spring-security/docs/modules/ROOT/pages/reactive/oauth2/resource-server/opaque-token.adoc

= OAuth 2.0 Resource Server Opaque Token

[[webflux-oauth2resourceserver-opaque-minimaldependencies]]
== Minimal Dependencies for Introspection
As described in xref:servlet/oauth2/resource-server/jwt.adoc#oauth2resourceserver-jwt-minimaldependencies[Minimal Dependencies for JWT], most Resource Server support is collected in `spring-security-oauth2-resource-server`.
However, unless you provide a custom <<webflux-oauth2resourceserver-opaque-introspector-bean,`ReactiveOpaqueTokenIntrospector`>>, the Resource Server falls back to `SpringReactiveOpaqueTokenIntrospector`.
This means that only `spring-security-oauth2-resource-server` is necessary to have a working minimal Resource Server that supports opaque Bearer Tokens.

[[webflux-oauth2resourceserver-opaque-minimalconfiguration]]
== Minimal Configuration for Introspection

Typically, you can verify an opaque token with an https://tools.ietf.org/html/rfc7662[OAuth 2.0 Introspection Endpoint], hosted by the authorization server.
This can be handy when revocation is a requirement.

When using https://spring.io/projects/spring-boot[Spring Boot], configuring an application as a resource server that uses introspection consists of two steps:

. Include the needed dependencies.
. Indicate the introspection endpoint details.

[[webflux-oauth2resourceserver-opaque-introspectionuri]]
=== Specifying the Authorization Server

You can specify where the introspection endpoint is:

[source,yaml]
----
spring:
  security:
    oauth2:
      resourceserver:
        opaquetoken:
          introspection-uri: https://idp.example.com/introspect
          client-id: client
          client-secret: secret
----

Where `https://idp.example.com/introspect` is the introspection endpoint hosted by your authorization server and `client-id` and `client-secret` are the credentials needed to hit that endpoint.

Resource Server uses these properties to further self-configure and subsequently validate incoming JWTs.

[NOTE]
====
If the authorization server responses that the token is valid, then it is.
====

=== Startup Expectations

When this property and these dependencies are used, Resource Server automatically configures itself to validate Opaque Bearer Tokens.

This startup process is quite a bit simpler than for JWTs, since no endpoints need to be discovered and no additional validation rules get added.

=== Runtime Expectations

Once the application has started, Resource Server tries to process any request containing an `Authorization: Bearer` header:

[source,http]
----
GET / HTTP/1.1
Authorization: Bearer some-token-value # Resource Server will process this
----

So long as this scheme is indicated, Resource Server tries to process the request according to the Bearer Token specification.

Given an Opaque Token, Resource Server:

. Queries the provided introspection endpoint by using the provided credentials and the token.
. Inspects the response for an `{ 'active' : true }` attribute.
. Maps each scope to an authority with a prefix of `SCOPE_`.

By default, the resulting `Authentication#getPrincipal` is a Spring Security javadoc:org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal[] object, and `Authentication#getName` maps to the token's `sub` property, if one is present.

From here, you may want to jump to:

* <<webflux-oauth2resourceserver-opaque-attributes>>
* <<webflux-oauth2resourceserver-opaque-authorization-extraction>>
* <<webflux-oauth2resourceserver-opaque-jwt-introspector>>

[[webflux-oauth2resourceserver-opaque-attributes]]
== Looking Up Attributes After Authentication

Once a token is authenticated, an instance of `BearerTokenAuthentication` is set in the `SecurityContext`.

