spring-security/docs/modules/ROOT/pages/servlet/oauth2/client/index.adoc

[[oauth2-client]]
= OAuth 2.0 Client
:page-section-summary-toc: 1

The OAuth 2.0 Client features provide support for the Client role as defined in the https://tools.ietf.org/html/rfc6749#section-1.1[OAuth 2.0 Authorization Framework].

At a high-level, the core features available are:

.Authorization Grant support
* xref:servlet/oauth2/client/authorization-grants.adoc#oauth2-client-authorization-code[Authorization Code]
* xref:servlet/oauth2/client/authorization-grants.adoc#oauth2-client-refresh-token[Refresh Token]
* xref:servlet/oauth2/client/authorization-grants.adoc#oauth2-client-client-credentials[Client Credentials]
* xref:servlet/oauth2/client/authorization-grants.adoc#oauth2-client-password[Resource Owner Password Credentials]
* xref:servlet/oauth2/client/authorization-grants.adoc#oauth2-client-jwt-bearer[JWT Bearer]
* xref:servlet/oauth2/client/authorization-grants.adoc#oauth2-client-token-exchange[Token Exchange]

.Client Authentication support
* xref:servlet/oauth2/client/client-authentication.adoc#oauth2-client-authentication-jwt-bearer[JWT Bearer]

.HTTP Client support (for requesting protected resources)
* xref:servlet/oauth2/client/authorized-clients.adoc#oauth2-client-rest-client[`RestClient` integration]
* xref:servlet/oauth2/client/authorized-clients.adoc#oauth2-client-web-client[`WebClient` integration for Servlet Environments]

The `HttpSecurity.oauth2Client()` DSL provides a number of configuration options for customizing the core components used by OAuth 2.0 Client.
In addition, `HttpSecurity.oauth2Client().authorizationCodeGrant()` enables the customization of the Authorization Code grant.

The following code shows the complete configuration options provided by the `HttpSecurity.oauth2Client()` DSL:

.OAuth2 Client Configuration Options
[tabs]
======
Java::
+
[source,java,role="primary"]
----
@Configuration
@EnableWebSecurity
public class OAuth2ClientSecurityConfig {

	@Bean
	public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
		http
			.oauth2Client(oauth2 -> oauth2
				.clientRegistrationRepository(this.clientRegistrationRepository())
				.authorizedClientRepository(this.authorizedClientRepository())
				.authorizedClientService(this.authorizedClientService())
				.authorizationCodeGrant(codeGrant -> codeGrant
					.authorizationRequestRepository(this.authorizationRequestRepository())
					.authorizationRequestResolver(this.authorizationRequestResolver())
					.accessTokenResponseClient(this.accessTokenResponseClient())
				)
			);
		return http.build();
	}
}
----

Kotlin::
+
[source,kotlin,role="secondary"]
----
@Configuration
@EnableWebSecurity
class OAuth2ClientSecurityConfig {

    @Bean
    open fun filterChain(http: HttpSecurity): SecurityFilterChain {
        http {
            oauth2Client {
                clientRegistrationRepository = clientRegistrationRepository()
                authorizedClientRepository = authorizedClientRepository()
                authorizedClientService = authorizedClientService()
                authorizationCodeGrant {
                    authorizationRequestRepository = authorizationRequestRepository()
                    authorizationRequestResolver = authorizationRequestResolver()
                    accessTokenResponseClient = accessTokenResponseClient()
                }
            }
        }
        return http.build()
    }
}
----
======

In addition to the `HttpSecurity.oauth2Client()` DSL, XML configuration is also supported.

The following code shows the complete configuration options available in the xref:servlet/appendix/namespace/http.adoc#nsa-oauth2-client[ security namespace]:

.OAuth2 Client XML Configuration Options
[source,xml]
----
<http>
	<oauth2-client client-registration-repository-ref="clientRegistrationRepository"
				   authorized-client-repository-ref="authorizedClientRepository"
				   authorized-client-service-ref="authorizedClientService">
		<authorization-code-grant
				authorization-request-repository-ref="authorizationRequestRepository"
				authorization-request-resolver-ref="authorizationRequestResolver"
				access-token-response-client-ref="accessTokenResponseClient"/>
	</oauth2-client>
</http>
----

The `OAuth2AuthorizedClientManager` is responsible for managing the authorization (or re-authorization) of an OAuth 2.0 Client, in collaboration with one or more `OAuth2AuthorizedClientProvider`(s).

