|
@@ -1,5 +1,5 @@
|
|
|
/*
|
|
/*
|
|
|
- * Copyright 2002-2020 the original author or authors.
|
|
|
|
|
|
|
+ * Copyright 2002-2022 the original author or authors.
|
|
|
*
|
|
*
|
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
* you may not use this file except in compliance with the License.
|
|
* you may not use this file except in compliance with the License.
|
|
@@ -16,7 +16,6 @@
|
|
|
|
|
|
|
|
package org.springframework.security.oauth2.client.web.reactive.function.client;
|
|
package org.springframework.security.oauth2.client.web.reactive.function.client;
|
|
|
|
|
|
|
|
-import java.time.Duration;
|
|
|
|
|
import java.util.Collections;
|
|
import java.util.Collections;
|
|
|
import java.util.HashMap;
|
|
import java.util.HashMap;
|
|
|
import java.util.Map;
|
|
import java.util.Map;
|
|
@@ -38,18 +37,14 @@ import org.springframework.security.core.Authentication;
|
|
|
import org.springframework.security.core.authority.AuthorityUtils;
|
|
import org.springframework.security.core.authority.AuthorityUtils;
|
|
|
import org.springframework.security.core.context.SecurityContextHolder;
|
|
import org.springframework.security.core.context.SecurityContextHolder;
|
|
|
import org.springframework.security.oauth2.client.ClientAuthorizationException;
|
|
import org.springframework.security.oauth2.client.ClientAuthorizationException;
|
|
|
-import org.springframework.security.oauth2.client.ClientCredentialsOAuth2AuthorizedClientProvider;
|
|
|
|
|
import org.springframework.security.oauth2.client.OAuth2AuthorizationFailureHandler;
|
|
import org.springframework.security.oauth2.client.OAuth2AuthorizationFailureHandler;
|
|
|
import org.springframework.security.oauth2.client.OAuth2AuthorizeRequest;
|
|
import org.springframework.security.oauth2.client.OAuth2AuthorizeRequest;
|
|
|
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
|
|
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
|
|
|
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
|
|
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
|
|
|
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProvider;
|
|
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProvider;
|
|
|
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder;
|
|
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder;
|
|
|
-import org.springframework.security.oauth2.client.RefreshTokenOAuth2AuthorizedClientProvider;
|
|
|
|
|
import org.springframework.security.oauth2.client.RemoveAuthorizedClientOAuth2AuthorizationFailureHandler;
|
|
import org.springframework.security.oauth2.client.RemoveAuthorizedClientOAuth2AuthorizationFailureHandler;
|
|
|
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
|
|
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
|
|
|
-import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient;
|
|
|
|
|
-import org.springframework.security.oauth2.client.endpoint.OAuth2ClientCredentialsGrantRequest;
|
|
|
|
|
import org.springframework.security.oauth2.client.registration.ClientRegistration;
|
|
import org.springframework.security.oauth2.client.registration.ClientRegistration;
|
|
|
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
|
|
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
|
|
|
import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizedClientManager;
|
|
import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizedClientManager;
|
|
@@ -150,16 +145,8 @@ public final class ServletOAuth2AuthorizedClientExchangeFilterFunction implement
|
|
|
private static final Authentication ANONYMOUS_AUTHENTICATION = new AnonymousAuthenticationToken("anonymous",
|
|
private static final Authentication ANONYMOUS_AUTHENTICATION = new AnonymousAuthenticationToken("anonymous",
|
|
|