This means that it is available in `@Controller` methods when you use `@EnableWebFlux` in your configuration:

[tabs]
======
Java::
+
[source,java,role="primary"]
----
@GetMapping("/foo")
public Mono<String> foo(BearerTokenAuthentication authentication) {
    return Mono.just(authentication.getTokenAttributes().get("sub") + " is the subject");
}
----

Kotlin::
+
[source,kotlin,role="secondary"]
----
@GetMapping("/foo")
fun foo(authentication: BearerTokenAuthentication): Mono<String> {
    return Mono.just(authentication.tokenAttributes["sub"].toString() + " is the subject")
}
----
======

Since `BearerTokenAuthentication` holds an `OAuth2AuthenticatedPrincipal`, that also means that it's available to controller methods, too:

[tabs]
======
Java::
+
[source,java,role="primary"]
----
@GetMapping("/foo")
public Mono<String> foo(@AuthenticationPrincipal OAuth2AuthenticatedPrincipal principal) {
    return Mono.just(principal.getAttribute("sub") + " is the subject");
}
----

Kotlin::
+
[source,kotlin,role="secondary"]
----
@GetMapping("/foo")
fun foo(@AuthenticationPrincipal principal: OAuth2AuthenticatedPrincipal): Mono<String> {
    return Mono.just(principal.getAttribute<Any>("sub").toString() + " is the subject")
}
----
======

=== Looking Up Attributes with SpEL

You can access attributes with the Spring Expression Language (SpEL).

For example, if you use `@EnableReactiveMethodSecurity` so that you can use `@PreAuthorize` annotations, you can do:

[tabs]
======
Java::
+
[source,java,role="primary"]
----
@PreAuthorize("principal?.attributes['sub'] = 'foo'")
public Mono<String> forFoosEyesOnly() {
    return Mono.just("foo");
}
----

Kotlin::
+
[source,kotlin,role="secondary"]
----
@PreAuthorize("principal.attributes['sub'] = 'foo'")
fun forFoosEyesOnly(): Mono<String> {
    return Mono.just("foo")
}
----
======

[[webflux-oauth2resourceserver-opaque-sansboot]]
== Overriding or Replacing Boot Auto Configuration

Spring Boot generates two `@Bean` instances for Resource Server.

The first is a `SecurityWebFilterChain` that configures the application as a resource server.
When you use an Opaque Token, this `SecurityWebFilterChain` looks like:

[tabs]
======
Java::
+
[source,java,role="primary"]
----
@Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
	http
		.authorizeExchange((authorize) -> authorize
			.anyExchange().authenticated()
		)
		.oauth2ResourceServer(ServerHttpSecurity.OAuth2ResourceServerSpec::opaqueToken)
	return http.build();
}
----

Kotlin::
+
[source,kotlin,role="secondary"]
----
@Bean
fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
    return http {
        authorizeExchange {
            authorize(anyExchange, authenticated)
        }
        oauth2ResourceServer {
            opaqueToken { }
        }
    }
}
----
======

If the application does not expose a `SecurityWebFilterChain` bean, Spring Boot exposes the default bean (shown in the preceding listing).

You can replace it by exposing the bean within the application:

.Replacing SecurityWebFilterChain
[tabs]
======
Java::
+
[source,java,role="primary"]
----
import static org.springframework.security.oauth2.core.authorization.OAuth2ReactiveAuthorizationManagers.hasScope;

@Configuration
@EnableWebFluxSecurity
public class MyCustomSecurityConfiguration {
    @Bean
    SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http
            .authorizeExchange((authorize) -> authorize
                .pathMatchers("/messages/**").access(hasScope("message:read"))
                .anyExchange().authenticated()
            )
            .oauth2ResourceServer((oauth2) -> oauth2
                .opaqueToken((opaqueToken) -> opaqueToken
                    .introspector(myIntrospector())
                )
            );
        return http.build();
    }
}
----

Kotlin::
+
[source,kotlin,role="secondary"]
----
import org.springframework.security.oauth2.core.authorization.OAuth2ReactiveAuthorizationManagers.hasScope

@Bean
fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
    return http {
        authorizeExchange {
            authorize("/messages/**", hasScope("message:read"))
            authorize(anyExchange, authenticated)
        }
        oauth2ResourceServer {
            opaqueToken {
                introspector = myIntrospector()
            }
        }
    }
}
----
======

The preceding example requires the scope of `message:read` for any URL that starts with `/messages/`.