The following code shows an example of how to register an `OAuth2AuthorizedClientManager` `@Bean` and associate it with an `OAuth2AuthorizedClientProvider` composite that provides support for the `authorization_code`, `refresh_token`, `client_credentials`, and `password` authorization grant types:

[tabs]
======
Java::
+
[source,java,role="primary"]
----
@Bean
public OAuth2AuthorizedClientManager authorizedClientManager(
		ClientRegistrationRepository clientRegistrationRepository,
		OAuth2AuthorizedClientRepository authorizedClientRepository) {

	OAuth2AuthorizedClientProvider authorizedClientProvider =
			OAuth2AuthorizedClientProviderBuilder.builder()
					.authorizationCode()
					.refreshToken()
					.clientCredentials()
					.password()
					.build();

	DefaultOAuth2AuthorizedClientManager authorizedClientManager =
			new DefaultOAuth2AuthorizedClientManager(
					clientRegistrationRepository, authorizedClientRepository);
	authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);

	return authorizedClientManager;
}
----

Kotlin::
+
[source,kotlin,role="secondary"]
----
@Bean
fun authorizedClientManager(
        clientRegistrationRepository: ClientRegistrationRepository,
        authorizedClientRepository: OAuth2AuthorizedClientRepository): OAuth2AuthorizedClientManager {
    val authorizedClientProvider: OAuth2AuthorizedClientProvider = OAuth2AuthorizedClientProviderBuilder.builder()
            .authorizationCode()
            .refreshToken()
            .clientCredentials()
            .password()
            .build()
    val authorizedClientManager = DefaultOAuth2AuthorizedClientManager(
            clientRegistrationRepository, authorizedClientRepository)
    authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
    return authorizedClientManager
}
----
======
Document RestClient-based implementations Closes gh-15938 2024-10-17 10:50:59 -05:00			`[[oauth2-client]]`
Remove obsolete typo in OAuth 2.0 Client page 2024-12-29 18:24:01 +07:00			`= OAuth 2.0 Client`
Separate OAuth 2.0 Client Servlet Docs Issue gh-10367 2021-11-04 11:31:27 -06:00			`:page-section-summary-toc: 1`

			`The OAuth 2.0 Client features provide support for the Client role as defined in the https://tools.ietf.org/html/rfc6749#section-1.1[OAuth 2.0 Authorization Framework].`

			`At a high-level, the core features available are:`

			`.Authorization Grant support`
Document RestClient-based implementations Closes gh-15938 2024-10-17 10:50:59 -05:00			`* xref:servlet/oauth2/client/authorization-grants.adoc#oauth2-client-authorization-code[Authorization Code]`
			`* xref:servlet/oauth2/client/authorization-grants.adoc#oauth2-client-refresh-token[Refresh Token]`
			`* xref:servlet/oauth2/client/authorization-grants.adoc#oauth2-client-client-credentials[Client Credentials]`
			`* xref:servlet/oauth2/client/authorization-grants.adoc#oauth2-client-password[Resource Owner Password Credentials]`
			`* xref:servlet/oauth2/client/authorization-grants.adoc#oauth2-client-jwt-bearer[JWT Bearer]`
			`* xref:servlet/oauth2/client/authorization-grants.adoc#oauth2-client-token-exchange[Token Exchange]`
Separate OAuth 2.0 Client Servlet Docs Issue gh-10367 2021-11-04 11:31:27 -06:00
			`.Client Authentication support`
Polish OAuth2 docs 2024-10-28 12:28:24 -05:00			`* xref:servlet/oauth2/client/client-authentication.adoc#oauth2-client-authentication-jwt-bearer[JWT Bearer]`
Separate OAuth 2.0 Client Servlet Docs Issue gh-10367 2021-11-04 11:31:27 -06:00
Document RestClient-based implementations Closes gh-15938 2024-10-17 10:50:59 -05:00			`.HTTP Client support (for requesting protected resources)`
			* xref:servlet/oauth2/client/authorized-clients.adoc#oauth2-client-rest-client[`RestClient` integration]
			* xref:servlet/oauth2/client/authorized-clients.adoc#oauth2-client-web-client[`WebClient` integration for Servlet Environments]
Separate OAuth 2.0 Client Servlet Docs Issue gh-10367 2021-11-04 11:31:27 -06:00
			The `HttpSecurity.oauth2Client()` DSL provides a number of configuration options for customizing the core components used by OAuth 2.0 Client.
			In addition, `HttpSecurity.oauth2Client().authorizationCodeGrant()` enables the customization of the Authorization Code grant.

