Inicio Explorar Axuda
Rexistro Iniciar sesión
github
/
spring-security
réplica de https://github.com/spring-projects/spring-security
2
0
Fork 0
Ficheiros Incidencias 0 Wiki
Árbore: e869bcdfa3
Ramas Etiquetas
spring-security
/
docs
/
modules
/
ROOT
/
partials
/
servlet
/
oauth2
/
client
/
rest-client-access-token-response-client.adoc

rest-client-access-token-response-client.adoc 12 KB
Histórico Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358 
  1. `{class-name}` is very flexible and provides several options for customizing the OAuth 2.0 Access Token request and response for the {grant-type} grant.
    2. 

  2. Choose from the following use cases to learn more:
    3. 

  3. 

  4. * I want to <<oauth2-client-{section-id}-access-token-request-headers,customize headers of the Access Token request>>
    5. 

  5. * I want to <<oauth2-client-{section-id}-access-token-request-parameters,customize parameters of the Access Token request>>
    6. 

  6. * I want to <<oauth2-client-{section-id}-access-token-response-rest-client,customize the instance of `RestClient` that is used>>
    7. 

  7. * I want to <<oauth2-client-{section-id}-access-token-response-parameters,customize parameters of the Access Token response>>
    8. 

  8. * I want to <<oauth2-client-{section-id}-access-token-response-errors,customize error handling of the Access Token response>>
    9. 

  9. 

  10. [#oauth2-client-{section-id}-access-token-request]
    11. 

  11. == Customizing the Access Token Request
    12. 

  12. 

  13. `{class-name}` provides hooks for customizing HTTP headers and request parameters of the OAuth 2.0 Access Token Request.
    14. 

  14. 

  15. [#oauth2-client-{section-id}-access-token-request-headers]
    16. 

  16. === Customizing Request Headers
    17. 

  17. 

  18. There are two options for customizing HTTP headers:
    19. 

  19. 

  20. * Add additional headers by calling `addHeadersConverter()`
    21. 

  21. * Fully customize headers by calling `setHeadersConverter()`
    22. 

  22. 

  23. You can include additional headers without affecting the default headers added to every request using `addHeadersConverter()`.
    24. 

  24. The following example adds a `User-Agent` header to the request when the `registrationId` is `spring`:
    25. 

  25. 

  26. .Include Additional HTTP Headers
    27. 

  27. [tabs]
    28. 

  28. ======
    29. 

  29. Java::
    30. 

  30. +
    31. 

  31. [source,java,role="primary",subs="+attributes"]
    32. 

  32. ----
    33. 

  33. {class-name} accessTokenResponseClient =
    34. 

  34. 	new {class-name}();
    35. 

  35. accessTokenResponseClient.addHeadersConverter(grantRequest -> {
    36. 

  36. 	ClientRegistration clientRegistration = grantRequest.getClientRegistration();
    37. 

  37. 	HttpHeaders headers = new HttpHeaders();
    38. 

  38. 	if (clientRegistration.getRegistrationId().equals("spring")) {
    39. 

  39. 		headers.set(HttpHeaders.USER_AGENT, "my-user-agent");
    40. 

  40. 	}
    41. 

  41. 	return headers;
    42. 

  42. });
    43. 

  43. ----
    44. 

  44. 

  45. Kotlin::
    46. 

  46. +
    47. 

  47. [source,kotlin,role="secondary",subs="+attributes"]
    48. 

  48. ----
    49. 

  49. val accessTokenResponseClient = {class-name}()
    50. 

  50. accessTokenResponseClient.addHeadersConverter { grantRequest ->
    51. 

  51. 	val clientRegistration = grantRequest.getClientRegistration()
    52. 

  52. 	val headers = HttpHeaders()
    53. 

  53. 	if (clientRegistration.getRegistrationId() == "spring") {
    54. 

  54.         headers[HttpHeaders.USER_AGENT] = "my-user-agent"
    55. 

  55. 	}
    56. 

  56. 	headers
    57. 

  57. }
    58. 