Methods on the `oauth2ResourceServer` DSL also override or replace auto configuration.

For example, the second `@Bean` Spring Boot creates is a `ReactiveOpaqueTokenIntrospector`, which decodes `String` tokens into validated instances of `OAuth2AuthenticatedPrincipal`:

[tabs]
======
Java::
+
[source,java,role="primary"]
----
@Bean
public ReactiveOpaqueTokenIntrospector introspector() {
    return SpringReactiveOpaqueTokenIntrospector.withIntrospectionUri(introspectionUri)
        .clientId(clientId).clientSecret(clientSecret).build();
}
----

Kotlin::
+
[source,kotlin,role="secondary"]
----
@Bean
fun introspector(): ReactiveOpaqueTokenIntrospector {
    return SpringReactiveOpaqueTokenIntrospector.withIntrospectionUri(introspectionUri)
        .clientId(clientId).clientSecret(clientSecret).build()
}
----
======

If the application does not expose a `ReactiveOpaqueTokenIntrospector` bean, Spring Boot exposes the default one (shown in the preceding listing).

You can override its configuration by using `introspectionUri()` and `introspectionClientCredentials()` or replace it by using `introspector()`.

[[webflux-oauth2resourceserver-opaque-introspectionuri-dsl]]
=== Using `introspectionUri()`

You can configure an authorization server's Introspection URI <<webflux-oauth2resourceserver-opaque-introspectionuri,as a configuration property>>, or you can supply in the DSL:

[tabs]
======
Java::
+
[source,java,role="primary"]
----
@Configuration
@EnableWebFluxSecurity
public class DirectlyConfiguredIntrospectionUri {
    @Bean
    SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http
            .authorizeExchange((authorize) -> authorize
                .anyExchange().authenticated()
            )
            .oauth2ResourceServer((oauth2) -> oauth2
                .opaqueToken((opaqueToken) -> opaqueToken
                    .introspectionUri("https://idp.example.com/introspect")
                    .introspectionClientCredentials("client", "secret")
                )
            );
        return http.build();
    }
}
----

Kotlin::
+
[source,kotlin,role="secondary"]
----
@Bean
fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
    return http {
        authorizeExchange {
            authorize(anyExchange, authenticated)
        }
        oauth2ResourceServer {
            opaqueToken {
                introspectionUri = "https://idp.example.com/introspect"
                introspectionClientCredentials("client", "secret")
            }
        }
    }
}
----
======

Using `introspectionUri()` takes precedence over any configuration property.

[[webflux-oauth2resourceserver-opaque-introspector-dsl]]
=== Using `introspector()`

`introspector()` is more powerful than `introspectionUri()`. It completely replaces any Boot auto-configuration of `ReactiveOpaqueTokenIntrospector`:

[tabs]
======
Java::
+
[source,java,role="primary"]
----
@Configuration
@EnableWebFluxSecurity
public class DirectlyConfiguredIntrospector {
    @Bean
    SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http
            .authorizeExchange((authorize) -> authorize
                .anyExchange().authenticated()
            )
            .oauth2ResourceServer((oauth2) -> oauth2
                .opaqueToken((opaqueToken) -> opaqueToken
                    .introspector(myCustomIntrospector())
                )
            );
        return http.build();
    }
}
----

Kotlin::
+
[source,kotlin,role="secondary"]
----
@Bean
fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
    return http {
        authorizeExchange {
            authorize(anyExchange, authenticated)
        }
        oauth2ResourceServer {
            opaqueToken {
                introspector = myCustomIntrospector()
            }
        }
    }
}
----
======

This is handy when deeper configuration, such as <<webflux-oauth2resourceserver-opaque-authorization-extraction,authority mapping>> or <<webflux-oauth2resourceserver-opaque-jwt-introspector,JWT revocation>>, is necessary.

