same as in access tokens (even trailing slash, if any, is important). In case of doubt, open one of your access tokens with a tool
-     * like <a href="https://jwt.io">https://jwt.io</a>.
-     * <p>
-     */
-    private URI iss;
-
-    /**
-     * Can be omitted if OpenID configuration can be retrieved from ${iss}/.well-known/openid-configuration
-     */
-    private URI jwkSetUri;
-
-    /**
-     * Can be omitted. Will insert an audience validator if not null or empty
-     */
-    private String aud;
-
-    /**
-     * Authorities mapping configuration, per claim
-     */
-    private List<SimpleAuthoritiesMappingProperties> authorities = List.of();
-
-    /**
-     * JSON path for the claim to use as "name" source
-     */
-    private String usernameClaim = StandardClaimNames.SUB;
-}
diff --git a/spring-addons-starter-oidc/src/main/java/com/c4_soft/springaddons/security/oidc/starter/properties/SimpleAuthoritiesMappingProperties.java b/spring-addons-starter-oidc/src/main/java/com/c4_soft/springaddons/security/oidc/starter/properties/SimpleAuthoritiesMappingProperties.java
deleted file mode 100644
index 2c4399594..000000000
--- a/spring-addons-starter-oidc/src/main/java/com/c4_soft/springaddons/security/oidc/starter/properties/SimpleAuthoritiesMappingProperties.java
+++ /dev/null
@@ -1,38 +0,0 @@
-package com.c4_soft.springaddons.security.oidc.starter.properties;
-
-import org.springframework.boot.context.properties.ConfigurationProperties;
-
-import com.c4_soft.springaddons.security.oidc.starter.ConfigurableClaimSetAuthoritiesConverter;
-
-import lombok.Data;
-
-/**
- * Configuration for {@link ConfigurableClaimSetAuthoritiesConverter}
- *
- * @author ch4mp
- */
-@Data
-@ConfigurationProperties
-public class SimpleAuthoritiesMappingProperties {
-    /**
-     * JSON path of the claim(s) to map with this properties
-     */
-    private String path = "$.realm_access.roles";
-
-    /**
-     * What to prefix authorities with (for instance "ROLE_" or "SCOPE_")
-     */
-    private String prefix = "";
-
-    /**
-     * Whether to transform authorities to uppercase, lowercase, or to leave it unchanged
-     */
-    private Case caze = Case.UNCHANGED;
-
-    public static enum Case {
-        UNCHANGED,
-        UPPER,
-        LOWER
-    }
-
-}
diff --git a/spring-addons-starter-oidc/src/main/java/com/c4_soft/springaddons/security/oidc/starter/properties/SpringAddonsOidcProperties.java b/spring-addons-starter-oidc/src/main/java/com/c4_soft/springaddons/security/oidc/starter/properties/SpringAddonsOidcProperties.java
index 5469585be..67834049d 100644
--- a/spring-addons-starter-oidc/src/main/java/com/c4_soft/springaddons/security/oidc/starter/properties/SpringAddonsOidcProperties.java
+++ b/spring-addons-starter-oidc/src/main/java/com/c4_soft/springaddons/security/oidc/starter/properties/SpringAddonsOidcProperties.java
@@ -1,15 +1,19 @@
 package com.c4_soft.springaddons.security.oidc.starter.properties;
 
+import java.net.URI;
 import java.util.List;
 
 import org.springframework.boot.autoconfigure.AutoConfiguration;
 import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.boot.context.properties.NestedConfigurationProperty;
+import org.springframework.security.oauth2.core.oidc.StandardClaimNames;
 
 import lombok.Data;
 