  58. ----
    59. 

  59. ======
    60. 

  60. 

  61. You can fully customize headers by re-using `DefaultOAuth2TokenRequestHeadersConverter` or providing a custom implementation using `setHeadersConverter()`.
    62. 

  62. The following example re-uses `DefaultOAuth2TokenRequestHeadersConverter` and disables `encodeClientCredentials` so that HTTP Basic credentials are no longer encoded with `application/x-www-form-urlencoded`:
    63. 

  63. 

  64. .Customize HTTP Headers
    65. 

  65. [tabs]
    66. 

  66. ======
    67. 

  67. Java::
    68. 

  68. +
    69. 

  69. [source,java,role="primary",subs="+attributes"]
    70. 

  70. ----
    71. 

  71. DefaultOAuth2TokenRequestHeadersConverter headersConverter =
    72. 

  72. 	new DefaultOAuth2TokenRequestHeadersConverter();
    73. 

  73. headersConverter.setEncodeClientCredentials(false);
    74. 

  74. 

  75. {class-name} accessTokenResponseClient =
    76. 

  76. 	new {class-name}();
    77. 

  77. accessTokenResponseClient.setHeadersConverter(headersConverter);
    78. 

  78. ----
    79. 

  79. 

  80. Kotlin::
    81. 

  81. +
    82. 

  82. [source,kotlin,role="secondary",subs="+attributes"]
    83. 

  83. ----
    84. 

  84. val headersConverter = DefaultOAuth2TokenRequestHeadersConverter()
    85. 

  85. headersConverter.setEncodeClientCredentials(false)
    86. 

  86. 

  87. val accessTokenResponseClient = {class-name}()
    88. 

  88. accessTokenResponseClient.setHeadersConverter(headersConverter)
    89. 

  89. ----
    90. 

  90. ======
    91. 

  91. 

  92. [#oauth2-client-{section-id}-access-token-request-parameters]
    93. 

  93. === Customizing Request Parameters
    94. 

  94. 

  95. There are three options for customizing request parameters:
    96. 

  96. 

  97. * Add additional parameters by calling `addParametersConverter()`
    98. 

  98. * Override parameters by calling `setParametersConverter()`
    99. 

  99. * Fully customize parameters by calling `setParametersCustomizer()`
    100. 

  100. 

  101. [NOTE]
    102. 

  102. ====
    103. 

  103. Using `setParametersConverter()` does not fully customize parameters because it would require the user to provide all default parameters themselves.
    104. 

  104. Default parameters are always provided, but can be fully customized or omitted by calling `setParametersCustomizer()`.
    105. 

  105. ====
    106. 

  106. 

  107. You can include additional parameters without affecting the default parameters added to every request using `addParametersConverter()`.
    108. 

  108. The following example adds an `audience` parameter to the request when the `registrationId` is `keycloak`:
    109. 

  109. 

  110. .Include Additional Request Parameters
    111. 

  111. [tabs]
    112. 

  112. ======
    113. 

  113. Java::
    114. 

  114. +
    115. 

  115. [source,java,role="primary",subs="+attributes"]
    116. 

  116. ----
    117. 

  117. {class-name} accessTokenResponseClient =
    118. 

  118. 	new {class-name}();
    119. 

  119. accessTokenResponseClient.addParametersConverter(grantRequest -> {
    120. 

  120. 	ClientRegistration clientRegistration = grantRequest.getClientRegistration();
    121. 

  121. 	MultiValueMap<String, String> parameters = new LinkedMultiValueMap<String, String>();
    122. 

  122. 	if (clientRegistration.getRegistrationId().equals("keycloak")) {
    123. 

  123. 		parameters.set(OAuth2ParameterNames.AUDIENCE, "my-audience");
    124. 

  124. 	}
    125. 

  125. 	return parameters;
    126. 

  126. });
    127. 

  127. ----
    128. 

  128. 

  129. Kotlin::
    130. 

  130. +
    131. 

  131. [source,kotlin,role="secondary",subs="+attributes"]
    132. 