[[webflux-oauth2resourceserver-opaque-introspector-bean]]
=== Exposing a `ReactiveOpaqueTokenIntrospector` `@Bean`

Or, exposing a `ReactiveOpaqueTokenIntrospector` `@Bean` has the same effect as `introspector()`:

[tabs]
======
Java::
+
[source,java,role="primary"]
----
@Bean
public ReactiveOpaqueTokenIntrospector introspector() {
    return SpringReactiveOpaqueTokenIntrospector.withIntrospectionUri(introspectionUri)
        .clientId(clientId).clientSecret(clientSecret).build()
}
----

Kotlin::
+
[source,kotlin,role="secondary"]
----
@Bean
fun introspector(): ReactiveOpaqueTokenIntrospector {
    return SpringReactiveOpaqueTokenIntrospector.withIntrospectionUri(introspectionUri)
        .clientId(clientId).clientSecret(clientSecret).build()
}
----
======

[[webflux-oauth2resourceserver-opaque-authorization]]
== Configuring Authorization

An OAuth 2.0 Introspection endpoint typically returns a `scope` attribute, indicating the scopes (or authorities) it has been granted -- for example:

[source,json]
----
{ ..., "scope" : "messages contacts"}
----

When this is the case, Resource Server tries to coerce these scopes into a list of granted authorities, prefixing each scope with a string: `SCOPE_`.

This means that, to protect an endpoint or method with a scope derived from an Opaque Token, the corresponding expressions should include this prefix:

[tabs]
======
Java::
+
[source,java,role="primary"]
----
import static org.springframework.security.oauth2.core.authorization.OAuth2ReactiveAuthorizationManagers.hasScope;

@Configuration
@EnableWebFluxSecurity
public class MappedAuthorities {
    @Bean
    SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http
            .authorizeExchange((authorize) -> authorize
                .pathMatchers("/contacts/**").access(hasScope("contacts"))
                .pathMatchers("/messages/**").access(hasScope("messages"))
                .anyExchange().authenticated()
            )
            .oauth2ResourceServer(ServerHttpSecurity.OAuth2ResourceServerSpec::opaqueToken);
        return http.build();
    }
}
----

Kotlin::
+
[source,kotlin,role="secondary"]
----
import org.springframework.security.oauth2.core.authorization.OAuth2ReactiveAuthorizationManagers.hasScope

@Bean
fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
    return http {
        authorizeExchange {
            authorize("/contacts/**", hasScope("contacts"))
            authorize("/messages/**", hasScope("messages"))
            authorize(anyExchange, authenticated)
        }
        oauth2ResourceServer {
            opaqueToken { }
        }
    }
}
----
======

You can do something similar with method security:

[tabs]
======
Java::
+
[source,java,role="primary"]
----
@PreAuthorize("hasAuthority('SCOPE_messages')")
public Flux<Message> getMessages(...) {}
----

Kotlin::
+
[source,kotlin,role="secondary"]
----
@PreAuthorize("hasAuthority('SCOPE_messages')")
fun getMessages(): Flux<Message> { }
----
======

[[webflux-oauth2resourceserver-opaque-authorization-extraction]]
=== Extracting Authorities Manually

By default, Opaque Token support extracts the scope claim from an introspection response and parses it into individual `GrantedAuthority` instances.

Consider the following example:

[source,json]
----
{
    "active" : true,
    "scope" : "message:read message:write"
}
----

If the introspection response were as the preceding example shows, Resource Server would generate an `Authentication` with two authorities, one for `message:read` and the other for `message:write`.

You can customize behavior by using a custom `ReactiveOpaqueTokenIntrospector` that looks at the attribute set and converts in its own way:

[tabs]
======
Java::
+
[source,java,role="primary"]
----
public class CustomAuthoritiesOpaqueTokenIntrospector implements ReactiveOpaqueTokenIntrospector {
    private ReactiveOpaqueTokenIntrospector delegate = SpringReactiveOpaqueTokenIntrospector
            .withIntrospectionUri("https://idp.example.org/introspect")
            .clientId("client").clientSecret("secret").build();

    public Mono<OAuth2AuthenticatedPrincipal> introspect(String token) {
        return this.delegate.introspect(token)
                .map((principal) -> principal DefaultOAuth2AuthenticatedPrincipal(
                        principal.getName(), principal.getAttributes(), extractAuthorities(principal)));
    }

    private Collection<GrantedAuthority> extractAuthorities(OAuth2AuthenticatedPrincipal principal) {
        List<String> scopes = principal.getAttribute(OAuth2IntrospectionClaimNames.SCOPE);
        return scopes.stream()
                .map(SimpleGrantedAuthority::new)
                .collect(Collectors.toList());
    }
}
----