			The following code shows the complete configuration options provided by the `HttpSecurity.oauth2Client()` DSL:

			`.OAuth2 Client Configuration Options`
Convert to Asciidoctor Tabs Closes gh-13403 2023-06-18 21:30:41 -05:00			`[tabs]`
			`======`
			`Java::`
			`+`
Separate OAuth 2.0 Client Servlet Docs Issue gh-10367 2021-11-04 11:31:27 -06:00			`[source,java,role="primary"]`
			`----`
Remove Configuration meta-annotation from Enable* annotations Before, Spring Security's @Enable* annotations were meta-annotated with @Configuration. While convenient, this is not consistent with the rest of the Spring projects and most notably Spring Framework's @Enable annotations. Additionally, the introduction of support for @Configuration(proxyBeanMethods=false) in Spring Framework provides a compelling reason to remove @Configuration meta-annotation from Spring Security's @Enable annotations and allow users to opt into their preferred configuration mode. Closes gh-6613 Signed-off-by: Joshua Sattler <joshua.sattler@mailbox.org> 2022-07-30 03:47:02 +02:00			`@Configuration`
Separate OAuth 2.0 Client Servlet Docs Issue gh-10367 2021-11-04 11:31:27 -06:00			`@EnableWebSecurity`
Replace WebSecurityConfigurerAdapter with SecurityFilterChain in docs Closes gh-10003 2022-02-08 16:12:10 +01:00			`public class OAuth2ClientSecurityConfig {`
Separate OAuth 2.0 Client Servlet Docs Issue gh-10367 2021-11-04 11:31:27 -06:00
Replace WebSecurityConfigurerAdapter with SecurityFilterChain in docs Closes gh-10003 2022-02-08 16:12:10 +01:00			`@Bean`
			`public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {`
Separate OAuth 2.0 Client Servlet Docs Issue gh-10367 2021-11-04 11:31:27 -06:00			`http`
			`.oauth2Client(oauth2 -> oauth2`
			`.clientRegistrationRepository(this.clientRegistrationRepository())`
			`.authorizedClientRepository(this.authorizedClientRepository())`
			`.authorizedClientService(this.authorizedClientService())`
			`.authorizationCodeGrant(codeGrant -> codeGrant`
			`.authorizationRequestRepository(this.authorizationRequestRepository())`
			`.authorizationRequestResolver(this.authorizationRequestResolver())`
			`.accessTokenResponseClient(this.accessTokenResponseClient())`
			`)`
			`);`
Replace WebSecurityConfigurerAdapter with SecurityFilterChain in docs Closes gh-10003 2022-02-08 16:12:10 +01:00			`return http.build();`
Separate OAuth 2.0 Client Servlet Docs Issue gh-10367 2021-11-04 11:31:27 -06:00			`}`
			`}`
			`----`

Convert to Asciidoctor Tabs Closes gh-13403 2023-06-18 21:30:41 -05:00			`Kotlin::`
			`+`
Separate OAuth 2.0 Client Servlet Docs Issue gh-10367 2021-11-04 11:31:27 -06:00			`[source,kotlin,role="secondary"]`
			`----`
Remove Configuration meta-annotation from Enable* annotations Before, Spring Security's @Enable* annotations were meta-annotated with @Configuration. While convenient, this is not consistent with the rest of the Spring projects and most notably Spring Framework's @Enable annotations. Additionally, the introduction of support for @Configuration(proxyBeanMethods=false) in Spring Framework provides a compelling reason to remove @Configuration meta-annotation from Spring Security's @Enable annotations and allow users to opt into their preferred configuration mode. Closes gh-6613 Signed-off-by: Joshua Sattler <joshua.sattler@mailbox.org> 2022-07-30 03:47:02 +02:00			`@Configuration`
Separate OAuth 2.0 Client Servlet Docs Issue gh-10367 2021-11-04 11:31:27 -06:00			`@EnableWebSecurity`
Replace WebSecurityConfigurerAdapter with SecurityFilterChain in docs Closes gh-10003 2022-02-08 16:12:10 +01:00			`class OAuth2ClientSecurityConfig {`
Separate OAuth 2.0 Client Servlet Docs Issue gh-10367 2021-11-04 11:31:27 -06:00
Replace WebSecurityConfigurerAdapter with SecurityFilterChain in docs Closes gh-10003 2022-02-08 16:12:10 +01:00			`@Bean`
			`open fun filterChain(http: HttpSecurity): SecurityFilterChain {`
Separate OAuth 2.0 Client Servlet Docs Issue gh-10367 2021-11-04 11:31:27 -06:00			`http {`
			`oauth2Client {`
			`clientRegistrationRepository = clientRegistrationRepository()`
			`authorizedClientRepository = authorizedClientRepository()`
			`authorizedClientService = authorizedClientService()`
			`authorizationCodeGrant {`
			`authorizationRequestRepository = authorizationRequestRepository()`
			`authorizationRequestResolver = authorizationRequestResolver()`
			`accessTokenResponseClient = accessTokenResponseClient()`
			`}`
			`}`
			`}`
Replace WebSecurityConfigurerAdapter with SecurityFilterChain in docs Closes gh-10003 2022-02-08 16:12:10 +01:00			`return http.build()`
Separate OAuth 2.0 Client Servlet Docs Issue gh-10367 2021-11-04 11:31:27 -06:00			`}`
			`}`
			`----`
Convert to Asciidoctor Tabs Closes gh-13403 2023-06-18 21:30:41 -05:00			`======`
Separate OAuth 2.0 Client Servlet Docs Issue gh-10367 2021-11-04 11:31:27 -06:00
			In addition to the `HttpSecurity.oauth2Client()` DSL, XML configuration is also supported.

