parent
3db13de1e2
commit
50196537e1
|
@ -121,7 +121,11 @@
|
|||
*** xref:reactive/authorization/method.adoc[EnableReactiveMethodSecurity]
|
||||
** xref:reactive/oauth2/index.adoc[OAuth2]
|
||||
*** xref:reactive/oauth2/login.adoc[OAuth2 Log In]
|
||||
*** xref:reactive/oauth2/oauth2-client.adoc[OAuth2 Client]
|
||||
*** xref:reactive/oauth2/client/index.adoc[OAuth2 Client]
|
||||
**** xref:reactive/oauth2/client/core.adoc[Core Interfaces and Classes]
|
||||
**** xref:reactive/oauth2/client/authorization-grants.adoc[OAuth2 Authorization Grants]
|
||||
**** xref:reactive/oauth2/client/client-authentication.adoc[OAuth2 Client Authentication]
|
||||
**** xref:reactive/oauth2/client/authorized-clients.adoc[OAuth2 Authorized Clients]
|
||||
*** xref:reactive/oauth2/resource-server/index.adoc[OAuth2 Resource Server]
|
||||
**** xref:reactive/oauth2/resource-server/jwt.adoc[JWT]
|
||||
**** xref:reactive/oauth2/resource-server/opaque-token.adoc[Opaque Token]
|
||||
|
|
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,250 @@
|
|||
[[oauth2Client-additional-features]]
|
||||
= Authorized Clients
|
||||
|
||||
|
||||
[[oauth2Client-registered-authorized-client]]
|
||||
== Resolving an Authorized Client
|
||||
|
||||
The `@RegisteredOAuth2AuthorizedClient` annotation provides the capability of resolving a method parameter to an argument value of type `OAuth2AuthorizedClient`.
|
||||
This is a convenient alternative compared to accessing the `OAuth2AuthorizedClient` using the `ReactiveOAuth2AuthorizedClientManager` or `ReactiveOAuth2AuthorizedClientService`.
|
||||
|
||||
====
|
||||
.Java
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
@Controller
|
||||
public class OAuth2ClientController {
|
||||
|
||||
@GetMapping("/")
|
||||
public Mono<String> index(@RegisteredOAuth2AuthorizedClient("okta") OAuth2AuthorizedClient authorizedClient) {
|
||||
return Mono.just(authorizedClient.getAccessToken())
|
||||
...
|
||||
.thenReturn("index");
|
||||
}
|
||||
}
|
||||
----
|
||||
|
||||
.Kotlin
|
||||
[source,kotlin,role="secondary"]
|
||||
----
|
||||
@Controller
|
||||
class OAuth2ClientController {
|
||||
@GetMapping("/")
|
||||
fun index(@RegisteredOAuth2AuthorizedClient("okta") authorizedClient: OAuth2AuthorizedClient): Mono<String> {
|
||||
return Mono.just(authorizedClient.accessToken)
|
||||
...
|
||||
.thenReturn("index")
|
||||
}
|
||||
}
|
||||
----
|
||||
====
|
||||
|
||||
The `@RegisteredOAuth2AuthorizedClient` annotation is handled by `OAuth2AuthorizedClientArgumentResolver`, which directly uses a <<oauth2Client-authorized-manager-provider, ReactiveOAuth2AuthorizedClientManager>> and therefore inherits it's capabilities.
|
||||
|
||||
|
||||
[[oauth2Client-webclient-webflux]]
|
||||
== WebClient integration for Reactive Environments
|
||||
|
||||
The OAuth 2.0 Client support integrates with `WebClient` using an `ExchangeFilterFunction`.
|
||||
|
||||
The `ServerOAuth2AuthorizedClientExchangeFilterFunction` provides a simple mechanism for requesting protected resources by using an `OAuth2AuthorizedClient` and including the associated `OAuth2AccessToken` as a Bearer Token.
|
||||
It directly uses an <<oauth2Client-authorized-manager-provider, ReactiveOAuth2AuthorizedClientManager>> and therefore inherits the following capabilities:
|
||||
|
||||
* An `OAuth2AccessToken` will be requested if the client has not yet been authorized.