Kotlin::
+
[source,kotlin,role="secondary"]
----
class CustomAuthoritiesOpaqueTokenIntrospector : ReactiveOpaqueTokenIntrospector {
    private val delegate: ReactiveOpaqueTokenIntrospector = SpringReactiveOpaqueTokenIntrospector
            .withIntrospectionUri("https://idp.example.org/introspect")
            .clientId("client").clientSecret("secret").build()
    override fun introspect(token: String): Mono<OAuth2AuthenticatedPrincipal> {
        return delegate.introspect(token)
                .map { principal: OAuth2AuthenticatedPrincipal ->
                    DefaultOAuth2AuthenticatedPrincipal(
                            principal.name, principal.attributes, extractAuthorities(principal))
                }
    }

    private fun extractAuthorities(principal: OAuth2AuthenticatedPrincipal): Collection<GrantedAuthority> {
        val scopes = principal.getAttribute<List<String>>(OAuth2IntrospectionClaimNames.SCOPE)
        return scopes
                .map { SimpleGrantedAuthority(it) }
    }
}
----
======

Thereafter, you can configure this custom introspector by exposing it as a `@Bean`:

[tabs]
======
Java::
+
[source,java,role="primary"]
----
@Bean
public ReactiveOpaqueTokenIntrospector introspector() {
    return new CustomAuthoritiesOpaqueTokenIntrospector();
}
----

Kotlin::
+
[source,kotlin,role="secondary"]
----
@Bean
fun introspector(): ReactiveOpaqueTokenIntrospector {
    return CustomAuthoritiesOpaqueTokenIntrospector()
}
----
======

[[webflux-oauth2resourceserver-opaque-jwt-introspector]]
== Using Introspection with JWTs

A common question is whether or not introspection is compatible with JWTs.
Spring Security's Opaque Token support has been designed to not care about the format of the token. It gladly passes any token to the provided introspection endpoint.

So, suppose you need to check with the authorization server on each request, in case the JWT has been revoked.

Even though you are using the JWT format for the token, your validation method is introspection, meaning you would want to do:

[source,yaml]
----
spring:
  security:
    oauth2:
      resourceserver:
        opaquetoken:
          introspection-uri: https://idp.example.org/introspection
          client-id: client
          client-secret: secret
----

In this case, the resulting `Authentication` would be `BearerTokenAuthentication`.
Any attributes in the corresponding `OAuth2AuthenticatedPrincipal` would be whatever was returned by the introspection endpoint.

However, suppose that, for whatever reason, the introspection endpoint returns only whether or not the token is active.
Now what?

In this case, you can create a custom `ReactiveOpaqueTokenIntrospector` that still hits the endpoint but then updates the returned principal to have the JWTs claims as the attributes:

[tabs]
======
Java::
+
[source,java,role="primary"]
----
public class JwtOpaqueTokenIntrospector implements ReactiveOpaqueTokenIntrospector {
	private ReactiveOpaqueTokenIntrospector delegate = SpringReactiveOpaqueTokenIntrospector
            .withIntrospectionUri("https://idp.example.org/introspect")
            .clientId("client").clientSecret("secret").build();
	private ReactiveJwtDecoder jwtDecoder = new NimbusReactiveJwtDecoder(new ParseOnlyJWTProcessor());

	public Mono<OAuth2AuthenticatedPrincipal> introspect(String token) {
		return this.delegate.introspect(token)
				.flatMap((principal) -> principal.jwtDecoder.decode(token))
				.map((jwt) -> jwt DefaultOAuth2AuthenticatedPrincipal(jwt.getClaims(), NO_AUTHORITIES));
	}

	private static class ParseOnlyJWTProcessor implements Converter<JWT, Mono<JWTClaimsSet>> {
		public Mono<JWTClaimsSet> convert(JWT jwt) {
			try {
				return Mono.just(jwt.getJWTClaimsSet());
			} catch (Exception ex) {
				return Mono.error(ex);
			}
		}
	}
}
----

