Home Explore Help
Register Sign In
github
/
spring-security
mirror of https://github.com/spring-projects/spring-security
2
0
Fork 0
Files Issues 0 Wiki
Tree: 56e757a2a1
Branches Tags
spring-security
/
docs
/
modules
/
ROOT
/
partials
/
reactive
/
oauth2
/
client
/
web-client-access-token-response-client.adoc

web-client-access-token-response-client.adoc 11 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334 
  1. To customize `{class-name}`, simply provide a bean as in the following example and it will be picked up by the default `ReactiveOAuth2AuthorizedClientManager` automatically:
    2. 

  2. 

  3. [#oauth2-client-{section-id}-access-token-response-client-bean]
    4. 

  4. .Access Token Response Configuration
    5. 

  5. [tabs]
    6. 

  6. ======
    7. 

  7. Java::
    8. 

  8. +
    9. 

  9. [source,java,role="primary",subs="+attributes"]
    10. 

  10. ----
    11. 

  11. @Bean
    12. 

  12. public ReactiveOAuth2AccessTokenResponseClient<{grant-request}> accessTokenResponseClient() {
    13. 

  13. 	{class-name} accessTokenResponseClient =
    14. 

  14. 		new {class-name}();
    15. 

  15. 	// ...
    16. 

  16. 	return accessTokenResponseClient;
    17. 

  17. }
    18. 

  18. ----
    19. 

  19. 

  20. Kotlin::
    21. 

  21. +
    22. 

  22. [source,kotlin,role="secondary",subs="+attributes"]
    23. 

  23. ----
    24. 

  24. @Bean
    25. 

  25. fun accessTokenResponseClient(): ReactiveOAuth2AccessTokenResponseClient<{grant-type}> {
    26. 

  26. 	val accessTokenResponseClient = {class-name}()
    27. 

  27. 	// ...
    28. 

  28. 	return accessTokenResponseClient
    29. 

  29. }
    30. 

  30. ----
    31. 

  31. ======
    32. 

  32. 

  33. `{class-name}` is very flexible and provides several options for customizing the OAuth 2.0 Access Token request and response for the {grant-type} grant.
    34. 

  34. Choose from the following use cases to learn more:
    35. 

  35. 

  36. * I want to <<oauth2-client-{section-id}-access-token-request-headers,customize headers of the Access Token request>>
    37. 

  37. * I want to <<oauth2-client-{section-id}-access-token-request-parameters,customize parameters of the Access Token request>>
    38. 

  38. * I want to <<oauth2-client-{section-id}-access-token-response-parameters,customize parameters of the Access Token response>>
    39. 

  39. * I want to <<oauth2-client-{section-id}-access-token-response-web-client,customize the instance of `WebClient` that is used>>
    40. 

  40. 

  41. [#oauth2-client-{section-id}-access-token-request]
    42. 

  42. == Customizing the Access Token Request
    43. 

  43. 

  44. `{class-name}` provides hooks for customizing HTTP headers and request parameters of the Token Request.
    45. 

  45. 

  46. [#oauth2-client-{section-id}-access-token-request-headers]
    47. 

  47. === Customizing Request Headers
    48. 

  48. 

  49. There are two options for customizing HTTP headers:
    50. 

  50. 

  51. * Add additional headers by calling `addHeadersConverter()`
    52. 

  52. * Fully customize headers by calling `setHeadersConverter()`
    53. 

  53. 

  54. You can include additional headers without affecting the default headers added to every request using `addHeadersConverter()`.
    55. 

  55. The following example adds a `User-Agent` header to the request when the `registrationId` is `spring`:
    56. 

  56. 

  57. .Include Additional HTTP Headers
    58. 

  58. [tabs]
    59. 

  59. ======
    60. 

  60. Java::
    61. 

  61. +
    62. 

  62. [source,java,role="primary",subs="+attributes"]
    63. 

  63. ----
    64. 

  64. {class-name} accessTokenResponseClient =
    65. 

  65. 	new {class-name}();
    66. 

  66. accessTokenResponseClient.addHeadersConverter(grantRequest -> {
    67. 

  67. 	ClientRegistration clientRegistration = grantRequest.getClientRegistration();
    68. 

  68. 	HttpHeaders headers = new HttpHeaders();
    69. 

  69. 	if (clientRegistration.getRegistrationId().equals("spring")) {
    70. 

  70. 		headers.set(HttpHeaders.USER_AGENT, "my-user-agent");
    71. 

  71. 	}
    72. 

  72. 	return headers;
    73. 

  73. });
    74. 

