|
|
@@ -1,596 +1,21 @@
|
|
|
-[[webflux-oauth2-client]]
|
|
|
-= OAuth 2.0 Client
|
|
|
-
|
|
|
-The OAuth 2.0 Client features provide support for the Client role as defined in the https://tools.ietf.org/html/rfc6749#section-1.1[OAuth 2.0 Authorization Framework].
|
|
|
-
|
|
|
-At a high-level, the core features available are:
|
|
|
-
|
|
|
-.Authorization Grant support
|
|
|
-* https://tools.ietf.org/html/rfc6749#section-1.3.1[Authorization Code]
|
|
|
-* https://tools.ietf.org/html/rfc6749#section-6[Refresh Token]
|
|
|
-* https://tools.ietf.org/html/rfc6749#section-1.3.4[Client Credentials]
|
|
|
-* https://tools.ietf.org/html/rfc6749#section-1.3.3[Resource Owner Password Credentials]
|
|
|
-* https://datatracker.ietf.org/doc/html/rfc7523#section-2.1[JWT Bearer]
|
|
|
-
|
|
|
-.Client Authentication support
|
|
|
-* https://datatracker.ietf.org/doc/html/rfc7523#section-2.2[JWT Bearer]
|
|
|
-
|
|
|
-.HTTP Client support
|
|
|
-* <<oauth2Client-webclient-webflux, `WebClient` integration for Reactive Environments>> (for requesting protected resources)
|
|
|
-
|
|
|
-The `ServerHttpSecurity.oauth2Client()` DSL provides a number of configuration options for customizing the core components used by OAuth 2.0 Client.
|
|
|
-
|
|
|
-The following code shows the complete configuration options provided by the `ServerHttpSecurity.oauth2Client()` DSL:
|
|
|
-
|
|
|
-.OAuth2 Client Configuration Options
|
|
|
-====
|
|
|
-.Java
|
|
|
-[source,java,role="primary"]
|
|
|
-----
|
|
|
-@EnableWebFluxSecurity
|
|
|
-public class OAuth2ClientSecurityConfig {
|
|
|
-
|
|
|
- @Bean
|
|
|
- public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
|
|
|
- http
|
|
|
- .oauth2Client(oauth2 -> oauth2
|
|
|
- .clientRegistrationRepository(this.clientRegistrationRepository())
|
|
|
- .authorizedClientRepository(this.authorizedClientRepository())
|
|
|
- .authorizationRequestRepository(this.authorizationRequestRepository())
|
|
|
- .authenticationConverter(this.authenticationConverter())
|
|
|
- .authenticationManager(this.authenticationManager())
|
|
|
- );
|
|
|
-
|
|
|
- return http.build();
|
|
|
- }
|
|
|
-}
|
|
|
-----
|
|
|
-
|
|
|
-.Kotlin
|
|
|
-[source,kotlin,role="secondary"]
|
|
|
-----
|
|
|
-@EnableWebFluxSecurity
|
|
|
-class OAuth2ClientSecurityConfig {
|
|
|
-
|
|
|
- @Bean
|
|
|
- fun securityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
|
|
|
- http {
|
|
|
- oauth2Client {
|
|
|
- clientRegistrationRepository = clientRegistrationRepository()
|
|
|
- authorizedClientRepository = authorizedClientRepository()
|
|
|
- authorizationRequestRepository = authorizedRequestRepository()
|
|
|
- authenticationConverter = authenticationConverter()
|
|
|
- authenticationManager = authenticationManager()
|
|
|
- }
|
|
|
- }
|
|
|
-
|
|
|
- return http.build()
|
|
|
- }
|
|
|
-}
|
|
|
-----
|
|
|
-====
|
|
|
-
|
|
|
-The `ReactiveOAuth2AuthorizedClientManager` is responsible for managing the authorization (or re-authorization) of an OAuth 2.0 Client, in collaboration with one or more `ReactiveOAuth2AuthorizedClientProvider`(s).
|
|
|
-
|
|
|
-The following code shows an example of how to register a `ReactiveOAuth2AuthorizedClientManager` `@Bean` and associate it with a `ReactiveOAuth2AuthorizedClientProvider` composite that provides support for the `authorization_code`, `refresh_token`, `client_credentials` and `password` authorization grant types:
|
|
|
-
|
|
|
-====
|
|
|
-.Java
|
|
|
-[source,java,role="primary"]
|
|
|
-----
|
|
|
-@Bean
|
|
|
-public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
|
|
|
- ReactiveClientRegistrationRepository clientRegistrationRepository,
|
|
|
- ServerOAuth2AuthorizedClientRepository authorizedClientRepository) {
|
|
|
-
|
|
|
- ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
|
|
|
- ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
|
|
|
- .authorizationCode()
|
|
|
- .refreshToken()
|
|
|
- .clientCredentials()
|
|
|
- .password()
|
|
|
- .build();
|
|
|
-
|
|
|
- DefaultReactiveOAuth2AuthorizedClientManager authorizedClientManager =
|
|
|
- new DefaultReactiveOAuth2AuthorizedClientManager(
|
|
|
- clientRegistrationRepository, authorizedClientRepository);
|
|
|
- authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
|
|
|
-
|
|
|
- return authorizedClientManager;
|
|
|
-}
|
|
|
-----
|
|
|
-
|
|
|
-.Kotlin
|
|
|
-[source,kotlin,role="secondary"]
|
|
|
-----
|
|
|
-@Bean
|
|
|
-fun authorizedClientManager(
|
|
|
- clientRegistrationRepository: ReactiveClientRegistrationRepository,
|
|
|
- authorizedClientRepository: ServerOAuth2AuthorizedClientRepository): ReactiveOAuth2AuthorizedClientManager {
|
|
|
- val authorizedClientProvider: ReactiveOAuth2AuthorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
|
|
|
- .authorizationCode()
|
|
|
- .refreshToken()
|
|
|
- .clientCredentials()
|
|
|
- .password()
|
|
|
- .build()
|
|
|
- val authorizedClientManager = DefaultReactiveOAuth2AuthorizedClientManager(
|
|
|
- clientRegistrationRepository, authorizedClientRepository)
|
|
|
- authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
|
|
|
- return authorizedClientManager
|
|
|
-}
|
|
|
-----
|
|
|
-====
|
|
|
-
|
|
|
-The following sections will go into more detail on the core components used by OAuth 2.0 Client and the configuration options available:
|
|
|
-
|
|
|
-* <<oauth2Client-core-interface-class>>
|
|
|
-** <<oauth2Client-client-registration, ClientRegistration>>
|
|
|
-** <<oauth2Client-client-registration-repo, ReactiveClientRegistrationRepository>>
|
|
|
-** <<oauth2Client-authorized-client, OAuth2AuthorizedClient>>
|
|
|
-** <<oauth2Client-authorized-repo-service, ServerOAuth2AuthorizedClientRepository / ReactiveOAuth2AuthorizedClientService>>
|
|
|
-** <<oauth2Client-authorized-manager-provider, ReactiveOAuth2AuthorizedClientManager / ReactiveOAuth2AuthorizedClientProvider>>
|
|
|
-* <<oauth2Client-auth-grant-support>>
|
|
|
-** <<oauth2Client-auth-code-grant, Authorization Code>>
|
|
|
-** <<oauth2Client-refresh-token-grant, Refresh Token>>
|
|
|
-** <<oauth2Client-client-creds-grant, Client Credentials>>
|
|
|
-** <<oauth2Client-password-grant, Resource Owner Password Credentials>>
|
|
|
-** <<oauth2Client-jwt-bearer-grant, JWT Bearer>>
|
|
|
-* <<oauth2Client-client-auth-support>>
|
|
|
-** <<oauth2Client-jwt-bearer-auth, JWT Bearer>>
|
|
|
-* <<oauth2Client-additional-features>>
|
|
|
-** <<oauth2Client-registered-authorized-client, Resolving an Authorized Client>>
|
|
|
-* <<oauth2Client-webclient-webflux>>
|
|
|
-
|
|
|
-
|
|
|
-[[oauth2Client-core-interface-class]]
|
|
|
-== Core Interfaces / Classes
|
|
|
-
|
|
|
-
|
|
|
-[[oauth2Client-client-registration]]
|
|
|
-=== ClientRegistration
|
|
|
-
|
|
|
-`ClientRegistration` is a representation of a client registered with an OAuth 2.0 or OpenID Connect 1.0 Provider.
|
|
|
-
|
|
|
-A client registration holds information, such as client id, client secret, authorization grant type, redirect URI, scope(s), authorization URI, token URI, and other details.
|
|
|
-
|
|
|
-`ClientRegistration` and its properties are defined as follows:
|
|
|
-
|
|
|
-[source,java]
|
|
|
-----
|
|
|
-public final class ClientRegistration {
|
|
|
- private String registrationId; <1>
|
|
|
- private String clientId; <2>
|
|
|
- private String clientSecret; <3>
|
|
|
- private ClientAuthenticationMethod clientAuthenticationMethod; <4>
|
|
|
- private AuthorizationGrantType authorizationGrantType; <5>
|
|
|
- private String redirectUri; <6>
|
|
|
- private Set<String> scopes; <7>
|
|
|
- private ProviderDetails providerDetails;
|
|
|
- private String clientName; <8>
|
|
|
-
|
|
|
- public class ProviderDetails {
|
|
|
- private String authorizationUri; <9>
|
|
|
- private String tokenUri; <10>
|
|
|
- private UserInfoEndpoint userInfoEndpoint;
|
|
|
- private String jwkSetUri; <11>
|
|
|
- private String issuerUri; <12>
|
|
|
- private Map<String, Object> configurationMetadata; <13>
|
|
|
-
|
|
|
- public class UserInfoEndpoint {
|
|
|
- private String uri; <14>
|
|
|
- private AuthenticationMethod authenticationMethod; <15>
|
|
|
- private String userNameAttributeName; <16>
|
|
|
-
|
|
|
- }
|
|
|
- }
|
|
|
-}
|
|
|
-----
|
|
|
-<1> `registrationId`: The ID that uniquely identifies the `ClientRegistration`.