Kotlin::
+
[source,kotlin,role="secondary"]
----
class JwtOpaqueTokenIntrospector : ReactiveOpaqueTokenIntrospector {
    private val delegate: ReactiveOpaqueTokenIntrospector = SpringReactiveOpaqueTokenIntrospector
            .withIntrospectionUri("https://idp.example.org/introspect")
            .clientId("client").clientSecret("secret").build()
    private val jwtDecoder: ReactiveJwtDecoder = NimbusReactiveJwtDecoder(ParseOnlyJWTProcessor())
    override fun introspect(token: String): Mono<OAuth2AuthenticatedPrincipal> {
        return delegate.introspect(token)
                .flatMap { jwtDecoder.decode(token) }
                .map { jwt: Jwt -> DefaultOAuth2AuthenticatedPrincipal(jwt.claims, NO_AUTHORITIES) }
    }

    private class ParseOnlyJWTProcessor : Converter<JWT, Mono<JWTClaimsSet>> {
        override fun convert(jwt: JWT): Mono<JWTClaimsSet> {
            return try {
                Mono.just(jwt.jwtClaimsSet)
            } catch (e: Exception) {
                Mono.error(e)
            }
        }
    }
}
----
======

Thereafter, you can configure this custom introspector by exposing it as a `@Bean`:

[tabs]
======
Java::
+
[source,java,role="primary"]
----
@Bean
public ReactiveOpaqueTokenIntrospector introspector() {
    return new JwtOpaqueTokenIntropsector();
}
----

Kotlin::
+
[source,kotlin,role="secondary"]
----
@Bean
fun introspector(): ReactiveOpaqueTokenIntrospector {
    return JwtOpaqueTokenIntrospector()
}
----
======

[[webflux-oauth2resourceserver-opaque-userinfo]]
== Calling a `/userinfo` Endpoint

Generally speaking, a Resource Server does not care about the underlying user but, instead, cares about the authorities that have been granted.

That said, at times it can be valuable to tie the authorization statement back to a user.

If an application also uses `spring-security-oauth2-client`, having set up the appropriate `ClientRegistrationRepository`,  you can do so with a custom `OpaqueTokenIntrospector`.
The implementation in the next listing does three things:

* Delegates to the introspection endpoint, to affirm the token's validity.
* Looks up the appropriate client registration associated with the `/userinfo` endpoint.
* Invokes and returns the response from the `/userinfo` endpoint.

[tabs]
======
Java::
+
[source,java,role="primary"]
----
public class UserInfoOpaqueTokenIntrospector implements ReactiveOpaqueTokenIntrospector {
	private final ReactiveOpaqueTokenIntrospector delegate = SpringReactiveOpaqueTokenIntrospector
            .withIntrospectionUri("https://idp.example.org/introspect")
            .clientId("client").clientSecret("secret").build();
	private final ReactiveOAuth2UserService<OAuth2UserRequest, OAuth2User> oauth2UserService =
			new DefaultReactiveOAuth2UserService();

	private final ReactiveClientRegistrationRepository repository;

	// ... constructor

	@Override
	public Mono<OAuth2AuthenticatedPrincipal> introspect(String token) {
		return Mono.zip(this.delegate.introspect(token), this.repository.findByRegistrationId("registration-id"))
				.map(t -> {
					OAuth2AuthenticatedPrincipal authorized = t.getT1();
					ClientRegistration clientRegistration = t.getT2();
					Instant issuedAt = authorized.getAttribute(ISSUED_AT);
					Instant expiresAt = authorized.getAttribute(OAuth2IntrospectionClaimNames.EXPIRES_AT);
					OAuth2AccessToken accessToken = new OAuth2AccessToken(BEARER, token, issuedAt, expiresAt);
					return new OAuth2UserRequest(clientRegistration, accessToken);
				})
				.flatMap(this.oauth2UserService::loadUser);
	}
}
----

