2021-10-29 13:06:38 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								= OAuth 2.0 Resource Server Bearer Tokens
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								[[webflux-oauth2resourceserver-bearertoken-resolver]]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								== Bearer Token Resolution
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								By default, Resource Server looks for a bearer token in the `Authorization` header.
							 
						 
					
						
							
								
									
										
										
										
											2021-12-13 16:57:36 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								However, you can verify this token.
							 
						 
					
						
							
								
									
										
										
										
											2021-10-29 13:06:38 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								For example, you may have a need to read the bearer token from a custom header.
							 
						 
					
						
							
								
									
										
										
										
											2021-12-13 16:57:36 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								To do so, you can wire an instance of `ServerBearerTokenAuthenticationConverter` into the DSL:
							 
						 
					
						
							
								
									
										
										
										
											2021-10-29 13:06:38 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								.Custom Bearer Token Header
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2021-10-29 13:06:38 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								ServerBearerTokenAuthenticationConverter converter = new ServerBearerTokenAuthenticationConverter();
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								converter.setBearerTokenHeaderName(HttpHeaders.PROXY_AUTHORIZATION);
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								http
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    .oauth2ResourceServer(oauth2 -> oauth2
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        .bearerTokenConverter(converter)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    );
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2021-10-29 13:06:38 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								val converter = ServerBearerTokenAuthenticationConverter()
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								converter.setBearerTokenHeaderName(HttpHeaders.PROXY_AUTHORIZATION)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								return http {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    oauth2ResourceServer {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        bearerTokenConverter = converter
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								======
							 
						 
					
						
							
								
									
										
										
										
											2021-10-29 13:06:38 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								== Bearer Token Propagation
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2021-12-13 16:57:36 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								Now that you have a bearer token, you can pass that to downstream services.
							 
						 
					
						
							
								
									
										
										
										
											2024-07-09 13:23:24 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								This is possible with javadoc:org.springframework.security.oauth2.server.resource.web.reactive.function.client.ServerBearerExchangeFilterFunction[]:
							 
						 
					
						
							
								
									
										
										
										
											2021-10-29 13:06:38 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2021-10-29 13:06:38 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								@Bean
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								public WebClient rest() {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    return WebClient.builder()
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								            .filter(new ServerBearerExchangeFilterFunction())
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								            .build();
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2021-10-29 13:06:38 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								@Bean
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								fun rest(): WebClient {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    return WebClient.builder()
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								            .filter(ServerBearerExchangeFilterFunction())
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								            .build()
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								======
							 
						 
					
						
							
								
									
										
										
										
											2021-10-29 13:06:38 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-07-09 13:23:24 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								When the `WebClient` shown in the preceding example performs requests, Spring Security looks up the current `Authentication` and extract any javadoc:org.springframework.security.oauth2.core.AbstractOAuth2Token[] credential.
							 
						 
					
						
							
								
									
										
										
										
											2021-12-13 16:57:36 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								Then, it propagates that token in the `Authorization` header -- for example:
							 
						 
					
						
							
								
									
										
										
										
											2021-10-29 13:06:38 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2021-10-29 13:06:38 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								this.rest.get()
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        .uri("https://other-service.example.com/endpoint")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        .retrieve()
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        .bodyToMono(String.class)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2021-10-29 13:06:38 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								this.rest.get()
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        .uri("https://other-service.example.com/endpoint")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        .retrieve()
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        .bodyToMono<String>()
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								======
							 
						 
					
						
							
								
									
										
										
										
											2021-10-29 13:06:38 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-11-09 23:28:30 +07:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								The preceding example invokes the `https://other-service.example.com/endpoint`, adding the bearer token `Authorization` header for you.
							 
						 
					
						
							
								
									
										
										
										
											2021-10-29 13:06:38 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2021-12-13 16:57:36 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								In places where you need to override this behavior, you can supply the header yourself:
							 
						 
					
						
							
								
									
										
										
										
											2021-10-29 13:06:38 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2021-10-29 13:06:38 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								this.rest.get()
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        .uri("https://other-service.example.com/endpoint")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        .headers(headers -> headers.setBearerAuth(overridingToken))
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        .retrieve()
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        .bodyToMono(String.class)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2021-10-29 13:06:38 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								rest.get()
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        .uri("https://other-service.example.com/endpoint")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        .headers { it.setBearerAuth(overridingToken) }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        .retrieve()
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        .bodyToMono<String>()
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								======
							 
						 
					
						
							
								
									
										
										
										
											2021-10-29 13:06:38 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2021-12-13 16:57:36 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								In this case, the filter falls back and forwards the request onto the rest of the web filter chain.
							 
						 
					
						
							
								
									
										
										
										
											2021-10-29 13:06:38 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								[NOTE]
							 
						 
					
						
							
								
									
										
										
										
											2021-12-13 16:57:36 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								====
							 
						 
					
						
							
								
									
										
										
										
											2025-02-12 22:36:59 +07:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								Unlike the javadoc:org.springframework.security.oauth2.client.web.reactive.function.client.ServerOAuth2AuthorizedClientExchangeFilterFunction[OAuth 2.0 Client filter function], this filter function makes no attempt to renew the token, should it be expired.
							 
						 
					
						
							
								
									
										
										
										
											2021-12-13 16:57:36 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								====