|
|
|
-<2> `clientId`: The client identifier.
|
|
|
-<3> `clientSecret`: The client secret.
|
|
|
-<4> `clientAuthenticationMethod`: The method used to authenticate the Client with the Provider.
|
|
|
-The supported values are *client_secret_basic*, *client_secret_post*, *private_key_jwt*, *client_secret_jwt* and *none* https://tools.ietf.org/html/rfc6749#section-2.1[(public clients)].
|
|
|
-<5> `authorizationGrantType`: The OAuth 2.0 Authorization Framework defines four https://tools.ietf.org/html/rfc6749#section-1.3[Authorization Grant] types.
|
|
|
- The supported values are `authorization_code`, `client_credentials`, `password`, as well as, extension grant type `urn:ietf:params:oauth:grant-type:jwt-bearer`.
|
|
|
-<6> `redirectUri`: The client's registered redirect URI that the _Authorization Server_ redirects the end-user's user-agent
|
|
|
- to after the end-user has authenticated and authorized access to the client.
|
|
|
-<7> `scopes`: The scope(s) requested by the client during the Authorization Request flow, such as openid, email, or profile.
|
|
|
-<8> `clientName`: A descriptive name used for the client.
|
|
|
-The name may be used in certain scenarios, such as when displaying the name of the client in the auto-generated login page.
|
|
|
-<9> `authorizationUri`: The Authorization Endpoint URI for the Authorization Server.
|
|
|
-<10> `tokenUri`: The Token Endpoint URI for the Authorization Server.
|
|
|
-<11> `jwkSetUri`: The URI used to retrieve the https://tools.ietf.org/html/rfc7517[JSON Web Key (JWK)] Set from the Authorization Server,
|
|
|
- which contains the cryptographic key(s) used to verify the https://tools.ietf.org/html/rfc7515[JSON Web Signature (JWS)] of the ID Token and optionally the UserInfo Response.
|
|
|
-<12> `issuerUri`: Returns the issuer identifier uri for the OpenID Connect 1.0 provider or the OAuth 2.0 Authorization Server.
|
|
|
-<13> `configurationMetadata`: The https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig[OpenID Provider Configuration Information].
|
|
|
- This information will only be available if the Spring Boot 2.x property `spring.security.oauth2.client.provider.[providerId].issuerUri` is configured.
|
|
|
-<14> `(userInfoEndpoint)uri`: The UserInfo Endpoint URI used to access the claims/attributes of the authenticated end-user.
|
|
|
-<15> `(userInfoEndpoint)authenticationMethod`: The authentication method used when sending the access token to the UserInfo Endpoint.
|
|
|
-The supported values are *header*, *form* and *query*.
|
|
|
-<16> `userNameAttributeName`: The name of the attribute returned in the UserInfo Response that references the Name or Identifier of the end-user.
|
|
|
-
|
|
|
-A `ClientRegistration` can be initially configured using discovery of an OpenID Connect Provider's https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig[Configuration endpoint] or an Authorization Server's https://tools.ietf.org/html/rfc8414#section-3[Metadata endpoint].
|
|
|
-
|
|
|
-`ClientRegistrations` provides convenience methods for configuring a `ClientRegistration` in this way, as can be seen in the following example:
|
|
|
-
|
|
|
-====
|
|
|
-.Java
|
|
|
-[source,java,role="primary"]
|
|
|
-----
|
|
|
-ClientRegistration clientRegistration =
|
|
|
- ClientRegistrations.fromIssuerLocation("https://idp.example.com/issuer").build();
|
|
|
-----
|
|
|
-
|
|
|
-.Kotlin
|
|
|
-[source,kotlin,role="secondary"]
|
|
|
-----
|
|
|
-val clientRegistration = ClientRegistrations.fromIssuerLocation("https://idp.example.com/issuer").build()
|
|
|
-----
|
|
|
-====
|
|
|
-
|
|
|
-The above code will query in series `https://idp.example.com/issuer/.well-known/openid-configuration`, and then `https://idp.example.com/.well-known/openid-configuration/issuer`, and finally `https://idp.example.com/.well-known/oauth-authorization-server/issuer`, stopping at the first to return a 200 response.
|
|
|
-
|
|
|
-As an alternative, you can use `ClientRegistrations.fromOidcIssuerLocation()` to only query the OpenID Connect Provider's Configuration endpoint.
|
|
|
-
|
|
|
-[[oauth2Client-client-registration-repo]]
|
|
|
-=== ReactiveClientRegistrationRepository
|
|
|
-
|
|
|
-The `ReactiveClientRegistrationRepository` serves as a repository for OAuth 2.0 / OpenID Connect 1.0 `ClientRegistration`(s).
|
|
|
-
|
|
|
-[NOTE]
|
|
|
-Client registration information is ultimately stored and owned by the associated Authorization Server.
|
|
|
-This repository provides the ability to retrieve a sub-set of the primary client registration information, which is stored with the Authorization Server.
|
|
|
-
|
|
|
-Spring Boot 2.x auto-configuration binds each of the properties under `spring.security.oauth2.client.registration._[registrationId]_` to an instance of `ClientRegistration` and then composes each of the `ClientRegistration` instance(s) within a `ReactiveClientRegistrationRepository`.
|
|
|
-
|
|
|
-[NOTE]
|
|
|
-The default implementation of `ReactiveClientRegistrationRepository` is `InMemoryReactiveClientRegistrationRepository`.
|
|
|
-
|
|
|
-The auto-configuration also registers the `ReactiveClientRegistrationRepository` as a `@Bean` in the `ApplicationContext` so that it is available for dependency-injection, if needed by the application.
|
|
|
-
|
|
|
-The following listing shows an example:
|
|
|
-
|
|
|
-====
|
|
|
-.Java
|
|
|
-[source,java,role="primary"]
|
|
|
-----
|
|
|
-@Controller
|
|
|
-public class OAuth2ClientController {
|
|
|
-
|
|
|
- @Autowired
|
|
|
- private ReactiveClientRegistrationRepository clientRegistrationRepository;
|
|
|
-
|
|
|
- @GetMapping("/")
|
|
|
- public Mono<String> index() {
|
|
|
- return this.clientRegistrationRepository.findByRegistrationId("okta")
|
|
|
- ...
|
|
|
- .thenReturn("index");
|
|
|
- }
|
|
|
-}
|
|
|
-----
|
|
|
-
|
|
|
-.Kotlin
|
|
|
-[source,kotlin,role="secondary"]
|
|
|
-----
|
|
|
-@Controller
|
|
|
-class OAuth2ClientController {
|
|
|
-
|
|
|
- @Autowired
|
|
|
- private lateinit var clientRegistrationRepository: ReactiveClientRegistrationRepository
|
|
|
-
|
|
|
- @GetMapping("/")
|
|
|
- fun index(): Mono<String> {
|
|
|
- return this.clientRegistrationRepository.findByRegistrationId("okta")
|
|
|
- ...
|
|
|
- .thenReturn("index")
|
|
|
- }
|
|
|
-}
|
|
|
-----
|
|
|
-====
|
|
|
-
|
|
|
-[[oauth2Client-authorized-client]]
|
|
|
-=== OAuth2AuthorizedClient
|
|
|
-
|
|
|
-`OAuth2AuthorizedClient` is a representation of an Authorized Client.
|
|
|
-A client is considered to be authorized when the end-user (Resource Owner) has granted authorization to the client to access its protected resources.
|
|
|
-
|
|
|
-`OAuth2AuthorizedClient` serves the purpose of associating an `OAuth2AccessToken` (and optional `OAuth2RefreshToken`) to a `ClientRegistration` (client) and resource owner, who is the `Principal` end-user that granted the authorization.
|
|
|
-
|
|
|
-
|
|
|
-[[oauth2Client-authorized-repo-service]]
|
|
|
-=== ServerOAuth2AuthorizedClientRepository / ReactiveOAuth2AuthorizedClientService
|
|
|
-
|
|
|
-`ServerOAuth2AuthorizedClientRepository` is responsible for persisting `OAuth2AuthorizedClient`(s) between web requests.
|
|
|
-Whereas, the primary role of `ReactiveOAuth2AuthorizedClientService` is to manage `OAuth2AuthorizedClient`(s) at the application-level.
|
|
|
-
|
|
|
-From a developer perspective, the `ServerOAuth2AuthorizedClientRepository` or `ReactiveOAuth2AuthorizedClientService` provides the capability to lookup an `OAuth2AccessToken` associated with a client so that it may be used to initiate a protected resource request.