  74. ----
    75. 

  75. 

  76. Kotlin::
    77. 

  77. +
    78. 

  78. [source,kotlin,role="secondary",subs="+attributes"]
    79. 

  79. ----
    80. 

  80. val accessTokenResponseClient = {class-name}()
    81. 

  81. accessTokenResponseClient.addHeadersConverter { grantRequest ->
    82. 

  82. 	val clientRegistration = grantRequest.getClientRegistration()
    83. 

  83. 	val headers = HttpHeaders()
    84. 

  84. 	if (clientRegistration.getRegistrationId() == "spring") {
    85. 

  85.         headers[HttpHeaders.USER_AGENT] = "my-user-agent"
    86. 

  86. 	}
    87. 

  87. 	headers
    88. 

  88. }
    89. 

  89. ----
    90. 

  90. ======
    91. 

  91. 

  92. You can fully customize headers by re-using `DefaultOAuth2TokenRequestHeadersConverter` or providing a custom implementation using `setHeadersConverter()`.
    93. 

  93. The following example re-uses `DefaultOAuth2TokenRequestHeadersConverter` and disables `encodeClientCredentials` so that HTTP Basic credentials are no longer encoded with `application/x-www-form-urlencoded`:
    94. 

  94. 

  95. .Customize HTTP Headers
    96. 

  96. [tabs]
    97. 

  97. ======
    98. 

  98. Java::
    99. 

  99. +
    100. 

  100. [source,java,role="primary",subs="+attributes"]
    101. 

  101. ----
    102. 

  102. DefaultOAuth2TokenRequestHeadersConverter headersConverter =
    103. 

  103. 	new DefaultOAuth2TokenRequestHeadersConverter();
    104. 

  104. headersConverter.setEncodeClientCredentials(false);
    105. 

  105. 

  106. {class-name} accessTokenResponseClient =
    107. 

  107. 	new {class-name}();
    108. 

  108. accessTokenResponseClient.setHeadersConverter(headersConverter);
    109. 

  109. ----
    110. 

  110. 

  111. Kotlin::
    112. 

  112. +
    113. 

  113. [source,kotlin,role="secondary",subs="+attributes"]
    114. 

  114. ----
    115. 

  115. val headersConverter = DefaultOAuth2TokenRequestHeadersConverter()
    116. 

  116. headersConverter.setEncodeClientCredentials(false)
    117. 

  117. 

  118. val accessTokenResponseClient = {class-name}()
    119. 

  119. accessTokenResponseClient.setHeadersConverter(headersConverter)
    120. 

  120. ----
    121. 

  121. ======
    122. 

  122. 

  123. [#oauth2-client-{section-id}-access-token-request-parameters]
    124. 

  124. === Customizing Request Parameters
    125. 

  125. 

  126. There are three options for customizing request parameters:
    127. 

  127. 

  128. * Add additional parameters by calling `addParametersConverter()`
    129. 

  129. * Override parameters by calling `setParametersConverter()`
    130. 

  130. * Fully customize parameters by calling `setParametersCustomizer()`
    131. 

  131. 

  132. [NOTE]
    133. 

  133. ====
    134. 

  134. Using `setParametersConverter()` does not fully customize parameters because it would require the user to provide all default parameters themselves.
    135. 

  135. Default parameters are always provided, but can be fully customized or omitted by calling `setParametersCustomizer()`.
    136. 

  136. ====
    137. 

  137. 

  138. You can include additional parameters without affecting the default parameters added to every request using `addParametersConverter()`.
    139. 

  139. The following example adds an `audience` parameter to the request when the `registrationId` is `keycloak`:
    140. 

  140. 

  141. .Include Additional Request Parameters
    142. 

  142. [tabs]
    143. 

  143. ======
    144. 

  144. Java::
    145. 

  145. +
    146. 

  146. [source,java,role="primary",subs="+attributes"]
    147. 

  147. ----
    148. 

  148. {class-name} accessTokenResponseClient =
    149. 

  149. 	new {class-name}();
    150. 

  150. accessTokenResponseClient.addParametersConverter(grantRequest -> {
    151. 

  151. 	ClientRegistration clientRegistration = grantRequest.getClientRegistration();
    152. 

  152. 	MultiValueMap<String, String> parameters = new LinkedMultiValueMap<String, String>();
    153. 

  153. 	if (clientRegistration.getRegistrationId().equals("keycloak")) {
    154. 

  154. 		parameters.set(OAuth2ParameterNames.AUDIENCE, "my-audience");
    155. 