  132. ----
    133. 

  133. val accessTokenResponseClient = {class-name}()
    134. 

  134. accessTokenResponseClient.addParametersConverter { grantRequest ->
    135. 

  135. 	val clientRegistration = grantRequest.getClientRegistration()
    136. 

  136. 	val parameters = LinkedMultiValueMap<String, String>()
    137. 

  137. 	if (clientRegistration.getRegistrationId() == "keycloak") {
    138. 

  138.         parameters[OAuth2ParameterNames.AUDIENCE] = "my-audience"
    139. 

  139. 	}
    140. 

  140. 	parameters
    141. 

  141. }
    142. 

  142. ----
    143. 

  143. ======
    144. 

  144. 

  145. You can override default parameters using `setParametersConverter()`.
    146. 

  146. The following example overrides the `client_id` parameter when the `registrationId` is `okta`:
    147. 

  147. 

  148. .Override Request Parameters
    149. 

  149. [tabs]
    150. 

  150. ======
    151. 

  151. Java::
    152. 

  152. +
    153. 

  153. [source,java,role="primary",subs="+attributes"]
    154. 

  154. ----
    155. 

  155. {class-name} accessTokenResponseClient =
    156. 

  156. 	new {class-name}();
    157. 

  157. accessTokenResponseClient.setParametersConverter(grantRequest -> {
    158. 

  158. 	ClientRegistration clientRegistration = grantRequest.getClientRegistration();
    159. 

  159. 	LinkedMultiValueMap<String, String> parameters = new LinkedMultiValueMap<>();
    160. 

  160. 	if (clientRegistration.getRegistrationId().equals("okta")) {
    161. 

  161. 		parameters.set(OAuth2ParameterNames.CLIENT_ID, "my-client");
    162. 

  162. 	}
    163. 

  163. 	return parameters;
    164. 

  164. });
    165. 

  165. ----
    166. 

  166. 

  167. Kotlin::
    168. 

  168. +
    169. 

  169. [source,kotlin,role="secondary",subs="+attributes"]
    170. 

  170. ----
    171. 

  171. val parametersConverter = DefaultOAuth2TokenRequestParametersConverter<{grant-request}>()
    172. 

  172. parametersConverter.setParametersCustomizer { parameters ->
    173. 

  173. 	if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
    174. 

  174. 		parameters.remove(OAuth2ParameterNames.CLIENT_ID)
    175. 

  175. 	}
    176. 

  176. }
    177. 

  177. 

  178. val accessTokenResponseClient = {class-name}()
    179. 

  179. accessTokenResponseClient.setParametersConverter { grantRequest ->
    180. 

  180.     val clientRegistration = grantRequest.getClientRegistration()
    181. 

  181. 	val parameters = LinkedMultiValueMap<String, String>()
    182. 

  182. 	if (clientRegistration.getRegistrationId() == "okta") {
    183. 

  183.         parameters[OAuth2ParameterNames.CLIENT_ID] = "my-client"
    184. 

  184. 	}
    185. 

  185. 	parameters
    186. 

  186. }
    187. 

  187. ----
    188. 

  188. ======
    189. 

  189. 

  190. You can fully customize parameters (including omitting default parameters) using `setParametersCustomizer()`.
    191. 

  191. The following example omits the `client_id` parameter when the `client_assertion` parameter is present in the request:
    192. 

  192. 

  193. .Omit Request Parameters
    194. 

  194. [tabs]
    195. 

  195. ======
    196. 

  196. Java::
    197. 

  197. +
    198. 

  198. [source,java,role="primary",subs="+attributes"]
    199. 

  199. ----
    200. 

  200. {class-name} accessTokenResponseClient =
    201. 

  201. 	new {class-name}();
    202. 

  202. accessTokenResponseClient.setParametersCustomizer(parameters -> {
    203. 

  203. 	if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
    204. 

  204. 		parameters.remove(OAuth2ParameterNames.CLIENT_ID);
    205. 

  205. 	}
    206. 

  206. });
    207. 

  207. ----
    208. 

