= OAuth 2.0 Resource Server Bearer Tokens
[[webflux-oauth2resourceserver-bearertoken-resolver]]
== Bearer Token Resolution
By default, Resource Server looks for a bearer token in the `Authorization` header.
However, you can customize where the token is read from.
For example, you may have a need to read the bearer token from a custom header.
To do so, you can wire an instance of `ServerBearerTokenAuthenticationConverter` into the DSL:

.Custom Bearer Token Header
[tabs]
======
Java::
+
[source,java,role="primary"]
----
ServerBearerTokenAuthenticationConverter converter = new ServerBearerTokenAuthenticationConverter();
converter.setBearerTokenHeaderName(HttpHeaders.PROXY_AUTHORIZATION);
http
    .oauth2ResourceServer(oauth2 -> oauth2
        .bearerTokenConverter(converter)
    );
----

Kotlin::
+
[source,kotlin,role="secondary"]
----
val converter = ServerBearerTokenAuthenticationConverter()
converter.setBearerTokenHeaderName(HttpHeaders.PROXY_AUTHORIZATION)
return http {
    oauth2ResourceServer {
        bearerTokenConverter = converter
    }
}
----
======

== Bearer Token Propagation
Now that you have a bearer token, you can pass that to downstream services.
This is possible with javadoc:org.springframework.security.oauth2.server.resource.web.reactive.function.client.ServerBearerExchangeFilterFunction[]:

[tabs]
======
Java::
+
[source,java,role="primary"]
----
@Bean
public WebClient rest() {
    return WebClient.builder()
        .filter(new ServerBearerExchangeFilterFunction())
        .build();
}
----

Kotlin::
+
[source,kotlin,role="secondary"]
----
@Bean
fun rest(): WebClient {
    return WebClient.builder()
        .filter(ServerBearerExchangeFilterFunction())
        .build()
}
----
======

When the `WebClient` shown in the preceding example performs requests, Spring Security looks up the current `Authentication` and extracts any javadoc:org.springframework.security.oauth2.core.AbstractOAuth2Token[] credential.
Then, it propagates that token in the `Authorization` header -- for example:

[tabs]
======
Java::
+
[source,java,role="primary"]
----
this.rest.get()
    .uri("https://other-service.example.com/endpoint")
    .retrieve()
    .bodyToMono(String.class)
----

Kotlin::
+
[source,kotlin,role="secondary"]
----
this.rest.get()
    .uri("https://other-service.example.com/endpoint")
    .retrieve()
    .bodyToMono<String>()
----
======

The preceding example invokes `https://other-service.example.com/endpoint`, adding the bearer token `Authorization` header for you.

In places where you need to override this behavior, you can supply the header yourself:

[tabs]
======
Java::
+
[source,java,role="primary"]
----
this.rest.get()
    .uri("https://other-service.example.com/endpoint")
    .headers(headers -> headers.setBearerAuth(overridingToken))
    .retrieve()
    .bodyToMono(String.class)
----

Kotlin::
+
[source,kotlin,role="secondary"]
----
rest.get()
    .uri("https://other-service.example.com/endpoint")
    .headers { it.setBearerAuth(overridingToken) }
    .retrieve()
    .bodyToMono<String>()
----
======

In this case, the filter falls back and forwards the request onto the rest of the web filter chain.
[NOTE]
====
Unlike the https://docs.spring.io/spring-security/site/docs/current-SNAPSHOT/api/org/springframework/security/oauth2/client/web/reactive/function/client/ServerOAuth2AuthorizedClientExchangeFilterFunction.html[OAuth 2.0 Client filter function], this filter function makes no attempt to renew the token, should it be expired.
====
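Because the filter function does not renew an expired token, an already-expired credential is forwarded to the downstream service unchanged and rejected there. The `ExpiredBearerTokenGuard` below is an added example, not Spring Security's own code: a hypothetical `ExchangeFilterFunction` registered ahead of `ServerBearerExchangeFilterFunction` that fails the call locally when the resolved `AbstractOAuth2Token` has passed its `expiresAt`, and otherwise leaves propagation untouched.

```java
import java.time.Instant;

import org.springframework.security.core.context.ReactiveSecurityContextHolder;
import org.springframework.security.oauth2.core.AbstractOAuth2Token;
import org.springframework.security.oauth2.server.resource.web.reactive.function.client.ServerBearerExchangeFilterFunction;
import org.springframework.web.reactive.function.client.ClientRequest;
import org.springframework.web.reactive.function.client.ClientResponse;
import org.springframework.web.reactive.function.client.ExchangeFilterFunction;
import org.springframework.web.reactive.function.client.ExchangeFunction;
import org.springframework.web.reactive.function.client.WebClient;
import reactor.core.publisher.Mono;

// Hypothetical guard (added example): rejects an already-expired bearer token before
// ServerBearerExchangeFilterFunction would copy it into the outgoing Authorization header.
public class ExpiredBearerTokenGuard implements ExchangeFilterFunction {

    @Override
    public Mono<ClientResponse> filter(ClientRequest request, ExchangeFunction next) {
        return ReactiveSecurityContextHolder.getContext()
            .flatMap(ctx -> Mono.justOrEmpty(ctx.getAuthentication()))
            .flatMap(auth -> Mono.justOrEmpty(auth.getCredentials()))
            .filter(AbstractOAuth2Token.class::isInstance)
            .cast(AbstractOAuth2Token.class)
            .flatMap(token -> isExpired(token, Instant.now())
                // Fail fast here instead of sending a token the downstream service will reject
                ? Mono.<ClientResponse>error(new IllegalStateException(
                    "bearer token expired at " + token.getExpiresAt()))
                : next.exchange(request))
            // No security context or no OAuth2 credential: continue down the filter chain as usual
            .switchIfEmpty(Mono.defer(() -> next.exchange(request)));
    }

    // A token without an expiry claim is passed through; only a known, elapsed expiry is rejected
    static boolean isExpired(AbstractOAuth2Token token, Instant now) {
        Instant expiresAt = token.getExpiresAt();
        return expiresAt != null && !now.isBefore(expiresAt);
    }

    // Wiring: the guard is added first, so it runs before the propagating filter
    public static WebClient guardedRest() {
        return WebClient.builder()
            .filter(new ExpiredBearerTokenGuard())
            .filter(new ServerBearerExchangeFilterFunction())
            .build();
    }
}
```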