spring-security/docs/modules/ROOT/pages/reactive/oauth2/client/index.adoc

[[webflux-oauth2-client]]
= OAuth 2.0 Client
:page-section-summary-toc: 1

The OAuth 2.0 Client features provide support for the Client role as defined in the https://tools.ietf.org/html/rfc6749#section-1.1[OAuth 2.0 Authorization Framework].

At a high-level, the core features available are:

.Authorization Grant support
* https://tools.ietf.org/html/rfc6749#section-1.3.1[Authorization Code]
* https://tools.ietf.org/html/rfc6749#section-6[Refresh Token]
* https://tools.ietf.org/html/rfc6749#section-1.3.4[Client Credentials]
* https://tools.ietf.org/html/rfc6749#section-1.3.3[Resource Owner Password Credentials]
* https://datatracker.ietf.org/doc/html/rfc7523#section-2.1[JWT Bearer]

.Client Authentication support
* https://datatracker.ietf.org/doc/html/rfc7523#section-2.2[JWT Bearer]

.HTTP Client support
* <<oauth2Client-webclient-webflux, `WebClient` integration for Reactive Environments>> (for requesting protected resources)

The `ServerHttpSecurity.oauth2Client()` DSL provides a number of configuration options for customizing the core components used by OAuth 2.0 Client.

The following code shows the complete configuration options provided by the `ServerHttpSecurity.oauth2Client()` DSL:

.OAuth2 Client Configuration Options
====
.Java
[source,java,role="primary"]
----
@EnableWebFluxSecurity
public class OAuth2ClientSecurityConfig {

	@Bean
	public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
		http
			.oauth2Client(oauth2 -> oauth2
				.clientRegistrationRepository(this.clientRegistrationRepository())
				.authorizedClientRepository(this.authorizedClientRepository())
				.authorizationRequestRepository(this.authorizationRequestRepository())
				.authenticationConverter(this.authenticationConverter())
				.authenticationManager(this.authenticationManager())
			);

		return http.build();
	}
}
----

.Kotlin
[source,kotlin,role="secondary"]
----
@EnableWebFluxSecurity
class OAuth2ClientSecurityConfig {

    @Bean
    fun securityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
        http {
            oauth2Client {
                clientRegistrationRepository = clientRegistrationRepository()
                authorizedClientRepository = authorizedClientRepository()
                authorizationRequestRepository = authorizedRequestRepository()
                authenticationConverter = authenticationConverter()
                authenticationManager = authenticationManager()
            }
        }

        return http.build()
    }
}
----
====

The `ReactiveOAuth2AuthorizedClientManager` is responsible for managing the authorization (or re-authorization) of an OAuth 2.0 Client, in collaboration with one or more `ReactiveOAuth2AuthorizedClientProvider`(s).

The following code shows an example of how to register a `ReactiveOAuth2AuthorizedClientManager` `@Bean` and associate it with a `ReactiveOAuth2AuthorizedClientProvider` composite that provides support for the `authorization_code`, `refresh_token`, `client_credentials` and `password` authorization grant types:

====
.Java
[source,java,role="primary"]
----
@Bean
public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
		ReactiveClientRegistrationRepository clientRegistrationRepository,
		ServerOAuth2AuthorizedClientRepository authorizedClientRepository) {

	ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
			ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
					.authorizationCode()
					.refreshToken()
					.clientCredentials()
					.password()
					.build();

	DefaultReactiveOAuth2AuthorizedClientManager authorizedClientManager =
			new DefaultReactiveOAuth2AuthorizedClientManager(
					clientRegistrationRepository, authorizedClientRepository);
	authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);

	return authorizedClientManager;
}
----

.Kotlin
[source,kotlin,role="secondary"]
----
@Bean
fun authorizedClientManager(
        clientRegistrationRepository: ReactiveClientRegistrationRepository,
        authorizedClientRepository: ServerOAuth2AuthorizedClientRepository): ReactiveOAuth2AuthorizedClientManager {
    val authorizedClientProvider: ReactiveOAuth2AuthorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
            .authorizationCode()
            .refreshToken()
            .clientCredentials()
            .password()
            .build()
    val authorizedClientManager = DefaultReactiveOAuth2AuthorizedClientManager(
            clientRegistrationRepository, authorizedClientRepository)
    authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
    return authorizedClientManager
}
----
====
Separate OAuth 2.0 Client Reactive Docs Issue gh-10367 2021-11-04 12:45:39 -06:00			`[[webflux-oauth2-client]]`
			`= OAuth 2.0 Client`
			`:page-section-summary-toc: 1`

			`The OAuth 2.0 Client features provide support for the Client role as defined in the https://tools.ietf.org/html/rfc6749#section-1.1[OAuth 2.0 Authorization Framework].`