  155. 	}
    156. 

  156. 	return parameters;
    157. 

  157. });
    158. 

  158. ----
    159. 

  159. 

  160. Kotlin::
    161. 

  161. +
    162. 

  162. [source,kotlin,role="secondary",subs="+attributes"]
    163. 

  163. ----
    164. 

  164. val accessTokenResponseClient = {class-name}()
    165. 

  165. accessTokenResponseClient.addParametersConverter { grantRequest ->
    166. 

  166. 	val clientRegistration = grantRequest.getClientRegistration()
    167. 

  167. 	val parameters = LinkedMultiValueMap<String, String>()
    168. 

  168. 	if (clientRegistration.getRegistrationId() == "keycloak") {
    169. 

  169.         parameters[OAuth2ParameterNames.AUDIENCE] = "my-audience"
    170. 

  170. 	}
    171. 

  171. 	parameters
    172. 

  172. }
    173. 

  173. ----
    174. 

  174. ======
    175. 

  175. 

  176. You can override default parameters using `setParametersConverter()`.
    177. 

  177. The following example overrides the `client_id` parameter when the `registrationId` is `okta`:
    178. 

  178. 

  179. .Override Request Parameters
    180. 

  180. [tabs]
    181. 

  181. ======
    182. 

  182. Java::
    183. 

  183. +
    184. 

  184. [source,java,role="primary",subs="+attributes"]
    185. 

  185. ----
    186. 

  186. {class-name} accessTokenResponseClient =
    187. 

  187. 	new {class-name}();
    188. 

  188. accessTokenResponseClient.setParametersConverter(grantRequest -> {
    189. 

  189. 	ClientRegistration clientRegistration = grantRequest.getClientRegistration();
    190. 

  190. 	LinkedMultiValueMap<String, String> parameters = new LinkedMultiValueMap<>();
    191. 

  191. 	if (clientRegistration.getRegistrationId().equals("okta")) {
    192. 

  192. 		parameters.set(OAuth2ParameterNames.CLIENT_ID, "my-client");
    193. 

  193. 	}
    194. 

  194. 	return parameters;
    195. 

  195. });
    196. 

  196. ----
    197. 

  197. 

  198. Kotlin::
    199. 

  199. +
    200. 

  200. [source,kotlin,role="secondary",subs="+attributes"]
    201. 

  201. ----
    202. 

  202. val accessTokenResponseClient = {class-name}()
    203. 

  203. accessTokenResponseClient.setParametersConverter { grantRequest ->
    204. 

  204.     val clientRegistration = grantRequest.getClientRegistration()
    205. 

  205. 	val parameters = LinkedMultiValueMap<String, String>()
    206. 

  206. 	if (clientRegistration.getRegistrationId() == "okta") {
    207. 

  207.         parameters[OAuth2ParameterNames.CLIENT_ID] = "my-client"
    208. 

  208. 	}
    209. 

  209. 	parameters
    210. 

  210. }
    211. 

  211. ----
    212. 

  212. ======
    213. 

  213. 

  214. You can fully customize parameters (including omitting default parameters) using `setParametersCustomizer()`.
    215. 

  215. The following example omits the `client_id` parameter when the `client_assertion` parameter is present in the request:
    216. 

  216. 

  217. .Omit Request Parameters
    218. 

  218. [tabs]
    219. 

  219. ======
    220. 

  220. Java::
    221. 

  221. +
    222. 

  222. [source,java,role="primary",subs="+attributes"]
    223. 

  223. ----
    224. 

  224. {class-name} accessTokenResponseClient =
    225. 

  225. 	new {class-name}();
    226. 

  226. accessTokenResponseClient.setParametersCustomizer(parameters -> {
    227. 

  227. 	if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
    228. 

  228. 		parameters.remove(OAuth2ParameterNames.CLIENT_ID);
    229. 

  229. 	}
    230. 

  230. });
    231. 

  231. ----
    232. 

  232. 

  233. Kotlin::
    234. 

  234. +
    235. 

  235. [source,kotlin,role="secondary",subs="+attributes"]
    236. 

  236. ----
    237. 

  237. val accessTokenResponseClient = {class-name}()
    238. 

  238. accessTokenResponseClient.setParametersCustomizer { parameters ->
    239. 

  239. 	if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
    240. 

  240. 		parameters.remove(OAuth2ParameterNames.CLIENT_ID)
    241. 

  241. 	}
    242. 

  242. }
    243. 

  243. ----
    244. 

  244. ======
    245. 

  245. 

  246. [#oauth2-client-{section-id}-access-token-response]
    247. 

