Reputation: 21
I have an OAuth authorization server running with spring-security-oauth2-authorization-server 0.2.3. I have the Spring Boot Actuator endpoints enabled so that Spring Boot Admin can pull Actuator data from the application. I am able to view HTTP trace information, but the information only includes requests to the one custom endpoint that I mapped in a controller for my custom authorization consent page. There is no HTTP trace information being reported for requests made to the OAuth /authorize or /token endpoints. I have checked the Actuator HTTP trace responses in both Spring Boot Admin and by directly hitting the /httptrace Actuator endpoint on the application. I feel like this is a case of filter ordering, but I don't know enough about when/where Actuator HTTP trace data is captured in the request chain. How do I enable HTTP trace reporting for the OAuth endpoints implemented by the spring-security-oauth2-authorization-server library?
Upvotes: 1
Views: 1109
Reputation: 21
Posted an issue on the spring-authorization-server project board and got some help with a solution. Turns out that it is indeed a filter ordering problem. The fix is to declare an HttpTraceFilter bean with a higher precedence than the Spring Security filter chain by doing the following:
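    import org.springframework.boot.actuate.trace.http.HttpExchangeTracer;
    import org.springframework.boot.actuate.trace.http.HttpTraceRepository;
    import org.springframework.boot.actuate.web.trace.servlet.HttpTraceFilter;
    import org.springframework.boot.autoconfigure.security.SecurityProperties;
    import org.springframework.context.annotation.Bean;

    // Declare inside a @Configuration class.
    @Bean
    HttpTraceFilter httpTraceFilter(final HttpTraceRepository repository,
                                    final HttpExchangeTracer tracer,
                                    final SecurityProperties securityProperties) {
        final HttpTraceFilter httpTraceFilter = new HttpTraceFilter(repository, tracer);
        // A lower order value runs earlier, so this places tracing just ahead of Spring Security.
        httpTraceFilter.setOrder(securityProperties.getFilter().getOrder() - 1);
        return httpTraceFilter;
    }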
I'm leaving the issue on the Spring project open in hopes that this is incorporated in the library to provide functional tracing as default behavior.
Upvotes: 1
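The ordering effect described in the answer, as an added example that is not code from the post or from Spring: a plain-Java model of an ordered filter chain in which the security filter answers the protocol endpoints itself and never passes them on. The class and method names, the `/consent` path, and the order values (-100 for the security filter, `Integer.MAX_VALUE - 10` for the trace filter's default) are assumptions made for illustration.

```java
import java.util.*;

// Simplified model of servlet filter ordering; these are not Spring's classes.
public class FilterOrderDemo {
    interface Chain { void next(String path); }
    interface Filter { int order(); void doFilter(String path, Chain chain); }

    // Stand-in for HttpTraceFilter: records every request that reaches it.
    static Filter trace(int order, List<String> seen) {
        return new Filter() {
            public int order() { return order; }
            public void doFilter(String path, Chain chain) { seen.add(path); chain.next(path); }
        };
    }

    // Stand-in for the security filter chain: the OAuth endpoints are answered
    // inside it, so the request is never handed to filters further down.
    static Filter security(int order) {
        return new Filter() {
            public int order() { return order; }
            public void doFilter(String path, Chain chain) {
                if (path.equals("/authorize") || path.equals("/token")) return;
                chain.next(path);
            }
        };
    }

    // Sends each path through both filters and returns what the trace filter saw.
    static List<String> run(int traceOrder, int securityOrder, String... paths) {
        List<String> seen = new ArrayList<>();
        List<Filter> filters = new ArrayList<>(List.of(trace(traceOrder, seen), security(securityOrder)));
        filters.sort(Comparator.comparingInt(Filter::order)); // lower value runs first
        for (String p : paths) dispatch(filters, 0, p);
        return seen;
    }

    static void dispatch(List<Filter> filters, int i, String path) {
        if (i < filters.size()) filters.get(i).doFilter(path, p -> dispatch(filters, i + 1, p));
    }

    public static void main(String[] args) {
        int securityOrder = -100; // assumed result of securityProperties.getFilter().getOrder()
        String[] paths = {"/authorize", "/token", "/consent"}; // "/consent" is a hypothetical controller path
        // Trace filter ordered after security (the setup from the question).
        System.out.println(run(Integer.MAX_VALUE - 10, securityOrder, paths));
        // Trace filter at securityOrder - 1 (the setup from the answer).
        System.out.println(run(securityOrder - 1, securityOrder, paths));
    }
}
```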