"anonymousUser", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
|
|
"anonymousUser", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
|
|
|
|
|
|
|
|
- @Deprecated
|
|
|
|
|
- private Duration accessTokenExpiresSkew = Duration.ofMinutes(1);
|
|
|
|
|
-
|
|
|
|
|
- @Deprecated
|
|
|
|
|
- private OAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> clientCredentialsTokenResponseClient;
|
|
|
|
|
-
|
|
|
|
|
private OAuth2AuthorizedClientManager authorizedClientManager;
|
|
private OAuth2AuthorizedClientManager authorizedClientManager;
|
|
|
|
|
|
|
|
- private boolean defaultAuthorizedClientManager;
|
|
|
|
|
-
|
|
|
|
|
private boolean defaultOAuth2AuthorizedClient;
|
|
private boolean defaultOAuth2AuthorizedClient;
|
|
|
|
|
|
|
|
private String defaultClientRegistrationId;
|
|
private String defaultClientRegistrationId;
|
|
@@ -224,7 +211,6 @@ public final class ServletOAuth2AuthorizedClientExchangeFilterFunction implement
|
|
|
clientRegistrationRepository, authorizedClientRepository);
|
|
clientRegistrationRepository, authorizedClientRepository);
|
|
|
defaultAuthorizedClientManager.setAuthorizationFailureHandler(authorizationFailureHandler);
|
|
defaultAuthorizedClientManager.setAuthorizationFailureHandler(authorizationFailureHandler);
|
|
|
this.authorizedClientManager = defaultAuthorizedClientManager;
|
|
this.authorizedClientManager = defaultAuthorizedClientManager;
|
|
|
- this.defaultAuthorizedClientManager = true;
|
|
|
|
|
this.clientResponseHandler = new AuthorizationFailureForwarder(authorizationFailureHandler);
|
|
this.clientResponseHandler = new AuthorizationFailureForwarder(authorizationFailureHandler);
|
|
|
}
|
|
}
|
|
|
|
|
|
|
@@ -235,52 +221,6 @@ public final class ServletOAuth2AuthorizedClientExchangeFilterFunction implement
|
|
|
authorizedClientRepository.removeAuthorizedClient(clientRegistrationId, principal, request, response);
|
|
authorizedClientRepository.removeAuthorizedClient(clientRegistrationId, principal, request, response);
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
- /**
|
|
|
|
|
- * Sets the {@link OAuth2AccessTokenResponseClient} used for getting an
|
|
|
|
|
- * {@link OAuth2AuthorizedClient} for the client_credentials grant.
|
|
|
|
|
- * @param clientCredentialsTokenResponseClient the client to use
|
|
|
|
|
- * @deprecated Use
|
|
|
|
|
- * {@link #ServletOAuth2AuthorizedClientExchangeFilterFunction(OAuth2AuthorizedClientManager)}
|
|
|
|
|
- * instead. Create an instance of
|
|
|
|
|
- * {@link ClientCredentialsOAuth2AuthorizedClientProvider} configured with a
|
|
|
|
|
- * {@link ClientCredentialsOAuth2AuthorizedClientProvider#setAccessTokenResponseClient(OAuth2AccessTokenResponseClient)
|
|
|
|
|
- * DefaultClientCredentialsTokenResponseClient} (or a custom one) and than supply it
|
|
|
|
|
- * to
|
|
|
|
|
- * {@link DefaultOAuth2AuthorizedClientManager#setAuthorizedClientProvider(OAuth2AuthorizedClientProvider)
|
|
|
|
|
- * DefaultOAuth2AuthorizedClientManager}.
|
|
|
|
|
- */
|
|
|
|
|
- @Deprecated
|
|
|
|
|
- public void setClientCredentialsTokenResponseClient(
|
|
|
|
|
- OAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> clientCredentialsTokenResponseClient) {
|
|
|
|
|
- Assert.notNull(clientCredentialsTokenResponseClient, "clientCredentialsTokenResponseClient cannot be null");
|
|
|
|
|
- Assert.state(this.defaultAuthorizedClientManager,
|
|
|
|
|
- "The client cannot be set when the constructor used is \"ServletOAuth2AuthorizedClientExchangeFilterFunction(OAuth2AuthorizedClientManager)\". "
|
|
|
|
|
- + "Instead, use the constructor \"ServletOAuth2AuthorizedClientExchangeFilterFunction(ClientRegistrationRepository, OAuth2AuthorizedClientRepository)\".");
|
|
|
|
|
- this.clientCredentialsTokenResponseClient = clientCredentialsTokenResponseClient;