 /**
  * <p>
- * Configuration properties for OAuth2 auto-configuration extensions to spring-boot-starter-oauth2-client and spring-boot-starter-oauth2-resource-server.
+ * Configuration properties for OAuth2 auto-configuration extensions to spring-boot-starter-oauth2-client and
+ * spring-boot-starter-oauth2-resource-server.
  * </p>
  * The following spring-boot standard properties are used:
  * <ul>
@@ -17,8 +21,8 @@
  * <li>spring.security.oauth2.client.registration.*</li>
  * <li>spring.security.oauth2.resourceserver.opaquetoken.*</li>
  * </ul>
- * <b>spring.security.oauth2.resourceserver.jwt.* properties are ignored.</b> The reason for that is it is applicable only to single tenant scenarios. Use
- * properties
+ * <b>spring.security.oauth2.resourceserver.jwt.* properties are ignored.</b> The reason for that is it is applicable only to single tenant
+ * scenarios. Use properties
  *
  * @author Jerome Wacongne ch4mp&#64;c4-soft.com
  */
@@ -27,27 +31,91 @@
 @ConfigurationProperties(prefix = "com.c4-soft.springaddons.oidc")
 public class SpringAddonsOidcProperties {
 
-    /**
-     * OpenID Providers configuration: JWK set URI, issuer URI, audience, and authorities mapping configuration for each issuer. A minimum of one issuer is
-     * required. <b>Properties defined here are a replacement for spring.security.oauth2.resourceserver.jwt.*</b> (which will be ignored). Authorities mapping
-     * defined there is used by both client and resource server filter-chains.
-     */
-    private List<OpenidProviderProperties> ops = List.of();
-
-    /**
-     * Auto-configuration for an OAuth2 client (secured with session, not access token) Security(Web)FilterChain with &#64;Order(Ordered.LOWEST_PRECEDENCE - 1).
-     * Typical use-cases are spring-cloud-gateway used as BFF and applications with Thymeleaf or another server-side rendering framework. Default configuration
-     * includes: enabled sessions, CSRF protection, "oauth2Login", "logout". securityMatchers must be set for this filter-chain &#64;Bean and its dependencies
-     * to be defined. <b>Properties defined here are a complement for spring.security.oauth2.client.*</b> (which are required when enabling spring-addons client
-     * filter-chain).
-     */
-    private SpringAddonsOidcClientProperties client = new SpringAddonsOidcClientProperties();
-
-    /**
-     * Auto-configuration for an OAuth2 resource server Security(Web)FilterChain with &#64;Order(LOWEST_PRECEDENCE). Typical use case is a REST API secured with
-     * access tokens. Default configuration is as follow: no securityMatcher to process all the requests that were not intercepted by higher &#64;Order
-     * Security(Web)FilterChains, no session, disabled CSRF protection, and 401 to unauthorized requests.
-     */
-    private SpringAddonsOidcResourceServerProperties resourceserver = new SpringAddonsOidcResourceServerProperties();
+	/**
+	 * OpenID Providers configuration: JWK set URI, issuer URI, audience, and authorities mapping configuration for each issuer. A minimum of
+	 * one issuer is required. <b>Properties defined here are a replacement for spring.security.oauth2.resourceserver.jwt.*</b> (which will be
+	 * ignored). Authorities mapping defined there is used by both client and resource server filter-chains.
+	 */
+	private List<OpenidProviderProperties> ops = List.of();
 