			`At a high-level, the core features available are:`

			`.Authorization Grant support`
			`* https://tools.ietf.org/html/rfc6749#section-1.3.1[Authorization Code]`
			`* https://tools.ietf.org/html/rfc6749#section-6[Refresh Token]`
			`* https://tools.ietf.org/html/rfc6749#section-1.3.4[Client Credentials]`
			`* https://tools.ietf.org/html/rfc6749#section-1.3.3[Resource Owner Password Credentials]`
			`* https://datatracker.ietf.org/doc/html/rfc7523#section-2.1[JWT Bearer]`

			`.Client Authentication support`
			`* https://datatracker.ietf.org/doc/html/rfc7523#section-2.2[JWT Bearer]`

			`.HTTP Client support`
			* <<oauth2Client-webclient-webflux, `WebClient` integration for Reactive Environments>> (for requesting protected resources)

			The `ServerHttpSecurity.oauth2Client()` DSL provides a number of configuration options for customizing the core components used by OAuth 2.0 Client.

			The following code shows the complete configuration options provided by the `ServerHttpSecurity.oauth2Client()` DSL:

			`.OAuth2 Client Configuration Options`
			`====`
			`.Java`
			`[source,java,role="primary"]`
			`----`
			`@EnableWebFluxSecurity`
			`public class OAuth2ClientSecurityConfig {`

			`@Bean`
			`public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {`
			`http`
			`.oauth2Client(oauth2 -> oauth2`
			`.clientRegistrationRepository(this.clientRegistrationRepository())`
			`.authorizedClientRepository(this.authorizedClientRepository())`
			`.authorizationRequestRepository(this.authorizationRequestRepository())`
			`.authenticationConverter(this.authenticationConverter())`
			`.authenticationManager(this.authenticationManager())`
			`);`

			`return http.build();`
			`}`
			`}`
			`----`

			`.Kotlin`
			`[source,kotlin,role="secondary"]`
			`----`
			`@EnableWebFluxSecurity`
			`class OAuth2ClientSecurityConfig {`

			`@Bean`
			`fun securityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {`
Merge Clean up Reference Documentation Closes gh-9668 2021-12-13 16:57:36 -06:00			`http {`
Separate OAuth 2.0 Client Reactive Docs Issue gh-10367 2021-11-04 12:45:39 -06:00			`oauth2Client {`
			`clientRegistrationRepository = clientRegistrationRepository()`
			`authorizedClientRepository = authorizedClientRepository()`
			`authorizationRequestRepository = authorizedRequestRepository()`
			`authenticationConverter = authenticationConverter()`
			`authenticationManager = authenticationManager()`
			`}`
			`}`
Merge Clean up Reference Documentation Closes gh-9668 2021-12-13 16:57:36 -06:00
			`return http.build()`
Separate OAuth 2.0 Client Reactive Docs Issue gh-10367 2021-11-04 12:45:39 -06:00			`}`
			`}`
			`----`
			`====`

			The `ReactiveOAuth2AuthorizedClientManager` is responsible for managing the authorization (or re-authorization) of an OAuth 2.0 Client, in collaboration with one or more `ReactiveOAuth2AuthorizedClientProvider`(s).

			The following code shows an example of how to register a `ReactiveOAuth2AuthorizedClientManager` `@Bean` and associate it with a `ReactiveOAuth2AuthorizedClientProvider` composite that provides support for the `authorization_code`, `refresh_token`, `client_credentials` and `password` authorization grant types:

			`====`
			`.Java`
			`[source,java,role="primary"]`
			`----`
			`@Bean`
			`public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(`
			`ReactiveClientRegistrationRepository clientRegistrationRepository,`
			`ServerOAuth2AuthorizedClientRepository authorizedClientRepository) {`

			`ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =`
			`ReactiveOAuth2AuthorizedClientProviderBuilder.builder()`
			`.authorizationCode()`
			`.refreshToken()`
			`.clientCredentials()`
			`.password()`
			`.build();`

			`DefaultReactiveOAuth2AuthorizedClientManager authorizedClientManager =`
			`new DefaultReactiveOAuth2AuthorizedClientManager(`
			`clientRegistrationRepository, authorizedClientRepository);`
			`authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);`

			`return authorizedClientManager;`
			`}`
			`----`

			`.Kotlin`
			`[source,kotlin,role="secondary"]`
			`----`
			`@Bean`
			`fun authorizedClientManager(`
			`clientRegistrationRepository: ReactiveClientRegistrationRepository,`
			`authorizedClientRepository: ServerOAuth2AuthorizedClientRepository): ReactiveOAuth2AuthorizedClientManager {`
			`val authorizedClientProvider: ReactiveOAuth2AuthorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()`
			`.authorizationCode()`
			`.refreshToken()`
			`.clientCredentials()`
			`.password()`
			`.build()`
			`val authorizedClientManager = DefaultReactiveOAuth2AuthorizedClientManager(`
			`clientRegistrationRepository, authorizedClientRepository)`
			`authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)`
			`return authorizedClientManager`
			`}`
			`----`
			`====`