|
|
|
-
|
|
|
-The following listing shows an example:
|
|
|
-
|
|
|
-====
|
|
|
-.Java
|
|
|
-[source,java,role="primary"]
|
|
|
-----
|
|
|
-@Controller
|
|
|
-public class OAuth2ClientController {
|
|
|
-
|
|
|
- @Autowired
|
|
|
- private ReactiveOAuth2AuthorizedClientService authorizedClientService;
|
|
|
-
|
|
|
- @GetMapping("/")
|
|
|
- public Mono<String> index(Authentication authentication) {
|
|
|
- return this.authorizedClientService.loadAuthorizedClient("okta", authentication.getName())
|
|
|
- .map(OAuth2AuthorizedClient::getAccessToken)
|
|
|
- ...
|
|
|
- .thenReturn("index");
|
|
|
- }
|
|
|
-}
|
|
|
-----
|
|
|
-
|
|
|
-.Kotlin
|
|
|
-[source,kotlin,role="secondary"]
|
|
|
-----
|
|
|
-@Controller
|
|
|
-class OAuth2ClientController {
|
|
|
-
|
|
|
- @Autowired
|
|
|
- private lateinit var authorizedClientService: ReactiveOAuth2AuthorizedClientService
|
|
|
-
|
|
|
- @GetMapping("/")
|
|
|
- fun index(authentication: Authentication): Mono<String> {
|
|
|
- return this.authorizedClientService.loadAuthorizedClient<OAuth2AuthorizedClient>("okta", authentication.name)
|
|
|
- .map { it.accessToken }
|
|
|
- ...
|
|
|
- .thenReturn("index")
|
|
|
- }
|
|
|
-}
|
|
|
-----
|
|
|
-====
|
|
|
-
|
|
|
-[NOTE]
|
|
|
-Spring Boot 2.x auto-configuration registers an `ServerOAuth2AuthorizedClientRepository` and/or `ReactiveOAuth2AuthorizedClientService` `@Bean` in the `ApplicationContext`.
|
|
|
-However, the application may choose to override and register a custom `ServerOAuth2AuthorizedClientRepository` or `ReactiveOAuth2AuthorizedClientService` `@Bean`.
|
|
|
-
|
|
|
-The default implementation of `ReactiveOAuth2AuthorizedClientService` is `InMemoryReactiveOAuth2AuthorizedClientService`, which stores `OAuth2AuthorizedClient`(s) in-memory.
|
|
|
-
|
|
|
-Alternatively, the R2DBC implementation `R2dbcReactiveOAuth2AuthorizedClientService` may be configured for persisting `OAuth2AuthorizedClient`(s) in a database.
|
|
|
-
|
|
|
-[NOTE]
|
|
|
-`R2dbcReactiveOAuth2AuthorizedClientService` depends on the table definition described in xref:servlet/appendix/database-schema.adoc#dbschema-oauth2-client[ OAuth 2.0 Client Schema].
|
|
|
-
|
|
|
-
|
|
|
-[[oauth2Client-authorized-manager-provider]]
|
|
|
-=== ReactiveOAuth2AuthorizedClientManager / ReactiveOAuth2AuthorizedClientProvider
|
|
|
-
|
|
|
-The `ReactiveOAuth2AuthorizedClientManager` is responsible for the overall management of `OAuth2AuthorizedClient`(s).
|
|
|
-
|
|
|
-The primary responsibilities include:
|
|
|
-
|
|
|
-* Authorizing (or re-authorizing) an OAuth 2.0 Client, using a `ReactiveOAuth2AuthorizedClientProvider`.
|
|
|
-* Delegating the persistence of an `OAuth2AuthorizedClient`, typically using a `ReactiveOAuth2AuthorizedClientService` or `ServerOAuth2AuthorizedClientRepository`.
|
|
|
-* Delegating to a `ReactiveOAuth2AuthorizationSuccessHandler` when an OAuth 2.0 Client has been successfully authorized (or re-authorized).
|
|
|
-* Delegating to a `ReactiveOAuth2AuthorizationFailureHandler` when an OAuth 2.0 Client fails to authorize (or re-authorize).
|
|
|
-
|
|
|
-A `ReactiveOAuth2AuthorizedClientProvider` implements a strategy for authorizing (or re-authorizing) an OAuth 2.0 Client.
|
|
|
-Implementations will typically implement an authorization grant type, eg. `authorization_code`, `client_credentials`, etc.
|
|
|
-
|
|
|
-The default implementation of `ReactiveOAuth2AuthorizedClientManager` is `DefaultReactiveOAuth2AuthorizedClientManager`, which is associated with a `ReactiveOAuth2AuthorizedClientProvider` that may support multiple authorization grant types using a delegation-based composite.
|
|
|
-The `ReactiveOAuth2AuthorizedClientProviderBuilder` may be used to configure and build the delegation-based composite.
|
|
|
-
|
|
|
-The following code shows an example of how to configure and build a `ReactiveOAuth2AuthorizedClientProvider` composite that provides support for the `authorization_code`, `refresh_token`, `client_credentials` and `password` authorization grant types:
|
|
|
-
|
|
|
-====
|
|
|
-.Java
|
|
|
-[source,java,role="primary"]
|
|
|
-----
|
|
|
-@Bean
|
|
|
-public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
|
|
|
- ReactiveClientRegistrationRepository clientRegistrationRepository,
|
|
|
- ServerOAuth2AuthorizedClientRepository authorizedClientRepository) {
|
|
|
-
|
|
|
- ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
|
|
|
- ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
|
|
|
- .authorizationCode()
|
|
|
- .refreshToken()
|
|
|
- .clientCredentials()
|
|
|
- .password()
|
|
|
- .build();
|
|
|
-
|
|
|
- DefaultReactiveOAuth2AuthorizedClientManager authorizedClientManager =
|
|
|
- new DefaultReactiveOAuth2AuthorizedClientManager(
|
|
|
- clientRegistrationRepository, authorizedClientRepository);
|
|
|
- authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
|
|
|
-
|
|
|
- return authorizedClientManager;
|
|
|
-}
|
|
|
-----
|
|
|
-
|
|
|
-.Kotlin
|
|
|
-[source,kotlin,role="secondary"]
|
|
|
-----
|
|
|
-@Bean
|
|
|
-fun authorizedClientManager(
|
|
|
- clientRegistrationRepository: ReactiveClientRegistrationRepository,
|
|
|
- authorizedClientRepository: ServerOAuth2AuthorizedClientRepository): ReactiveOAuth2AuthorizedClientManager {
|
|
|
- val authorizedClientProvider: ReactiveOAuth2AuthorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
|
|
|
- .authorizationCode()
|
|
|
- .refreshToken()
|
|
|
- .clientCredentials()
|
|
|
- .password()
|
|
|
- .build()
|
|
|
- val authorizedClientManager = DefaultReactiveOAuth2AuthorizedClientManager(
|
|
|
- clientRegistrationRepository, authorizedClientRepository)
|
|
|
- authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
|
|
|
- return authorizedClientManager
|
|
|
-}
|
|
|
-----
|
|
|
-====
|
|
|
-
|
|
|
-When an authorization attempt succeeds, the `DefaultReactiveOAuth2AuthorizedClientManager` will delegate to the `ReactiveOAuth2AuthorizationSuccessHandler`, which (by default) will save the `OAuth2AuthorizedClient` via the `ServerOAuth2AuthorizedClientRepository`.
|
|
|
-In the case of a re-authorization failure, eg. a refresh token is no longer valid, the previously saved `OAuth2AuthorizedClient` will be removed from the `ServerOAuth2AuthorizedClientRepository` via the `RemoveAuthorizedClientReactiveOAuth2AuthorizationFailureHandler`.
|
|
|
-The default behaviour may be customized via `setAuthorizationSuccessHandler(ReactiveOAuth2AuthorizationSuccessHandler)` and `setAuthorizationFailureHandler(ReactiveOAuth2AuthorizationFailureHandler)`.
|
|
|
-
|
|
|
-The `DefaultReactiveOAuth2AuthorizedClientManager` is also associated with a `contextAttributesMapper` of type `Function<OAuth2AuthorizeRequest, Mono<Map<String, Object>>>`, which is responsible for mapping attribute(s) from the `OAuth2AuthorizeRequest` to a `Map` of attributes to be associated to the `OAuth2AuthorizationContext`.
|
|
|
-This can be useful when you need to supply a `ReactiveOAuth2AuthorizedClientProvider` with required (supported) attribute(s), eg. the `PasswordReactiveOAuth2AuthorizedClientProvider` requires the resource owner's `username` and `password` to be available in `OAuth2AuthorizationContext.getAttributes()`.