Kotlin::
+
[source,kotlin,role="secondary"]
----
class UserInfoOpaqueTokenIntrospector : ReactiveOpaqueTokenIntrospector {
    private val delegate: ReactiveOpaqueTokenIntrospector = SpringReactiveOpaqueTokenIntrospector
            .withIntrospectionUri("https://idp.example.org/introspect")
            .clientId("client").clientSecret("secret").build()
    private val oauth2UserService: ReactiveOAuth2UserService<OAuth2UserRequest, OAuth2User> = DefaultReactiveOAuth2UserService()
    private val repository: ReactiveClientRegistrationRepository? = null

    // ... constructor
    override fun introspect(token: String?): Mono<OAuth2AuthenticatedPrincipal> {
        return Mono.zip<OAuth2AuthenticatedPrincipal, ClientRegistration>(delegate.introspect(token), repository!!.findByRegistrationId("registration-id"))
                .map<OAuth2UserRequest> { t: Tuple2<OAuth2AuthenticatedPrincipal, ClientRegistration> ->
                    val authorized = t.t1
                    val clientRegistration = t.t2
                    val issuedAt: Instant? = authorized.getAttribute(ISSUED_AT)
                    val expiresAt: Instant? = authorized.getAttribute(OAuth2IntrospectionClaimNames.EXPIRES_AT)
                    val accessToken = OAuth2AccessToken(BEARER, token, issuedAt, expiresAt)
                    OAuth2UserRequest(clientRegistration, accessToken)
                }
                .flatMap { userRequest: OAuth2UserRequest -> oauth2UserService.loadUser(userRequest) }
    }
}
----
======

If you aren't using `spring-security-oauth2-client`, it's still quite simple.
You will simply need to invoke the `/userinfo` with your own instance of `WebClient`:

[tabs]
======
Java::
+
[source,java,role="primary"]
----
public class UserInfoOpaqueTokenIntrospector implements ReactiveOpaqueTokenIntrospector {
    private final ReactiveOpaqueTokenIntrospector delegate = SpringReactiveOpaqueTokenIntrospector
            .withIntrospectionUri("https://idp.example.org/introspect")
            .clientId("client").clientSecret("secret").build();
    private final WebClient rest = WebClient.create();

    @Override
    public Mono<OAuth2AuthenticatedPrincipal> introspect(String token) {
        return this.delegate.introspect(token)
		        .map(this::makeUserInfoRequest);
    }
}
----

Kotlin::
+
[source,kotlin,role="secondary"]
----
class UserInfoOpaqueTokenIntrospector : ReactiveOpaqueTokenIntrospector {
    private val delegate: ReactiveOpaqueTokenIntrospector = SpringReactiveOpaqueTokenIntrospector
            .withIntrospectionUri("https://idp.example.org/introspect")
            .clientId("client").clientSecret("secret").build()
    private val rest: WebClient = WebClient.create()

    override fun introspect(token: String): Mono<OAuth2AuthenticatedPrincipal> {
        return delegate.introspect(token)
                .map(this::makeUserInfoRequest)
    }
}
----
======

Either way, having created your `ReactiveOpaqueTokenIntrospector`, you should publish it as a `@Bean` to override the defaults:

[tabs]
======
Java::
+
[source,java,role="primary"]
----
@Bean
ReactiveOpaqueTokenIntrospector introspector() {
    return new UserInfoOpaqueTokenIntrospector();
}
----

Kotlin::
+
[source,kotlin,role="secondary"]
----
@Bean
fun introspector(): ReactiveOpaqueTokenIntrospector {
    return UserInfoOpaqueTokenIntrospector()
}
----
======