			`The following code shows the complete configuration options available in the xref:servlet/appendix/namespace/http.adoc#nsa-oauth2-client[ security namespace]:`

			`.OAuth2 Client XML Configuration Options`
			`[source,xml]`
			`----`
			`<http>`
			`<oauth2-client client-registration-repository-ref="clientRegistrationRepository"`
			`authorized-client-repository-ref="authorizedClientRepository"`
			`authorized-client-service-ref="authorizedClientService">`
			`<authorization-code-grant`
			`authorization-request-repository-ref="authorizationRequestRepository"`
			`authorization-request-resolver-ref="authorizationRequestResolver"`
			`access-token-response-client-ref="accessTokenResponseClient"/>`
			`</oauth2-client>`
			`</http>`
			`----`

			The `OAuth2AuthorizedClientManager` is responsible for managing the authorization (or re-authorization) of an OAuth 2.0 Client, in collaboration with one or more `OAuth2AuthorizedClientProvider`(s).

Merge Clean up Reference Documentation Closes gh-9668 2021-12-13 16:57:36 -06:00			The following code shows an example of how to register an `OAuth2AuthorizedClientManager` `@Bean` and associate it with an `OAuth2AuthorizedClientProvider` composite that provides support for the `authorization_code`, `refresh_token`, `client_credentials`, and `password` authorization grant types:
Separate OAuth 2.0 Client Servlet Docs Issue gh-10367 2021-11-04 11:31:27 -06:00
Convert to Asciidoctor Tabs Closes gh-13403 2023-06-18 21:30:41 -05:00			`[tabs]`
			`======`
			`Java::`
			`+`
Separate OAuth 2.0 Client Servlet Docs Issue gh-10367 2021-11-04 11:31:27 -06:00			`[source,java,role="primary"]`
			`----`
			`@Bean`
			`public OAuth2AuthorizedClientManager authorizedClientManager(`
			`ClientRegistrationRepository clientRegistrationRepository,`
			`OAuth2AuthorizedClientRepository authorizedClientRepository) {`

			`OAuth2AuthorizedClientProvider authorizedClientProvider =`
			`OAuth2AuthorizedClientProviderBuilder.builder()`
			`.authorizationCode()`
			`.refreshToken()`
			`.clientCredentials()`
			`.password()`
			`.build();`

			`DefaultOAuth2AuthorizedClientManager authorizedClientManager =`
			`new DefaultOAuth2AuthorizedClientManager(`
			`clientRegistrationRepository, authorizedClientRepository);`
			`authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);`

			`return authorizedClientManager;`
			`}`
			`----`

Convert to Asciidoctor Tabs Closes gh-13403 2023-06-18 21:30:41 -05:00			`Kotlin::`
			`+`
Separate OAuth 2.0 Client Servlet Docs Issue gh-10367 2021-11-04 11:31:27 -06:00			`[source,kotlin,role="secondary"]`
			`----`
			`@Bean`
			`fun authorizedClientManager(`
			`clientRegistrationRepository: ClientRegistrationRepository,`
			`authorizedClientRepository: OAuth2AuthorizedClientRepository): OAuth2AuthorizedClientManager {`
			`val authorizedClientProvider: OAuth2AuthorizedClientProvider = OAuth2AuthorizedClientProviderBuilder.builder()`
			`.authorizationCode()`
			`.refreshToken()`
			`.clientCredentials()`
			`.password()`
			`.build()`
			`val authorizedClientManager = DefaultOAuth2AuthorizedClientManager(`
			`clientRegistrationRepository, authorizedClientRepository)`
			`authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)`
			`return authorizedClientManager`
			`}`
			`----`
Convert to Asciidoctor Tabs Closes gh-13403 2023-06-18 21:30:41 -05:00			`======`