|
|
|
-
|
|
|
-The following code shows an example of the `contextAttributesMapper`:
|
|
|
-
|
|
|
-====
|
|
|
-.Java
|
|
|
-[source,java,role="primary"]
|
|
|
-----
|
|
|
-@Bean
|
|
|
-public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
|
|
|
- ReactiveClientRegistrationRepository clientRegistrationRepository,
|
|
|
- ServerOAuth2AuthorizedClientRepository authorizedClientRepository) {
|
|
|
-
|
|
|
- ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
|
|
|
- ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
|
|
|
- .password()
|
|
|
- .refreshToken()
|
|
|
- .build();
|
|
|
-
|
|
|
- DefaultReactiveOAuth2AuthorizedClientManager authorizedClientManager =
|
|
|
- new DefaultReactiveOAuth2AuthorizedClientManager(
|
|
|
- clientRegistrationRepository, authorizedClientRepository);
|
|
|
- authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
|
|
|
-
|
|
|
- // Assuming the `username` and `password` are supplied as `ServerHttpRequest` parameters,
|
|
|
- // map the `ServerHttpRequest` parameters to `OAuth2AuthorizationContext.getAttributes()`
|
|
|
- authorizedClientManager.setContextAttributesMapper(contextAttributesMapper());
|
|
|
-
|
|
|
- return authorizedClientManager;
|
|
|
-}
|
|
|
-
|
|
|
-private Function<OAuth2AuthorizeRequest, Mono<Map<String, Object>>> contextAttributesMapper() {
|
|
|
- return authorizeRequest -> {
|
|
|
- Map<String, Object> contextAttributes = Collections.emptyMap();
|
|
|
- ServerWebExchange exchange = authorizeRequest.getAttribute(ServerWebExchange.class.getName());
|
|
|
- ServerHttpRequest request = exchange.getRequest();
|
|
|
- String username = request.getQueryParams().getFirst(OAuth2ParameterNames.USERNAME);
|
|
|
- String password = request.getQueryParams().getFirst(OAuth2ParameterNames.PASSWORD);
|
|
|
- if (StringUtils.hasText(username) && StringUtils.hasText(password)) {
|
|
|
- contextAttributes = new HashMap<>();
|
|
|
-
|
|
|
- // `PasswordReactiveOAuth2AuthorizedClientProvider` requires both attributes
|
|
|
- contextAttributes.put(OAuth2AuthorizationContext.USERNAME_ATTRIBUTE_NAME, username);
|
|
|
- contextAttributes.put(OAuth2AuthorizationContext.PASSWORD_ATTRIBUTE_NAME, password);
|
|
|
- }
|
|
|
- return Mono.just(contextAttributes);
|
|
|
- };
|
|
|
-}
|
|
|
-----
|
|
|
-
|
|
|
-.Kotlin
|
|
|
-[source,kotlin,role="secondary"]
|
|
|
-----
|
|
|
-@Bean
|
|
|
-fun authorizedClientManager(
|
|
|
- clientRegistrationRepository: ReactiveClientRegistrationRepository,
|
|
|
- authorizedClientRepository: ServerOAuth2AuthorizedClientRepository): ReactiveOAuth2AuthorizedClientManager {
|
|
|
- val authorizedClientProvider: ReactiveOAuth2AuthorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
|
|
|
- .password()
|
|
|
- .refreshToken()
|
|
|
- .build()
|
|
|
- val authorizedClientManager = DefaultReactiveOAuth2AuthorizedClientManager(
|
|
|
- clientRegistrationRepository, authorizedClientRepository)
|
|
|
- authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
|
|
|
-
|
|
|
- // Assuming the `username` and `password` are supplied as `ServerHttpRequest` parameters,
|
|
|
- // map the `ServerHttpRequest` parameters to `OAuth2AuthorizationContext.getAttributes()`
|
|
|
- authorizedClientManager.setContextAttributesMapper(contextAttributesMapper())
|
|
|
- return authorizedClientManager
|
|
|
-}
|
|
|
-
|
|
|
-private fun contextAttributesMapper(): Function<OAuth2AuthorizeRequest, Mono<MutableMap<String, Any>>> {
|
|
|
- return Function { authorizeRequest ->
|
|
|
- var contextAttributes: MutableMap<String, Any> = mutableMapOf()
|
|
|
- val exchange: ServerWebExchange = authorizeRequest.getAttribute(ServerWebExchange::class.java.name)!!
|
|
|
- val request: ServerHttpRequest = exchange.request
|
|
|
- val username: String? = request.queryParams.getFirst(OAuth2ParameterNames.USERNAME)
|
|
|
- val password: String? = request.queryParams.getFirst(OAuth2ParameterNames.PASSWORD)
|
|
|
- if (StringUtils.hasText(username) && StringUtils.hasText(password)) {
|
|
|
- contextAttributes = hashMapOf()
|
|
|
-
|
|
|
- // `PasswordReactiveOAuth2AuthorizedClientProvider` requires both attributes
|
|
|
- contextAttributes[OAuth2AuthorizationContext.USERNAME_ATTRIBUTE_NAME] = username!!
|
|
|
- contextAttributes[OAuth2AuthorizationContext.PASSWORD_ATTRIBUTE_NAME] = password!!
|
|
|
- }
|
|
|
- Mono.just(contextAttributes)
|
|
|
- }
|
|
|
-}
|
|
|
-----
|
|
|
-====
|
|
|
-
|
|
|
-The `DefaultReactiveOAuth2AuthorizedClientManager` is designed to be used *_within_* the context of a `ServerWebExchange`.
|
|
|
-When operating *_outside_* of a `ServerWebExchange` context, use `AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager` instead.
|
|
|
-
|
|
|
-A _service application_ is a common use case for when to use an `AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager`.
|
|
|
-Service applications often run in the background, without any user interaction, and typically run under a system-level account instead of a user account.
|
|
|
-An OAuth 2.0 Client configured with the `client_credentials` grant type can be considered a type of service application.
|
|
|
-
|
|
|
-The following code shows an example of how to configure an `AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager` that provides support for the `client_credentials` grant type:
|
|
|
-
|
|
|
-====
|
|
|
-.Java
|
|
|
-[source,java,role="primary"]
|
|
|
-----
|
|
|
-@Bean
|
|
|
-public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
|
|
|
- ReactiveClientRegistrationRepository clientRegistrationRepository,
|
|
|
- ReactiveOAuth2AuthorizedClientService authorizedClientService) {
|
|
|
-
|
|
|
- ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
|
|
|
- ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
|
|
|
- .clientCredentials()
|
|
|
- .build();
|
|
|
-
|
|
|
- AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager authorizedClientManager =
|
|
|
- new AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager(
|
|
|
- clientRegistrationRepository, authorizedClientService);
|
|
|
- authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
|
|
|
-
|
|
|
- return authorizedClientManager;
|
|
|
-}
|
|
|
-----
|
|
|
-
|
|
|
-.Kotlin
|
|
|
-[source,kotlin,role="secondary"]
|
|
|
-----
|
|
|
-@Bean
|
|
|
-fun authorizedClientManager(
|
|
|
- clientRegistrationRepository: ReactiveClientRegistrationRepository,
|
|
|
- authorizedClientService: ReactiveOAuth2AuthorizedClientService): ReactiveOAuth2AuthorizedClientManager {
|
|
|
- val authorizedClientProvider: ReactiveOAuth2AuthorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
|
|
|
- .clientCredentials()
|
|
|
- .build()
|
|
|
- val authorizedClientManager = AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager(
|
|
|
- clientRegistrationRepository, authorizedClientService)
|
|
|
- authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
|
|
|
- return authorizedClientManager
|
|
|
-}
|
|
|
-----
|
|
|
-====
|
|
|
-
|
|
|
-
|
|
|
[[oauth2Client-auth-grant-support]]
|
|
|
-== Authorization Grant Support
|
|
|
+= Authorization Grant Support
|
|
|
|
|
|
|
|
|
[[oauth2Client-auth-code-grant]]
|
|
|
-=== Authorization Code
|
|
|
+== Authorization Code
|
|
|
|
|
|
[NOTE]
|
|
|
Please refer to the OAuth 2.0 Authorization Framework for further details on the https://tools.ietf.org/html/rfc6749#section-1.3.1[Authorization Code] grant.
|
|
|
|
|
|
|
|
|
-==== Obtaining Authorization
|
|
|
+=== Obtaining Authorization
|
|
|
|
|
|
[NOTE]
|
|
|
Please refer to the https://tools.ietf.org/html/rfc6749#section-4.1.1[Authorization Request/Response] protocol flow for the Authorization Code grant.
|
|
|
|
|
|
|
|
|
-==== Initiating the Authorization Request
|
|
|
+=== Initiating the Authorization Request
|
|
|
|
|
|
The `OAuth2AuthorizationRequestRedirectWebFilter` uses a `ServerOAuth2AuthorizationRequestResolver` to resolve an `OAuth2AuthorizationRequest` and initiate the Authorization Code grant flow by redirecting the end-user's user-agent to the Authorization Server's Authorization Endpoint.
|
|
|
|
|
|
@@ -671,7 +96,7 @@ spring:
|
|
|
Configuring the `redirect-uri` with `URI` template variables is especially useful when the OAuth 2.0 Client is running behind a xref:features/exploits/http.adoc#http-proxy-server[Proxy Server].
|
|
|
This ensures that the `X-Forwarded-*` headers are used when expanding the `redirect-uri`.
|
|
|
|
|
|
-==== Customizing the Authorization Request
|
|
|
+=== Customizing the Authorization Request
|
|
|
|
|
|
One of the primary use cases a `ServerOAuth2AuthorizationRequestResolver` can realize is the ability to customize the Authorization Request with additional parameters above the standard parameters defined in the OAuth 2.0 Authorization Framework.
|
|
|
|
|
|
@@ -818,7 +243,7 @@ private fun authorizationRequestCustomizer(): Consumer<OAuth2AuthorizationReques
|
|
|
====
|
|
|
|
|
|
|
|
|
-==== Storing the Authorization Request
|
|
|
+=== Storing the Authorization Request
|
|
|
|
|
|
The `ServerAuthorizationRequestRepository` is responsible for the persistence of the `OAuth2AuthorizationRequest` from the time the Authorization Request is initiated to the time the Authorization Response is received (the callback).