|
||||
** `authorization_code` - triggers the Authorization Request redirect to initiate the flow
|
||||
** `client_credentials` - the access token is obtained directly from the Token Endpoint
|
||||
** `password` - the access token is obtained directly from the Token Endpoint
|
||||
* If the `OAuth2AccessToken` is expired, it will be refreshed (or renewed) if a `ReactiveOAuth2AuthorizedClientProvider` is available to perform the authorization
|
||||
|
||||
The following code shows an example of how to configure `WebClient` with OAuth 2.0 Client support:
|
||||
|
||||
====
|
||||
.Java
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
@Bean
|
||||
WebClient webClient(ReactiveOAuth2AuthorizedClientManager authorizedClientManager) {
|
||||
ServerOAuth2AuthorizedClientExchangeFilterFunction oauth2Client =
|
||||
new ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager);
|
||||
return WebClient.builder()
|
||||
.filter(oauth2Client)
|
||||
.build();
|
||||
}
|
||||
----
|
||||
|
||||
.Kotlin
|
||||
[source,kotlin,role="secondary"]
|
||||
----
|
||||
@Bean
|
||||
fun webClient(authorizedClientManager: ReactiveOAuth2AuthorizedClientManager): WebClient {
|
||||
val oauth2Client = ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager)
|
||||
return WebClient.builder()
|
||||
.filter(oauth2Client)
|
||||
.build()
|
||||
}
|
||||
----
|
||||
====
|
||||
|
||||
=== Providing the Authorized Client
|
||||
|
||||
The `ServerOAuth2AuthorizedClientExchangeFilterFunction` determines the client to use (for a request) by resolving the `OAuth2AuthorizedClient` from the `ClientRequest.attributes()` (request attributes).
|
||||
|
||||
The following code shows how to set an `OAuth2AuthorizedClient` as a request attribute:
|
||||
|
||||
====
|
||||
.Java
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
@GetMapping("/")
|
||||
public Mono<String> index(@RegisteredOAuth2AuthorizedClient("okta") OAuth2AuthorizedClient authorizedClient) {
|
||||
String resourceUri = ...
|
||||
|
||||
return webClient
|
||||
.get()
|
||||
.uri(resourceUri)
|
||||
.attributes(oauth2AuthorizedClient(authorizedClient)) <1>
|
||||
.retrieve()
|
||||
.bodyToMono(String.class)
|
||||
...
|
||||
.thenReturn("index");
|
||||
}
|
||||
----
|
||||
|
||||
.Kotlin
|
||||
[source,kotlin,role="secondary"]
|
||||
----
|
||||
@GetMapping("/")
|
||||
fun index(@RegisteredOAuth2AuthorizedClient("okta") authorizedClient: OAuth2AuthorizedClient): Mono<String> {
|
||||
val resourceUri: String = ...
|
||||
|
||||
return webClient
|
||||
.get()
|
||||
.uri(resourceUri)
|
||||
.attributes(oauth2AuthorizedClient(authorizedClient)) <1>
|
||||
.retrieve()
|
||||
.bodyToMono<String>()
|
||||
...
|
||||
.thenReturn("index")
|
||||
}
|
||||
----
|
||||
====
|
||||
|
||||
<1> `oauth2AuthorizedClient()` is a `static` method in `ServerOAuth2AuthorizedClientExchangeFilterFunction`.
|
||||
|
||||
The following code shows how to set the `ClientRegistration.getRegistrationId()` as a request attribute:
|
||||
|
||||
====
|
||||
.Java
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
@GetMapping("/")
|
||||
public Mono<String> index() {
|
||||
String resourceUri = ...
|
||||
|
||||
return webClient
|
||||
.get()
|
||||
.uri(resourceUri)
|
||||
.attributes(clientRegistrationId("okta")) <1>
|
||||
.retrieve()
|
||||
.bodyToMono(String.class)
|
||||
...