  208. 

  209. Kotlin::
    210. 

  210. +
    211. 

  211. [source,kotlin,role="secondary",subs="+attributes"]
    212. 

  212. ----
    213. 

  213. val accessTokenResponseClient = {class-name}()
    214. 

  214. accessTokenResponseClient.setParametersCustomizer { parameters ->
    215. 

  215. 	if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
    216. 

  216. 		parameters.remove(OAuth2ParameterNames.CLIENT_ID)
    217. 

  217. 	}
    218. 

  218. }
    219. 

  219. ----
    220. 

  220. ======
    221. 

  221. 

  222. [#oauth2-client-{section-id}-access-token-response]
    223. 

  223. == Customizing the Access Token Response
    224. 

  224. 

  225. `{class-name}` provides hooks for customizing response parameters and error handling of the OAuth 2.0 Access Token Response.
    226. 

  226. 

  227. [#oauth2-client-{section-id}-access-token-response-rest-client]
    228. 

  228. === Customizing the `RestClient`
    229. 

  229. 

  230. You can customize the Token Response by providing a pre-configured `RestClient` to `setRestClient()`.
    231. 

  231. The default `RestClient` is configured as follows:
    232. 

  232. 

  233. .Default `RestClient` Configuration
    234. 

  234. [tabs]
    235. 

  235. ======
    236. 

  236. Java::
    237. 

  237. +
    238. 

  238. [source,java,role="primary",subs="+attributes"]
    239. 

  239. ----
    240. 

  240. RestClient restClient = RestClient.builder()
    241. 

  241. 	.messageConverters(messageConverters -> {
    242. 

  242. 		messageConverters.clear();
    243. 

  243. 		messageConverters.add(new FormHttpMessageConverter());
    244. 

  244. 		messageConverters.add(new OAuth2AccessTokenResponseHttpMessageConverter());
    245. 

  245. 	})
    246. 

  246. 	.defaultStatusHandler(new OAuth2ErrorResponseErrorHandler())
    247. 

  247. 	.build();
    248. 

  248. 

  249. {class-name} accessTokenResponseClient =
    250. 

  250. 	new {class-name}();
    251. 

  251. accessTokenResponseClient.setRestClient(restClient);
    252. 

  252. ----
    253. 

  253. 

  254. Kotlin::
    255. 

  255. +
    256. 

  256. [source,kotlin,role="secondary",subs="+attributes"]
    257. 

  257. ----
    258. 

  258. val restClient = RestClient.builder()
    259. 

  259. 	.messageConverters { messageConverters ->
    260. 

  260. 		messageConverters.clear()
    261. 

  261. 		messageConverters.add(FormHttpMessageConverter())
    262. 

  262. 		messageConverters.add(OAuth2AccessTokenResponseHttpMessageConverter())
    263. 

  263. 	}
    264. 

  264. 	.defaultStatusHandler(OAuth2ErrorResponseErrorHandler())
    265. 

  265. 	.build()
    266. 

  266. 

  267. val accessTokenResponseClient = {class-name}()
    268. 

  268. accessTokenResponseClient.setRestClient(restClient)
    269. 

  269. ----
    270. 

  270. ======
    271. 

  271. 

  272. `OAuth2AccessTokenResponseHttpMessageConverter` is an `HttpMessageConverter` for an OAuth 2.0 Access Token Response.
    273. 

  273. You can customize the conversion of Token Response parameters to an `OAuth2AccessTokenResponse` by calling `setAccessTokenResponseConverter()`.
    274. 

  274. The default implementation is `DefaultMapOAuth2AccessTokenResponseConverter`.
    275. 

  275. 

  276. `OAuth2ErrorResponseErrorHandler` is a `ResponseErrorHandler` that can handle an OAuth 2.0 Error, such as `400 Bad Request`.
    277. 

  277. It uses an `OAuth2ErrorHttpMessageConverter` for converting the OAuth 2.0 Error parameters to an `OAuth2Error`.
    278. 