|
|
|
|
|
|
@@ -869,7 +294,7 @@ class OAuth2ClientSecurityConfig {
|
|
|
----
|
|
|
====
|
|
|
|
|
|
-==== Requesting an Access Token
|
|
|
+=== Requesting an Access Token
|
|
|
|
|
|
[NOTE]
|
|
|
Please refer to the https://tools.ietf.org/html/rfc6749#section-4.1.3[Access Token Request/Response] protocol flow for the Authorization Code grant.
|
|
|
@@ -879,7 +304,7 @@ The default implementation of `ReactiveOAuth2AccessTokenResponseClient` for the
|
|
|
The `WebClientReactiveAuthorizationCodeTokenResponseClient` is quite flexible as it allows you to customize the pre-processing of the Token Request and/or post-handling of the Token Response.
|
|
|
|
|
|
|
|
|
-==== Customizing the Access Token Request
|
|
|
+=== Customizing the Access Token Request
|
|
|
|
|
|
If you need to customize the pre-processing of the Token Request, you can provide `WebClientReactiveAuthorizationCodeTokenResponseClient.setParametersConverter()` with a custom `Converter<OAuth2AuthorizationCodeGrantRequest, MultiValueMap<String, String>>`.
|
|
|
The default implementation builds a `MultiValueMap<String, String>` containing only the `grant_type` parameter of a standard https://tools.ietf.org/html/rfc6749#section-4.1.3[OAuth 2.0 Access Token Request] which is used to construct the request. Other parameters required by the Authorization Code grant are added directly to the body of the request by the `WebClientReactiveAuthorizationCodeTokenResponseClient`.
|
|
|
@@ -891,12 +316,12 @@ If you prefer to only add additional parameters, you can instead provide `WebCli
|
|
|
IMPORTANT: The custom `Converter` must return valid parameters of an OAuth 2.0 Access Token Request that is understood by the intended OAuth 2.0 Provider.
|
|
|
|
|
|
|
|
|
-==== Customizing the Access Token Response
|
|
|
+=== Customizing the Access Token Response
|
|
|
|
|
|
On the other end, if you need to customize the post-handling of the Token Response, you will need to provide `WebClientReactiveAuthorizationCodeTokenResponseClient.setBodyExtractor()` with a custom configured `BodyExtractor<Mono<OAuth2AccessTokenResponse>, ReactiveHttpInputMessage>` that is used for converting the OAuth 2.0 Access Token Response to an `OAuth2AccessTokenResponse`.
|
|
|
The default implementation provided by `OAuth2BodyExtractors.oauth2AccessTokenResponse()` parses the response and handles errors accordingly.
|
|
|
|
|
|
-==== Customizing the `WebClient`
|
|
|
+=== Customizing the `WebClient`
|
|
|
|
|
|
Alternatively, if your requirements are more advanced, you can take full control of the request/response by simply providing `WebClientReactiveAuthorizationCodeTokenResponseClient.setWebClient()` with a custom configured `WebClient`.
|
|
|
|
|
|
@@ -959,13 +384,13 @@ class OAuth2ClientSecurityConfig {
|
|
|
|
|
|
|
|
|
[[oauth2Client-refresh-token-grant]]
|
|
|
-=== Refresh Token
|
|
|
+== Refresh Token
|
|
|
|
|
|
[NOTE]
|
|
|
Please refer to the OAuth 2.0 Authorization Framework for further details on the https://tools.ietf.org/html/rfc6749#section-1.5[Refresh Token].
|
|
|
|
|
|
|
|
|
-==== Refreshing an Access Token
|
|
|
+=== Refreshing an Access Token
|
|
|
|
|
|
[NOTE]
|
|
|
Please refer to the https://tools.ietf.org/html/rfc6749#section-6[Access Token Request/Response] protocol flow for the Refresh Token grant.
|
|
|
@@ -975,7 +400,7 @@ The default implementation of `ReactiveOAuth2AccessTokenResponseClient` for the
|
|
|
The `WebClientReactiveRefreshTokenTokenResponseClient` is quite flexible as it allows you to customize the pre-processing of the Token Request and/or post-handling of the Token Response.
|
|
|
|
|
|
|
|
|
-==== Customizing the Access Token Request
|
|
|
+=== Customizing the Access Token Request
|
|
|
|
|
|
If you need to customize the pre-processing of the Token Request, you can provide `WebClientReactiveRefreshTokenTokenResponseClient.setParametersConverter()` with a custom `Converter<OAuth2RefreshTokenGrantRequest, MultiValueMap<String, String>>`.
|
|
|
The default implementation builds a `MultiValueMap<String, String>` containing only the `grant_type` parameter of a standard https://tools.ietf.org/html/rfc6749#section-6[OAuth 2.0 Access Token Request] which is used to construct the request. Other parameters required by the Refresh Token grant are added directly to the body of the request by the `WebClientReactiveRefreshTokenTokenResponseClient`.
|
|
|
@@ -987,12 +412,12 @@ If you prefer to only add additional parameters, you can instead provide `WebCli
|
|
|
IMPORTANT: The custom `Converter` must return valid parameters of an OAuth 2.0 Access Token Request that is understood by the intended OAuth 2.0 Provider.
|
|
|
|
|
|
|
|
|
-==== Customizing the Access Token Response
|
|
|
+=== Customizing the Access Token Response
|
|
|
|
|
|
On the other end, if you need to customize the post-handling of the Token Response, you will need to provide `WebClientReactiveRefreshTokenTokenResponseClient.setBodyExtractor()` with a custom configured `BodyExtractor<Mono<OAuth2AccessTokenResponse>, ReactiveHttpInputMessage>` that is used for converting the OAuth 2.0 Access Token Response to an `OAuth2AccessTokenResponse`.
|
|
|
The default implementation provided by `OAuth2BodyExtractors.oauth2AccessTokenResponse()` parses the response and handles errors accordingly.
|
|
|
|
|
|
-==== Customizing the `WebClient`
|
|
|
+=== Customizing the `WebClient`
|
|
|
|
|
|
Alternatively, if your requirements are more advanced, you can take full control of the request/response by simply providing `WebClientReactiveRefreshTokenTokenResponseClient.setWebClient()` with a custom configured `WebClient`.
|
|
|
|
|
|
@@ -1043,13 +468,13 @@ If the `OAuth2AuthorizedClient.getRefreshToken()` is available and the `OAuth2Au
|
|
|
|
|
|
|
|
|
[[oauth2Client-client-creds-grant]]
|
|
|
-=== Client Credentials
|
|
|
+== Client Credentials
|
|
|
|
|
|
[NOTE]
|
|
|
Please refer to the OAuth 2.0 Authorization Framework for further details on the https://tools.ietf.org/html/rfc6749#section-1.3.4[Client Credentials] grant.
|
|
|
|
|
|
|
|
|
-==== Requesting an Access Token
|
|
|
+=== Requesting an Access Token
|
|
|
|
|
|
[NOTE]
|
|
|
Please refer to the https://tools.ietf.org/html/rfc6749#section-4.4.2[Access Token Request/Response] protocol flow for the Client Credentials grant.
|
|
|
@@ -1059,7 +484,7 @@ The default implementation of `ReactiveOAuth2AccessTokenResponseClient` for the
|
|
|
The `WebClientReactiveClientCredentialsTokenResponseClient` is quite flexible as it allows you to customize the pre-processing of the Token Request and/or post-handling of the Token Response.
|
|
|
|
|
|
|
|
|
-==== Customizing the Access Token Request
|
|
|
+=== Customizing the Access Token Request
|
|
|
|
|
|
If you need to customize the pre-processing of the Token Request, you can provide `WebClientReactiveClientCredentialsTokenResponseClient.setParametersConverter()` with a custom `Converter<OAuth2ClientCredentialsGrantRequest, MultiValueMap<String, String>>`.
|
|
|
The default implementation builds a `MultiValueMap<String, String>` containing only the `grant_type` parameter of a standard https://tools.ietf.org/html/rfc6749#section-4.4.2[OAuth 2.0 Access Token Request] which is used to construct the request. Other parameters required by the Client Credentials grant are added directly to the body of the request by the `WebClientReactiveClientCredentialsTokenResponseClient`.
|
|
|
@@ -1071,12 +496,12 @@ If you prefer to only add additional parameters, you can instead provide `WebCli
|
|
|
IMPORTANT: The custom `Converter` must return valid parameters of an OAuth 2.0 Access Token Request that is understood by the intended OAuth 2.0 Provider.
|
|
|
|
|
|
|
|
|
-==== Customizing the Access Token Response
|
|
|
+=== Customizing the Access Token Response
|
|
|
|
|
|
On the other end, if you need to customize the post-handling of the Token Response, you will need to provide `WebClientReactiveClientCredentialsTokenResponseClient.setBodyExtractor()` with a custom configured `BodyExtractor<Mono<OAuth2AccessTokenResponse>, ReactiveHttpInputMessage>` that is used for converting the OAuth 2.0 Access Token Response to an `OAuth2AccessTokenResponse`.
|
|
|
The default implementation provided by `OAuth2BodyExtractors.oauth2AccessTokenResponse()` parses the response and handles errors accordingly.
|
|
|
|
|
|
-==== Customizing the `WebClient`
|
|
|
+=== Customizing the `WebClient`
|
|
|
|
|
|
Alternatively, if your requirements are more advanced, you can take full control of the request/response by simply providing `WebClientReactiveClientCredentialsTokenResponseClient.setWebClient()` with a custom configured `WebClient`.