+	/**
+	 * Auto-configuration for an OAuth2 client (secured with session, not access token) Security(Web)FilterChain with
+	 * &#64;Order(Ordered.LOWEST_PRECEDENCE - 1). Typical use-cases are spring-cloud-gateway used as BFF and applications with Thymeleaf or
+	 * another server-side rendering framework. Default configuration includes: enabled sessions, CSRF protection, "oauth2Login", "logout".
+	 * securityMatchers must be set for this filter-chain &#64;Bean and its dependencies to be defined. <b>Properties defined here are a
+	 * complement for spring.security.oauth2.client.*</b> (which are required when enabling spring-addons client filter-chain).
+	 */
+	@NestedConfigurationProperty
+	private SpringAddonsOidcClientProperties client = new SpringAddonsOidcClientProperties();
+
+	/**
+	 * Auto-configuration for an OAuth2 resource server Security(Web)FilterChain with &#64;Order(LOWEST_PRECEDENCE). Typical use case is a REST
+	 * API secured with access tokens. Default configuration is as follow: no securityMatcher to process all the requests that were not
+	 * intercepted by higher &#64;Order Security(Web)FilterChains, no session, disabled CSRF protection, and 401 to unauthorized requests.
+	 */
+	@NestedConfigurationProperty
+	private SpringAddonsOidcResourceServerProperties resourceserver = new SpringAddonsOidcResourceServerProperties();
+
+	/**
+	 * OpenID Providers configuration. A minimum of one issuer is required. <b>Properties defined here are a replacement for
+	 * spring.security.oauth2.resourceserver.jwt.*</b> (which will be ignored). Authorities mapping defined here is used by both client and
+	 * resource server filter-chains.
+	 *
+	 * @author Jerome Wacongne ch4mp&#64;c4-soft.com
+	 */
+	@Data
+	@ConfigurationProperties
+	static public class OpenidProviderProperties {
+		/**
+		 * <p>
+		 * Must be exactly the same as in access tokens (even trailing slash, if any, is important). In case of doubt, open one of your access
+		 * tokens with a tool like <a href="https://jwt.io">https://jwt.io</a>.
+		 * <p>
+		 */
+		private URI iss;
+
+		/**
+		 * Can be omitted if OpenID configuration can be retrieved from ${iss}/.well-known/openid-configuration
+		 */
+		private URI jwkSetUri;
+
+		/**
+		 * Can be omitted. Will insert an audience validator if not null or empty
+		 */
+		private String aud;
+
+		/**
+		 * Authorities mapping configuration, per claim
+		 */
+		private List<SimpleAuthoritiesMappingProperties> authorities = List.of();
+
+		/**
+		 * JSON path for the claim to use as "name" source
+		 */
+		private String usernameClaim = StandardClaimNames.SUB;
+
+		@Data
+		@ConfigurationProperties
+		public static class SimpleAuthoritiesMappingProperties {
+			/**
+			 * JSON path of the claim(s) to map with this properties
+			 */
+			private String path = "$.realm_access.roles";
+
+			/**
+			 * What to prefix authorities with (for instance "ROLE_" or "SCOPE_")
+			 */
+			private String prefix = "";
+
+			/**
+			 * Whether to transform authorities to uppercase, lowercase, or to leave it unchanged
+			 */
+			private Case caze = Case.UNCHANGED;
+
+			public static enum Case {
+				UNCHANGED, UPPER, LOWER
+			}
+
+		}
+	}
 }
diff --git a/spring-addons-starter-oidc/src/test/java/com/c4_soft/springaddons/security/oidc/starter/ConfigurableJwtGrantedAuthoritiesConverterTest.java b/spring-addons-starter-oidc/src/test/java/com/c4_soft/springaddons/security/oidc/starter/ConfigurableJwtGrantedAuthoritiesConverterTest.java
index 68323edd6..89d746ea1 100644
--- a/spring-addons-starter-oidc/src/test/java/com/c4_soft/springaddons/security/oidc/starter/ConfigurableJwtGrantedAuthoritiesConverterTest.java
+++ b/spring-addons-starter-oidc/src/test/java/com/c4_soft/springaddons/security/oidc/starter/ConfigurableJwtGrantedAuthoritiesConverterTest.java
@@ -15,10 +15,10 @@
 import org.springframework.security.oauth2.jwt.JwtClaimNames;
 
 import com.c4_soft.springaddons.security.oidc.OpenidClaimSet;
-import com.c4_soft.springaddons.security.oidc.starter.properties.OpenidProviderProperties;
-import com.c4_soft.springaddons.security.oidc.starter.properties.SimpleAuthoritiesMappingProperties;
-import com.c4_soft.springaddons.security.oidc.starter.properties.SimpleAuthoritiesMappingProperties.Case;
 import com.c4_soft.springaddons.security.oidc.starter.properties.SpringAddonsOidcProperties;
+import com.c4_soft.springaddons.security.oidc.starter.properties.SpringAddonsOidcProperties.OpenidProviderProperties;
+import com.c4_soft.springaddons.security.oidc.starter.properties.SpringAddonsOidcProperties.OpenidProviderProperties.SimpleAuthoritiesMappingProperties;
+import com.c4_soft.springaddons.security.oidc.starter.properties.SpringAddonsOidcProperties.OpenidProviderProperties.SimpleAuthoritiesMappingProperties.Case;
 
 public class ConfigurableJwtGrantedAuthoritiesConverterTest {