|
||||
.thenReturn("index");
|
||||
}
|
||||
----
|
||||
|
||||
.Kotlin
|
||||
[source,kotlin,role="secondary"]
|
||||
----
|
||||
@GetMapping("/")
|
||||
fun index(): Mono<String> {
|
||||
val resourceUri: String = ...
|
||||
|
||||
return webClient
|
||||
.get()
|
||||
.uri(resourceUri)
|
||||
.attributes(clientRegistrationId("okta")) <1>
|
||||
.retrieve()
|
||||
.bodyToMono<String>()
|
||||
...
|
||||
.thenReturn("index")
|
||||
}
|
||||
----
|
||||
====
|
||||
<1> `clientRegistrationId()` is a `static` method in `ServerOAuth2AuthorizedClientExchangeFilterFunction`.
|
||||
|
||||
|
||||
=== Defaulting the Authorized Client
|
||||
|
||||
If neither `OAuth2AuthorizedClient` or `ClientRegistration.getRegistrationId()` is provided as a request attribute, the `ServerOAuth2AuthorizedClientExchangeFilterFunction` can determine the _default_ client to use depending on it's configuration.
|
||||
|
||||
If `setDefaultOAuth2AuthorizedClient(true)` is configured and the user has authenticated using `ServerHttpSecurity.oauth2Login()`, the `OAuth2AccessToken` associated with the current `OAuth2AuthenticationToken` is used.
|
||||
|
||||
The following code shows the specific configuration:
|
||||
|
||||
====
|
||||
.Java
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
@Bean
|
||||
WebClient webClient(ReactiveOAuth2AuthorizedClientManager authorizedClientManager) {
|
||||
ServerOAuth2AuthorizedClientExchangeFilterFunction oauth2Client =
|
||||
new ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager);
|
||||
oauth2Client.setDefaultOAuth2AuthorizedClient(true);
|
||||
return WebClient.builder()
|
||||
.filter(oauth2Client)
|
||||
.build();
|
||||
}
|
||||
----
|
||||
|
||||
.Kotlin
|
||||
[source,kotlin,role="secondary"]
|
||||
----
|
||||
@Bean
|
||||
fun webClient(authorizedClientManager: ReactiveOAuth2AuthorizedClientManager): WebClient {
|
||||
val oauth2Client = ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager)
|
||||
oauth2Client.setDefaultOAuth2AuthorizedClient(true)
|
||||
return WebClient.builder()
|
||||
.filter(oauth2Client)
|
||||
.build()
|
||||
}
|
||||
----
|
||||
====
|
||||
|
||||
[WARNING]
|
||||
It is recommended to be cautious with this feature since all HTTP requests will receive the access token.
|
||||
|
||||
Alternatively, if `setDefaultClientRegistrationId("okta")` is configured with a valid `ClientRegistration`, the `OAuth2AccessToken` associated with the `OAuth2AuthorizedClient` is used.
|
||||
|
||||
The following code shows the specific configuration:
|
||||
|
||||
====
|
||||
.Java
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
@Bean
|
||||
WebClient webClient(ReactiveOAuth2AuthorizedClientManager authorizedClientManager) {
|
||||
ServerOAuth2AuthorizedClientExchangeFilterFunction oauth2Client =
|
||||
new ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager);
|
||||
oauth2Client.setDefaultClientRegistrationId("okta");
|
||||
return WebClient.builder()
|
||||
.filter(oauth2Client)
|
||||
.build();
|
||||
}
|
||||
----
|
||||
|
||||
.Kotlin
|
||||
[source,kotlin,role="secondary"]
|
||||
----
|
||||
@Bean
|
||||
fun webClient(authorizedClientManager: ReactiveOAuth2AuthorizedClientManager): WebClient {
|
||||
val oauth2Client = ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager)
|
||||
oauth2Client.setDefaultClientRegistrationId("okta")
|
||||
return WebClient.builder()
|
||||
.filter(oauth2Client)
|
||||
.build()
|
||||
}
|
||||
----
|
||||
====
|
||||
|
||||
[WARNING]
|
||||
It is recommended to be cautious with this feature since all HTTP requests will receive the access token.