|
|
|
|
|
|
@@ -1119,7 +544,7 @@ authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
|
|
|
`ReactiveOAuth2AuthorizedClientProviderBuilder.builder().clientCredentials()` configures a `ClientCredentialsReactiveOAuth2AuthorizedClientProvider`,
|
|
|
which is an implementation of a `ReactiveOAuth2AuthorizedClientProvider` for the Client Credentials grant.
|
|
|
|
|
|
-==== Using the Access Token
|
|
|
+=== Using the Access Token
|
|
|
|
|
|
Given the following Spring Boot 2.x properties for an OAuth 2.0 Client registration:
|
|
|
|
|
|
@@ -1240,13 +665,13 @@ If not provided, it will be obtained from the https://projectreactor.io/docs/cor
|
|
|
|
|
|
|
|
|
[[oauth2Client-password-grant]]
|
|
|
-=== Resource Owner Password Credentials
|
|
|
+== Resource Owner Password Credentials
|
|
|
|
|
|
[NOTE]
|
|
|
Please refer to the OAuth 2.0 Authorization Framework for further details on the https://tools.ietf.org/html/rfc6749#section-1.3.3[Resource Owner Password Credentials] grant.
|
|
|
|
|
|
|
|
|
-==== Requesting an Access Token
|
|
|
+=== Requesting an Access Token
|
|
|
|
|
|
[NOTE]
|
|
|
Please refer to the https://tools.ietf.org/html/rfc6749#section-4.3.2[Access Token Request/Response] protocol flow for the Resource Owner Password Credentials grant.
|
|
|
@@ -1256,7 +681,7 @@ The default implementation of `ReactiveOAuth2AccessTokenResponseClient` for the
|
|
|
The `WebClientReactivePasswordTokenResponseClient` is quite flexible as it allows you to customize the pre-processing of the Token Request and/or post-handling of the Token Response.
|
|
|
|
|
|
|
|
|
-==== Customizing the Access Token Request
|
|
|
+=== Customizing the Access Token Request
|
|
|
|
|
|
If you need to customize the pre-processing of the Token Request, you can provide `WebClientReactivePasswordTokenResponseClient.setParametersConverter()` with a custom `Converter<OAuth2PasswordGrantRequest, MultiValueMap<String, String>>`.
|
|
|
The default implementation builds a `MultiValueMap<String, String>` containing only the `grant_type` parameter of a standard https://tools.ietf.org/html/rfc6749#section-4.4.2[OAuth 2.0 Access Token Request] which is used to construct the request. Other parameters required by the Resource Owner Password Credentials grant are added directly to the body of the request by the `WebClientReactivePasswordTokenResponseClient`.
|
|
|
@@ -1268,12 +693,12 @@ If you prefer to only add additional parameters, you can instead provide `WebCli
|
|
|
IMPORTANT: The custom `Converter` must return valid parameters of an OAuth 2.0 Access Token Request that is understood by the intended OAuth 2.0 Provider.
|
|
|
|
|
|
|
|
|
-==== Customizing the Access Token Response
|
|
|
+=== Customizing the Access Token Response
|
|
|
|
|
|
On the other end, if you need to customize the post-handling of the Token Response, you will need to provide `WebClientReactivePasswordTokenResponseClient.setBodyExtractor()` with a custom configured `BodyExtractor<Mono<OAuth2AccessTokenResponse>, ReactiveHttpInputMessage>` that is used for converting the OAuth 2.0 Access Token Response to an `OAuth2AccessTokenResponse`.
|
|
|
The default implementation provided by `OAuth2BodyExtractors.oauth2AccessTokenResponse()` parses the response and handles errors accordingly.
|
|
|
|
|
|
-==== Customizing the `WebClient`
|
|
|
+=== Customizing the `WebClient`
|
|
|
|
|
|
Alternatively, if your requirements are more advanced, you can take full control of the request/response by simply providing `WebClientReactivePasswordTokenResponseClient.setWebClient()` with a custom configured `WebClient`.
|
|
|
|
|
|
@@ -1317,7 +742,7 @@ authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
|
|
|
`ReactiveOAuth2AuthorizedClientProviderBuilder.builder().password()` configures a `PasswordReactiveOAuth2AuthorizedClientProvider`,
|
|
|
which is an implementation of a `ReactiveOAuth2AuthorizedClientProvider` for the Resource Owner Password Credentials grant.
|
|
|
|
|
|
-==== Using the Access Token
|
|
|
+=== Using the Access Token
|
|
|
|
|
|
Given the following Spring Boot 2.x properties for an OAuth 2.0 Client registration:
|
|
|
|
|
|
@@ -1483,13 +908,13 @@ If not provided, it will be obtained from the https://projectreactor.io/docs/cor
|
|
|
|
|
|
|
|
|
[[oauth2Client-jwt-bearer-grant]]
|
|
|
-=== JWT Bearer
|
|
|
+== JWT Bearer
|
|
|
|
|
|
[NOTE]
|
|
|
Please refer to JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants for further details on the https://datatracker.ietf.org/doc/html/rfc7523[JWT Bearer] grant.
|
|
|
|
|
|
|
|
|
-==== Requesting an Access Token
|
|
|
+=== Requesting an Access Token
|
|
|
|
|
|
[NOTE]
|
|
|
Please refer to the https://datatracker.ietf.org/doc/html/rfc7523#section-2.1[Access Token Request/Response] protocol flow for the JWT Bearer grant.
|
|
|
@@ -1499,7 +924,7 @@ The default implementation of `ReactiveOAuth2AccessTokenResponseClient` for the
|
|
|
The `WebClientReactiveJwtBearerTokenResponseClient` is quite flexible as it allows you to customize the pre-processing of the Token Request and/or post-handling of the Token Response.
|
|
|
|
|
|
|
|
|
-==== Customizing the Access Token Request
|
|
|
+=== Customizing the Access Token Request
|
|
|
|
|
|
If you need to customize the pre-processing of the Token Request, you can provide `WebClientReactiveJwtBearerTokenResponseClient.setParametersConverter()` with a custom `Converter<JwtBearerGrantRequest, MultiValueMap<String, String>>`.
|
|
|
The default implementation builds a `MultiValueMap<String, String>` containing only the `grant_type` parameter of a standard https://tools.ietf.org/html/rfc6749#section-4.4.2[OAuth 2.0 Access Token Request] which is used to construct the request. Other parameters required by the JWT Bearer grant are added directly to the body of the request by the `WebClientReactiveJwtBearerTokenResponseClient`.
|
|
|
@@ -1510,12 +935,12 @@ If you prefer to only add additional parameters, you can instead provide `WebCli
|
|
|
|
|
|
IMPORTANT: The custom `Converter` must return valid parameters of an OAuth 2.0 Access Token Request that is understood by the intended OAuth 2.0 Provider.
|
|
|
|
|
|
-==== Customizing the Access Token Response
|
|
|
+=== Customizing the Access Token Response
|
|
|
|
|
|
On the other end, if you need to customize the post-handling of the Token Response, you will need to provide `WebClientReactiveJwtBearerTokenResponseClient.setBodyExtractor()` with a custom configured `BodyExtractor<Mono<OAuth2AccessTokenResponse>, ReactiveHttpInputMessage>` that is used for converting the OAuth 2.0 Access Token Response to an `OAuth2AccessTokenResponse`.
|
|
|
The default implementation provided by `OAuth2BodyExtractors.oauth2AccessTokenResponse()` parses the response and handles errors accordingly.
|
|
|
|
|
|
-==== Customizing the `WebClient`
|
|
|
+=== Customizing the `WebClient`
|
|
|
|
|
|
Alternatively, if your requirements are more advanced, you can take full control of the request/response by simply providing `WebClientReactiveJwtBearerTokenResponseClient.setWebClient()` with a custom configured `WebClient`.
|
|
|
|
|
|
@@ -1560,7 +985,7 @@ authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
|
|
|
----
|
|
|
====
|
|
|
|
|
|
-==== Using the Access Token
|
|
|
+=== Using the Access Token
|
|
|
|
|
|
Given the following Spring Boot 2.x properties for an OAuth 2.0 Client registration:
|
|
|
|
|
|
@@ -1673,408 +1098,3 @@ class OAuth2ResourceServerController {
|
|
|
}
|
|
|
----
|
|
|
====
|
|
|
-
|
|
|
-
|
|
|
-[[oauth2Client-client-auth-support]]
|
|
|
-== Client Authentication Support
|
|
|
-
|
|
|
-
|
|
|
-[[oauth2Client-jwt-bearer-auth]]
|
|
|
-=== JWT Bearer
|
|
|
-
|
|
|
-[NOTE]
|
|
|
-Please refer to JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants for further details on https://datatracker.ietf.org/doc/html/rfc7523#section-2.2[JWT Bearer] Client Authentication.
|
|
|
-
|
|
|
-The default implementation for JWT Bearer Client Authentication is `NimbusJwtClientAuthenticationParametersConverter`,
|
|
|
-which is a `Converter` that customizes the Token Request parameters by adding
|
|
|
-a signed JSON Web Token (JWS) in the `client_assertion` parameter.
|
|
|
-
|
|
|
-The `java.security.PrivateKey` or `javax.crypto.SecretKey` used for signing the JWS
|
|
|
-is supplied by the `com.nimbusds.jose.jwk.JWK` resolver associated with `NimbusJwtClientAuthenticationParametersConverter`.