  278. You can customize the conversion of Token Response parameters to an `OAuth2Error` by calling `setErrorConverter()`.
    279. 

  279. 

  280. [TIP]
    281. 

  281. ====
    282. 

  282. Spring MVC `FormHttpMessageConverter` is required, as it is used when sending the OAuth 2.0 Access Token Request.
    283. 

  283. ====
    284. 

  284. 

  285. [#oauth2-client-{section-id}-access-token-response-parameters]
    286. 

  286. === Customizing Response Parameters
    287. 

  287. 

  288. The following example provides a starting point for customizing the conversion of Token Response parameters to an `OAuth2AccessTokenResponse`:
    289. 

  289. 

  290. .Customize Access Token Response Converter
    291. 

  291. [tabs]
    292. 

  292. ======
    293. 

  293. Java::
    294. 

  294. +
    295. 

  295. [source,java,role="primary"]
    296. 

  296. ----
    297. 

  297. OAuth2AccessTokenResponseHttpMessageConverter accessTokenResponseMessageConverter =
    298. 

  298. 	new OAuth2AccessTokenResponseHttpMessageConverter();
    299. 

  299. accessTokenResponseMessageConverter.setAccessTokenResponseConverter(parameters -> {
    300. 

  300. 	// ...
    301. 

  301. 	return OAuth2AccessTokenResponse.withToken("custom-token")
    302. 

  302. 		// ...
    303. 

  303. 		.build();
    304. 

  304. });
    305. 

  305. ----
    306. 

  306. 

  307. Kotlin::
    308. 

  308. +
    309. 

  309. [source,kotlin,role="secondary"]
    310. 

  310. ----
    311. 

  311. val accessTokenResponseMessageConverter = OAuth2AccessTokenResponseHttpMessageConverter()
    312. 

  312. accessTokenResponseMessageConverter.setAccessTokenResponseConverter { parameters ->
    313. 

  313. 	// ...
    314. 

  314. 	return OAuth2AccessTokenResponse.withToken("custom-token")
    315. 

  315. 		// ...
    316. 

  316. 		.build()
    317. 

  317. }
    318. 

  318. ----
    319. 

  319. ======
    320. 

  320. 

  321. [#oauth2-client-{section-id}-access-token-response-errors]
    322. 

  322. === Customizing Error Handling
    323. 

  323. 

  324. The following example provides a starting point for customizing the conversion of Error parameters to an `OAuth2Error`:
    325. 

  325. 

  326. .Customize Access Token Error Handler
    327. 

  327. [tabs]
    328. 

  328. ======
    329. 

  329. Java::
    330. 

  330. +
    331. 

  331. [source,java,role="primary"]
    332. 

  332. ----
    333. 

  333. OAuth2ErrorHttpMessageConverter errorConverter =
    334. 

  334. 	new OAuth2ErrorHttpMessageConverter();
    335. 

  335. errorConverter.setErrorConverter(parameters -> {
    336. 

  336. 	// ...
    337. 

  337. 	return new OAuth2Error("custom-error", "custom description", "custom-uri");
    338. 

  338. });
    339. 

  339. 

  340. OAuth2ErrorResponseErrorHandler errorHandler =
    341. 

  341. 	new OAuth2ErrorResponseErrorHandler();
    342. 

  342. errorHandler.setErrorConverter(errorConverter);
    343. 

  343. ----
    344. 

  344. 

  345. Kotlin::
    346. 

  346. +
    347. 

  347. [source,kotlin,role="secondary"]
    348. 

  348. ----
    349. 

  349. val errorConverter = OAuth2ErrorHttpMessageConverter()
    350. 

  350. errorConverter.setErrorConverter { parameters ->
    351. 

  351. 	// ...
    352. 

  352. 	return OAuth2Error("custom-error", "custom description", "custom-uri")
    353. 

  353. }
    354. 

  354. 

  355. val errorHandler = OAuth2ErrorResponseErrorHandler()
    356. 

  356. errorHandler.setErrorConverter(errorConverter)
    357. 

  357. ----
    358. 

  358. ======
    359.