  247. == Customizing the Access Token Response
    248. 

  248. 

  249. `{class-name}` provides hooks for customizing the OAuth 2.0 Access Token Response.
    250. 

  250. 

  251. [#oauth2-client-{section-id}-access-token-response-parameters]
    252. 

  252. === Customizing Response Parameters
    253. 

  253. 

  254. You can customize the conversion of Token Response parameters to an `OAuth2AccessTokenResponse` by calling `setBodyExtractor()`.
    255. 

  255. The default implementation provided by `OAuth2BodyExtractors.oauth2AccessTokenResponse()` parses the response and handles errors accordingly.
    256. 

  256. 

  257. The following example provides a starting point for customizing the conversion of Token Response parameters to an `OAuth2AccessTokenResponse`:
    258. 

  258. 

  259. .Customize Body Extractor
    260. 

  260. [tabs]
    261. 

  261. ======
    262. 

  262. Java::
    263. 

  263. +
    264. 

  264. [source,java,role="primary",subs="+attributes"]
    265. 

  265. ----
    266. 

  266. {class-name} accessTokenResponseClient =
    267. 

  267. 	new {class-name}();
    268. 

  268. 

  269. BodyExtractor<Mono<Map<String, Object>>, ReactiveHttpInputMessage> bodyExtractor =
    270. 

  270. 	BodyExtractors.toMono(new ParameterizedTypeReference<>() {});
    271. 

  271. accessTokenResponseClient.setBodyExtractor((inputMessage, context) ->
    272. 

  272. 	bodyExtractor.extract(inputMessage, context)
    273. 

  273. 		.map(parameters -> OAuth2AccessTokenResponse.withToken("custom-token")
    274. 

  274. 			// ...
    275. 

  275. 			.build()
    276. 

  276. 		)
    277. 

  277. );
    278. 

  278. ----
    279. 

  279. 

  280. Kotlin::
    281. 

  281. +
    282. 

  282. [source,kotlin,role="secondary",subs="+attributes"]
    283. 

  283. ----
    284. 

  284. val accessTokenResponseClient = {class-name}()
    285. 

  285. 

  286. val bodyExtractor = BodyExtractors.toMono(object : ParameterizedTypeReference<Map<String, Any>>() {})
    287. 

  287. accessTokenResponseClient.setBodyExtractor { inputMessage, context ->
    288. 

  288. 	bodyExtractor.extract(inputMessage, context).map { parameters ->
    289. 

  289. 		OAuth2AccessTokenResponse.withToken("custom-token")
    290. 

  290. 			// ...
    291. 

  291. 			.build()
    292. 

  292. 	}
    293. 

  293. }
    294. 

  294. ----
    295. 

  295. ======
    296. 

  296. 

  297. [CAUTION]
    298. 

  298. ====
    299. 

  299. When providing a custom `BodyExtractor`, you are responsible for detecting and converting an OAuth 2.0 Error Response to a `Mono.error()` with `OAuth2Error` based on parameters of the response.
    300. 

  300. ====
    301. 

  301. 

  302. [#oauth2-client-{section-id}-access-token-response-web-client]
    303. 

  303. === Customizing the `WebClient`
    304. 

  304. 

  305. Alternatively, if your requirements are more advanced, you can take full control of the request and/or response by providing a pre-configured `WebClient` to `setWebClient()` as the following example shows:
    306. 

  306. 

  307. .Customize `WebClient`
    308. 

  308. [tabs]
    309. 

  309. ======
    310. 

  310. Java::
    311. 

  311. +
    312. 

  312. [source,java,role="primary",subs="+attributes"]
    313. 

  313. ----
    314. 

  314. WebClient webClient = WebClient.builder()
    315. 

  315. 	// ...
    316. 

  316. 	.build();
    317. 

  317. 

  318. {class-name} accessTokenResponseClient =
    319. 

  319. 	new {class-name}();
    320. 

  320. accessTokenResponseClient.setWebClient(webClient);
    321. 

  321. ----
    322. 

  322. 

  323. Kotlin::
    324. 

  324. +
    325. 

  325. [source,kotlin,role="secondary",subs="+attributes"]
    326. 

  326. ----
    327. 

  327. val webClient = WebClient.builder()
    328. 

  328. 	// ...
    329. 

  329. 	.build()
    330. 

  330. 

  331. val accessTokenResponseClient = {class-name}()
    332. 

  332. accessTokenResponseClient.setWebClient(webClient)
    333. 

  333. ----
    334. 

  334. ======
    335.