|
|
|
-
|
|
|
-
|
|
|
-==== Authenticate using `private_key_jwt`
|
|
|
-
|
|
|
-Given the following Spring Boot 2.x properties for an OAuth 2.0 Client registration:
|
|
|
-
|
|
|
-[source,yaml]
|
|
|
-----
|
|
|
-spring:
|
|
|
- security:
|
|
|
- oauth2:
|
|
|
- client:
|
|
|
- registration:
|
|
|
- okta:
|
|
|
- client-id: okta-client-id
|
|
|
- client-authentication-method: private_key_jwt
|
|
|
- authorization-grant-type: authorization_code
|
|
|
- ...
|
|
|
-----
|
|
|
-
|
|
|
-The following example shows how to configure `WebClientReactiveAuthorizationCodeTokenResponseClient`:
|
|
|
-
|
|
|
-====
|
|
|
-.Java
|
|
|
-[source,java,role="primary"]
|
|
|
-----
|
|
|
-Function<ClientRegistration, JWK> jwkResolver = (clientRegistration) -> {
|
|
|
- if (clientRegistration.getClientAuthenticationMethod().equals(ClientAuthenticationMethod.PRIVATE_KEY_JWT)) {
|
|
|
- // Assuming RSA key type
|
|
|
- RSAPublicKey publicKey = ...
|
|
|
- RSAPrivateKey privateKey = ...
|
|
|
- return new RSAKey.Builder(publicKey)
|
|
|
- .privateKey(privateKey)
|
|
|
- .keyID(UUID.randomUUID().toString())
|
|
|
- .build();
|
|
|
- }
|
|
|
- return null;
|
|
|
-};
|
|
|
-
|
|
|
-WebClientReactiveAuthorizationCodeTokenResponseClient tokenResponseClient =
|
|
|
- new WebClientReactiveAuthorizationCodeTokenResponseClient();
|
|
|
-tokenResponseClient.addParametersConverter(
|
|
|
- new NimbusJwtClientAuthenticationParametersConverter<>(jwkResolver));
|
|
|
-----
|
|
|
-
|
|
|
-.Kotlin
|
|
|
-[source,kotlin,role="secondary"]
|
|
|
-----
|
|
|
-val jwkResolver: Function<ClientRegistration, JWK> =
|
|
|
- Function<ClientRegistration, JWK> { clientRegistration ->
|
|
|
- if (clientRegistration.clientAuthenticationMethod.equals(ClientAuthenticationMethod.PRIVATE_KEY_JWT)) {
|
|
|
- // Assuming RSA key type
|
|
|
- var publicKey: RSAPublicKey = ...
|
|
|
- var privateKey: RSAPrivateKey = ...
|
|
|
- RSAKey.Builder(publicKey)
|
|
|
- .privateKey(privateKey)
|
|
|
- .keyID(UUID.randomUUID().toString())
|
|
|
- .build()
|
|
|
- }
|
|
|
- null
|
|
|
- }
|
|
|
-
|
|
|
-val tokenResponseClient = WebClientReactiveAuthorizationCodeTokenResponseClient()
|
|
|
-tokenResponseClient.addParametersConverter(
|
|
|
- NimbusJwtClientAuthenticationParametersConverter(jwkResolver)
|
|
|
-)
|
|
|
-----
|
|
|
-====
|
|
|
-
|
|
|
-
|
|
|
-==== Authenticate using `client_secret_jwt`
|
|
|
-
|
|
|
-Given the following Spring Boot 2.x properties for an OAuth 2.0 Client registration:
|
|
|
-
|
|
|
-[source,yaml]
|
|
|
-----
|
|
|
-spring:
|
|
|
- security:
|
|
|
- oauth2:
|
|
|
- client:
|
|
|
- registration:
|
|
|
- okta:
|
|
|
- client-id: okta-client-id
|
|
|
- client-secret: okta-client-secret
|
|
|
- client-authentication-method: client_secret_jwt
|
|
|
- authorization-grant-type: client_credentials
|
|
|
- ...
|
|
|
-----
|
|
|
-
|
|
|
-The following example shows how to configure `WebClientReactiveClientCredentialsTokenResponseClient`:
|
|
|
-
|
|
|
-====
|
|
|
-.Java
|
|
|
-[source,java,role="primary"]
|
|
|
-----
|
|
|
-Function<ClientRegistration, JWK> jwkResolver = (clientRegistration) -> {
|
|
|
- if (clientRegistration.getClientAuthenticationMethod().equals(ClientAuthenticationMethod.CLIENT_SECRET_JWT)) {
|
|
|
- SecretKeySpec secretKey = new SecretKeySpec(
|
|
|
- clientRegistration.getClientSecret().getBytes(StandardCharsets.UTF_8),
|
|
|
- "HmacSHA256");
|
|
|
- return new OctetSequenceKey.Builder(secretKey)
|
|
|
- .keyID(UUID.randomUUID().toString())
|
|
|
- .build();
|
|
|
- }
|
|
|
- return null;
|
|
|
-};
|
|
|
-
|
|
|
-WebClientReactiveClientCredentialsTokenResponseClient tokenResponseClient =
|
|
|
- new WebClientReactiveClientCredentialsTokenResponseClient();
|
|
|
-tokenResponseClient.addParametersConverter(
|
|
|
- new NimbusJwtClientAuthenticationParametersConverter<>(jwkResolver));
|
|
|
-----
|
|
|
-
|
|
|
-.Kotlin
|
|
|
-[source,kotlin,role="secondary"]
|
|
|
-----
|
|
|
-val jwkResolver = Function<ClientRegistration, JWK?> { clientRegistration: ClientRegistration ->
|
|
|
- if (clientRegistration.clientAuthenticationMethod == ClientAuthenticationMethod.CLIENT_SECRET_JWT) {
|
|
|
- val secretKey = SecretKeySpec(
|
|
|
- clientRegistration.clientSecret.toByteArray(StandardCharsets.UTF_8),
|
|
|
- "HmacSHA256"
|
|
|
- )
|
|
|
- OctetSequenceKey.Builder(secretKey)
|
|
|
- .keyID(UUID.randomUUID().toString())
|
|
|
- .build()
|
|
|
- }
|
|
|
- null
|
|
|
-}
|
|
|
-
|
|
|
-val tokenResponseClient = WebClientReactiveClientCredentialsTokenResponseClient()
|
|
|
-tokenResponseClient.addParametersConverter(
|
|
|
- NimbusJwtClientAuthenticationParametersConverter(jwkResolver)
|
|
|
-)
|
|
|
-----
|
|
|
-====
|
|
|
-
|
|
|
-
|
|
|
-[[oauth2Client-additional-features]]
|
|
|
-== Additional Features
|
|
|
-
|
|
|
-
|
|
|
-[[oauth2Client-registered-authorized-client]]
|
|
|
-=== Resolving an Authorized Client
|
|
|
-
|
|
|
-The `@RegisteredOAuth2AuthorizedClient` annotation provides the capability of resolving a method parameter to an argument value of type `OAuth2AuthorizedClient`.
|
|
|
-This is a convenient alternative compared to accessing the `OAuth2AuthorizedClient` using the `ReactiveOAuth2AuthorizedClientManager` or `ReactiveOAuth2AuthorizedClientService`.
|
|
|
-
|
|
|
-====
|
|
|
-.Java
|
|
|
-[source,java,role="primary"]
|
|
|
-----
|
|
|
-@Controller
|
|
|
-public class OAuth2ClientController {
|
|
|
-
|
|
|
- @GetMapping("/")
|
|
|
- public Mono<String> index(@RegisteredOAuth2AuthorizedClient("okta") OAuth2AuthorizedClient authorizedClient) {
|
|
|
- return Mono.just(authorizedClient.getAccessToken())
|
|
|
- ...
|
|
|
- .thenReturn("index");
|
|
|
- }
|
|
|
-}
|
|
|
-----
|
|
|
-
|
|
|
-.Kotlin
|
|
|
-[source,kotlin,role="secondary"]
|
|
|
-----
|
|
|
-@Controller
|
|
|
-class OAuth2ClientController {
|
|
|
- @GetMapping("/")
|
|
|
- fun index(@RegisteredOAuth2AuthorizedClient("okta") authorizedClient: OAuth2AuthorizedClient): Mono<String> {
|
|
|
- return Mono.just(authorizedClient.accessToken)
|
|
|
- ...
|
|
|
- .thenReturn("index")
|
|
|
- }
|
|
|
-}
|
|
|
-----
|
|
|
-====
|
|
|
-
|
|
|
-The `@RegisteredOAuth2AuthorizedClient` annotation is handled by `OAuth2AuthorizedClientArgumentResolver`, which directly uses a <<oauth2Client-authorized-manager-provider, ReactiveOAuth2AuthorizedClientManager>> and therefore inherits it's capabilities.
|
|
|
-
|
|
|
-
|
|
|
-[[oauth2Client-webclient-webflux]]
|
|
|
-== WebClient integration for Reactive Environments
|
|
|
-
|
|
|
-The OAuth 2.0 Client support integrates with `WebClient` using an `ExchangeFilterFunction`.
|
|
|
-
|
|
|
-The `ServerOAuth2AuthorizedClientExchangeFilterFunction` provides a simple mechanism for requesting protected resources by using an `OAuth2AuthorizedClient` and including the associated `OAuth2AccessToken` as a Bearer Token.
|
|
|
-It directly uses an <<oauth2Client-authorized-manager-provider, ReactiveOAuth2AuthorizedClientManager>> and therefore inherits the following capabilities:
|
|
|
-
|
|
|
-* An `OAuth2AccessToken` will be requested if the client has not yet been authorized.