|
|
|
|
|
- updateDefaultAuthorizedClientManager();
|
|
|
|
|
- }
|
|
|
|
|
-
|
|
|
|
|
- private void updateDefaultAuthorizedClientManager() {
|
|
|
|
|
- // @formatter:off
|
|
|
|
|
- OAuth2AuthorizedClientProvider authorizedClientProvider = OAuth2AuthorizedClientProviderBuilder.builder()
|
|
|
|
|
- .authorizationCode()
|
|
|
|
|
- .refreshToken((configurer) -> configurer.clockSkew(this.accessTokenExpiresSkew))
|
|
|
|
|
- .clientCredentials(this::updateClientCredentialsProvider)
|
|
|
|
|
- .password((configurer) -> configurer.clockSkew(this.accessTokenExpiresSkew))
|
|
|
|
|
- .build();
|
|
|
|
|
- // @formatter:on
|
|
|
|
|
- ((DefaultOAuth2AuthorizedClientManager) this.authorizedClientManager)
|
|
|
|
|
- .setAuthorizedClientProvider(authorizedClientProvider);
|
|
|
|
|
- }
|
|
|
|
|
-
|
|
|
|
|
- private void updateClientCredentialsProvider(
|
|
|
|
|
- OAuth2AuthorizedClientProviderBuilder.ClientCredentialsGrantBuilder builder) {
|
|
|
|
|
- if (this.clientCredentialsTokenResponseClient != null) {
|
|
|
|
|
- builder.accessTokenResponseClient(this.clientCredentialsTokenResponseClient);
|
|
|
|
|
- }
|
|
|
|
|
- builder.clockSkew(this.accessTokenExpiresSkew);
|
|
|
|
|
- }
|
|
|
|
|
-
|
|
|
|
|
/**
|
|
/**
|
|
|
* If true, a default {@link OAuth2AuthorizedClient} can be discovered from the
|
|
* If true, a default {@link OAuth2AuthorizedClient} can be discovered from the
|
|
|
* current Authentication. It is recommended to be cautious with this feature since
|
|
* current Authentication. It is recommended to be cautious with this feature since
|
|
@@ -393,27 +333,6 @@ public final class ServletOAuth2AuthorizedClientExchangeFilterFunction implement
|
|
|
return (attributes) -> attributes.put(HTTP_SERVLET_RESPONSE_ATTR_NAME, response);
|
|
return (attributes) -> attributes.put(HTTP_SERVLET_RESPONSE_ATTR_NAME, response);
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
- /**
|
|
|
|
|
- * An access token will be considered expired by comparing its expiration to now +
|
|
|
|
|
- * this skewed Duration. The default is 1 minute.
|
|
|
|
|
- * @param accessTokenExpiresSkew the Duration to use.
|
|
|
|
|
- * @deprecated The {@code accessTokenExpiresSkew} should be configured with the
|
|
|
|
|
- * specific {@link OAuth2AuthorizedClientProvider} implementation, e.g.
|
|
|
|
|
- * {@link ClientCredentialsOAuth2AuthorizedClientProvider#setClockSkew(Duration)
|
|
|
|
|
- * ClientCredentialsOAuth2AuthorizedClientProvider} or
|
|
|
|
|
- * {@link RefreshTokenOAuth2AuthorizedClientProvider#setClockSkew(Duration)
|
|
|
|
|
- * RefreshTokenOAuth2AuthorizedClientProvider}.
|
|
|
|
|
- */
|
|
|
|
|
- @Deprecated
|
|
|
|
|
- public void setAccessTokenExpiresSkew(Duration accessTokenExpiresSkew) {
|
|
|
|
|
- Assert.notNull(accessTokenExpiresSkew, "accessTokenExpiresSkew cannot be null");
|
|
|
|
|
- Assert.state(this.defaultAuthorizedClientManager,
|
|
|
|
|
- "The accessTokenExpiresSkew cannot be set when the constructor used is \"ServletOAuth2AuthorizedClientExchangeFilterFunction(OAuth2AuthorizedClientManager)\". "
|
|
|
|
|
- + "Instead, use the constructor \"ServletOAuth2AuthorizedClientExchangeFilterFunction(ClientRegistrationRepository, OAuth2AuthorizedClientRepository)\".");
|
|
|
|
|
- this.accessTokenExpiresSkew = accessTokenExpiresSkew;
|
|
|
|
|
- updateDefaultAuthorizedClientManager();
|
|
|
|
|
- }
|
|
|
|
|
-
|
|
|
|
|
/**
|
|
/**
|
|
|
* Sets the {@link OAuth2AuthorizationFailureHandler} that handles authentication and
|
|
* Sets the {@link OAuth2AuthorizationFailureHandler} that handles authentication and
|
|
|
* authorization failures when communicating to the OAuth 2.0 Resource Server.
|
|
* authorization failures when communicating to the OAuth 2.0 Resource Server.
|
Joe Grandja