Home Explore Help
Register Sign In
github
/
spring-security
mirror of https://github.com/spring-projects/spring-security
2
0
Fork 0
Files Issues 0 Wiki
Tree: 1f90df6a14
Branches Tags
spring-security
/
docs
/
modules
/
ROOT
/
pages
/
reactive
/
registered-oauth2-authorized-client.adoc

registered-oauth2-authorized-client.adoc 2.0 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263 
  1. [[webflux-roac]]
    2. 

  2. = @RegisteredOAuth2AuthorizedClient
    3. 

  3. 

  4. Spring Security allows resolving an access token using `@RegisteredOAuth2AuthorizedClient`.
    5. 

  5. 

  6. [NOTE]
    7. 

  7. ====
    8. 

  8. A working example can be found in {gh-samples-url}/reactive/webflux/java/oauth2/webclient[*OAuth 2.0 WebClient WebFlux sample*].
    9. 

  9. ====
    10. 

  10. 

  11. After configuring Spring Security for xref:reactive/oauth2/login.adoc#webflux-oauth2-login[OAuth2 Login] or as an xref:reactive/oauth2/access-token.adoc#webflux-oauth2-client[OAuth2 Client], an `OAuth2AuthorizedClient` can be resolved using the following:
    12. 

  12. 

  13. ====
    14. 

  14. .Java
    15. 

  15. [source,java,role="primary"]
    16. 

  16. ----
    17. 

  17. @GetMapping("/explicit")
    18. 

  18. Mono<String> explicit(@RegisteredOAuth2AuthorizedClient("client-id") OAuth2AuthorizedClient authorizedClient) {
    19. 

  19. 	// ...
    20. 

  20. }
    21. 

  21. ----
    22. 

  22. 

  23. .Kotlin
    24. 

  24. [source,kotlin,role="secondary"]
    25. 

  25. ----
    26. 

  26. @GetMapping("/explicit")
    27. 

  27. fun explicit(@RegisteredOAuth2AuthorizedClient("client-id") authorizedClient: OAuth2AuthorizedClient?): Mono<String> {
    28. 

  28.     // ...
    29. 

  29. }
    30. 

  30. ----
    31. 

  31. ====
    32. 

  32. 

  33. This integrates into Spring Security to provide the following features:
    34. 

  34. 

  35. * Spring Security will automatically refresh expired tokens (if a refresh token is present)
    36. 

  36. * If an access token is requested and not present, Spring Security will automatically request the access token.
    37. 

  37. ** For `authorization_code` this involves performing the redirect and then replaying the original request
    38. 

  38. ** For `client_credentials` the token is simply requested and saved
    39. 

  39. 

  40. If the user authenticated using `oauth2Login()`, then the `client-id` is optional.
    41. 

  41. For example, the following would work:
    42. 

  42. 

  43. ====
    44. 

  44. .Java
    45. 

  45. [source,java,role="primary"]
    46. 

  46. ----
    47. 

  47. @GetMapping("/implicit")
    48. 

  48. Mono<String> implicit(@RegisteredOAuth2AuthorizedClient OAuth2AuthorizedClient authorizedClient) {
    49. 

  49. 	// ...
    50. 

  50. }
    51. 

  51. ----
    52. 

  52. 

  53. .Kotlin
    54. 

  54. [source,kotlin,role="secondary"]
    55. 

  55. ----
    56. 

  56. @GetMapping("/implicit")
    57. 

  57. fun implicit(@RegisteredOAuth2AuthorizedClient authorizedClient: OAuth2AuthorizedClient?): Mono<String> {
    58. 

  58.     // ...
    59. 

  59. }
    60. 

  60. ----
    61. 

  61. ====
    62. 

  62. 

  63. This is convenient if the user always authenticates with OAuth2 Login and an access token from the same authorization server is needed.
    64.