|
|
|
-** `authorization_code` - triggers the Authorization Request redirect to initiate the flow
|
|
|
-** `client_credentials` - the access token is obtained directly from the Token Endpoint
|
|
|
-** `password` - the access token is obtained directly from the Token Endpoint
|
|
|
-* If the `OAuth2AccessToken` is expired, it will be refreshed (or renewed) if a `ReactiveOAuth2AuthorizedClientProvider` is available to perform the authorization
|
|
|
-
|
|
|
-The following code shows an example of how to configure `WebClient` with OAuth 2.0 Client support:
|
|
|
-
|
|
|
-====
|
|
|
-.Java
|
|
|
-[source,java,role="primary"]
|
|
|
-----
|
|
|
-@Bean
|
|
|
-WebClient webClient(ReactiveOAuth2AuthorizedClientManager authorizedClientManager) {
|
|
|
- ServerOAuth2AuthorizedClientExchangeFilterFunction oauth2Client =
|
|
|
- new ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager);
|
|
|
- return WebClient.builder()
|
|
|
- .filter(oauth2Client)
|
|
|
- .build();
|
|
|
-}
|
|
|
-----
|
|
|
-
|
|
|
-.Kotlin
|
|
|
-[source,kotlin,role="secondary"]
|
|
|
-----
|
|
|
-@Bean
|
|
|
-fun webClient(authorizedClientManager: ReactiveOAuth2AuthorizedClientManager): WebClient {
|
|
|
- val oauth2Client = ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager)
|
|
|
- return WebClient.builder()
|
|
|
- .filter(oauth2Client)
|
|
|
- .build()
|
|
|
-}
|
|
|
-----
|
|
|
-====
|
|
|
-
|
|
|
-=== Providing the Authorized Client
|
|
|
-
|
|
|
-The `ServerOAuth2AuthorizedClientExchangeFilterFunction` determines the client to use (for a request) by resolving the `OAuth2AuthorizedClient` from the `ClientRequest.attributes()` (request attributes).
|
|
|
-
|
|
|
-The following code shows how to set an `OAuth2AuthorizedClient` as a request attribute:
|
|
|
-
|
|
|
-====
|
|
|
-.Java
|
|
|
-[source,java,role="primary"]
|
|
|
-----
|
|
|
-@GetMapping("/")
|
|
|
-public Mono<String> index(@RegisteredOAuth2AuthorizedClient("okta") OAuth2AuthorizedClient authorizedClient) {
|
|
|
- String resourceUri = ...
|
|
|
-
|
|
|
- return webClient
|
|
|
- .get()
|
|
|
- .uri(resourceUri)
|
|
|
- .attributes(oauth2AuthorizedClient(authorizedClient)) <1>
|
|
|
- .retrieve()
|
|
|
- .bodyToMono(String.class)
|
|
|
- ...
|
|
|
- .thenReturn("index");
|
|
|
-}
|
|
|
-----
|
|
|
-
|
|
|
-.Kotlin
|
|
|
-[source,kotlin,role="secondary"]
|
|
|
-----
|
|
|
-@GetMapping("/")
|
|
|
-fun index(@RegisteredOAuth2AuthorizedClient("okta") authorizedClient: OAuth2AuthorizedClient): Mono<String> {
|
|
|
- val resourceUri: String = ...
|
|
|
-
|
|
|
- return webClient
|
|
|
- .get()
|
|
|
- .uri(resourceUri)
|
|
|
- .attributes(oauth2AuthorizedClient(authorizedClient)) <1>
|
|
|
- .retrieve()
|
|
|
- .bodyToMono<String>()
|
|
|
- ...
|
|
|
- .thenReturn("index")
|
|
|
-}
|
|
|
-----
|
|
|
-====
|
|
|
-
|
|
|
-<1> `oauth2AuthorizedClient()` is a `static` method in `ServerOAuth2AuthorizedClientExchangeFilterFunction`.
|
|
|
-
|
|
|
-The following code shows how to set the `ClientRegistration.getRegistrationId()` as a request attribute:
|
|
|
-
|
|
|
-====
|
|
|
-.Java
|
|
|
-[source,java,role="primary"]
|
|
|
-----
|
|
|
-@GetMapping("/")
|
|
|
-public Mono<String> index() {
|
|
|
- String resourceUri = ...
|
|
|
-
|
|
|
- return webClient
|
|
|
- .get()
|
|
|
- .uri(resourceUri)
|
|
|
- .attributes(clientRegistrationId("okta")) <1>
|
|
|
- .retrieve()
|
|
|
- .bodyToMono(String.class)
|
|
|
- ...
|
|
|
- .thenReturn("index");
|
|
|
-}
|
|
|
-----
|
|
|
-
|
|
|
-.Kotlin
|
|
|
-[source,kotlin,role="secondary"]
|
|
|
-----
|
|
|
-@GetMapping("/")
|
|
|
-fun index(): Mono<String> {
|
|
|
- val resourceUri: String = ...
|
|
|
-
|
|
|
- return webClient
|
|
|
- .get()
|
|
|
- .uri(resourceUri)
|
|
|
- .attributes(clientRegistrationId("okta")) <1>
|
|
|
- .retrieve()
|
|
|
- .bodyToMono<String>()
|
|
|
- ...
|
|
|
- .thenReturn("index")
|
|
|
-}
|
|
|
-----
|
|
|
-====
|
|
|
-<1> `clientRegistrationId()` is a `static` method in `ServerOAuth2AuthorizedClientExchangeFilterFunction`.
|
|
|
-
|
|
|
-
|
|
|
-=== Defaulting the Authorized Client
|
|
|
-
|
|
|
-If neither `OAuth2AuthorizedClient` or `ClientRegistration.getRegistrationId()` is provided as a request attribute, the `ServerOAuth2AuthorizedClientExchangeFilterFunction` can determine the _default_ client to use depending on it's configuration.
|
|
|
-
|
|
|
-If `setDefaultOAuth2AuthorizedClient(true)` is configured and the user has authenticated using `ServerHttpSecurity.oauth2Login()`, the `OAuth2AccessToken` associated with the current `OAuth2AuthenticationToken` is used.
|
|
|
-
|
|
|
-The following code shows the specific configuration:
|
|
|
-
|
|
|
-====
|
|
|
-.Java
|
|
|
-[source,java,role="primary"]
|
|
|
-----
|
|
|
-@Bean
|
|
|
-WebClient webClient(ReactiveOAuth2AuthorizedClientManager authorizedClientManager) {
|
|
|
- ServerOAuth2AuthorizedClientExchangeFilterFunction oauth2Client =
|
|
|
- new ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager);
|
|
|
- oauth2Client.setDefaultOAuth2AuthorizedClient(true);
|
|
|
- return WebClient.builder()
|
|
|
- .filter(oauth2Client)
|
|
|
- .build();
|
|
|
-}
|
|
|
-----
|
|
|
-
|
|
|
-.Kotlin
|
|
|
-[source,kotlin,role="secondary"]
|
|
|
-----
|
|
|
-@Bean
|
|
|
-fun webClient(authorizedClientManager: ReactiveOAuth2AuthorizedClientManager): WebClient {
|
|
|
- val oauth2Client = ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager)
|
|
|
- oauth2Client.setDefaultOAuth2AuthorizedClient(true)
|
|
|
- return WebClient.builder()
|
|
|
- .filter(oauth2Client)
|
|
|
- .build()
|
|
|
-}
|
|
|
-----
|
|
|
-====
|
|
|
-
|
|
|
-[WARNING]
|
|
|
-It is recommended to be cautious with this feature since all HTTP requests will receive the access token.
|
|
|
-
|
|
|
-Alternatively, if `setDefaultClientRegistrationId("okta")` is configured with a valid `ClientRegistration`, the `OAuth2AccessToken` associated with the `OAuth2AuthorizedClient` is used.
|
|
|
-
|
|
|
-The following code shows the specific configuration:
|
|
|
-
|
|
|
-====
|
|
|
-.Java
|
|
|
-[source,java,role="primary"]
|
|
|
-----
|
|
|
-@Bean
|
|
|
-WebClient webClient(ReactiveOAuth2AuthorizedClientManager authorizedClientManager) {
|
|
|
- ServerOAuth2AuthorizedClientExchangeFilterFunction oauth2Client =
|
|
|
- new ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager);
|
|
|
- oauth2Client.setDefaultClientRegistrationId("okta");
|
|
|
- return WebClient.builder()
|
|
|
- .filter(oauth2Client)
|
|
|
- .build();
|
|
|
-}
|
|
|
-----
|
|
|
-
|
|
|
-.Kotlin
|
|
|
-[source,kotlin,role="secondary"]
|
|
|
-----
|
|
|
-@Bean
|
|
|
-fun webClient(authorizedClientManager: ReactiveOAuth2AuthorizedClientManager): WebClient {
|
|
|
- val oauth2Client = ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager)
|
|
|
- oauth2Client.setDefaultClientRegistrationId("okta")
|
|
|
- return WebClient.builder()
|
|
|
- .filter(oauth2Client)
|
|
|
- .build()
|
|
|
-}
|
|
|
-----
|
|
|
-====
|
|
|
-
|
|
|
-[WARNING]
|
|
|
-It is recommended to be cautious with this feature since all HTTP requests will receive the access token.
|
Josh Cummings