|
|
@ -0,0 +1,151 @@
|
|||
[[oauth2Client-client-auth-support]]
|
||||
= Client Authentication Support
|
||||
|
||||
|
||||
[[oauth2Client-jwt-bearer-auth]]
|
||||
== JWT Bearer
|
||||
|
||||
[NOTE]
|
||||
Please refer to JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants for further details on https://datatracker.ietf.org/doc/html/rfc7523#section-2.2[JWT Bearer] Client Authentication.
|
||||
|
||||
The default implementation for JWT Bearer Client Authentication is `NimbusJwtClientAuthenticationParametersConverter`,
|
||||
which is a `Converter` that customizes the Token Request parameters by adding
|
||||
a signed JSON Web Token (JWS) in the `client_assertion` parameter.
|
||||
|
||||
The `java.security.PrivateKey` or `javax.crypto.SecretKey` used for signing the JWS
|
||||
is supplied by the `com.nimbusds.jose.jwk.JWK` resolver associated with `NimbusJwtClientAuthenticationParametersConverter`.
|
||||
|
||||
|
||||
=== Authenticate using `private_key_jwt`
|
||||
|
||||
Given the following Spring Boot 2.x properties for an OAuth 2.0 Client registration:
|
||||
|
||||
[source,yaml]
|
||||
----
|
||||
spring:
|
||||
security:
|
||||
oauth2:
|
||||
client:
|
||||
registration:
|
||||
okta:
|
||||
client-id: okta-client-id
|
||||
client-authentication-method: private_key_jwt
|
||||
authorization-grant-type: authorization_code
|
||||
...
|
||||
----
|
||||
|
||||
The following example shows how to configure `WebClientReactiveAuthorizationCodeTokenResponseClient`:
|
||||
|
||||
====
|
||||
.Java
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
Function<ClientRegistration, JWK> jwkResolver = (clientRegistration) -> {
|
||||
if (clientRegistration.getClientAuthenticationMethod().equals(ClientAuthenticationMethod.PRIVATE_KEY_JWT)) {
|
||||
// Assuming RSA key type
|
||||
RSAPublicKey publicKey = ...
|
||||
RSAPrivateKey privateKey = ...
|
||||
return new RSAKey.Builder(publicKey)
|
||||
.privateKey(privateKey)
|
||||
.keyID(UUID.randomUUID().toString())
|
||||
.build();
|
||||
}
|
||||
return null;
|
||||
};
|
||||
|
||||
WebClientReactiveAuthorizationCodeTokenResponseClient tokenResponseClient =
|
||||
new WebClientReactiveAuthorizationCodeTokenResponseClient();
|
||||
tokenResponseClient.addParametersConverter(
|
||||
new NimbusJwtClientAuthenticationParametersConverter<>(jwkResolver));
|
||||
----
|
||||
|
||||
.Kotlin
|
||||
[source,kotlin,role="secondary"]
|
||||
----
|
||||
val jwkResolver: Function<ClientRegistration, JWK> =
|
||||
Function<ClientRegistration, JWK> { clientRegistration ->
|
||||
if (clientRegistration.clientAuthenticationMethod.equals(ClientAuthenticationMethod.PRIVATE_KEY_JWT)) {
|
||||
// Assuming RSA key type
|
||||
var publicKey: RSAPublicKey = ...
|
||||
var privateKey: RSAPrivateKey = ...
|
||||
RSAKey.Builder(publicKey)
|
||||
.privateKey(privateKey)
|
||||
.keyID(UUID.randomUUID().toString())
|
||||
.build()
|
||||
}
|
||||
null
|
||||
}
|
||||
|
||||
val tokenResponseClient = WebClientReactiveAuthorizationCodeTokenResponseClient()
|
||||
tokenResponseClient.addParametersConverter(
|
||||
NimbusJwtClientAuthenticationParametersConverter(jwkResolver)
|
||||
)
|
||||
----
|
||||
====
|
||||
|
||||
|
||||
=== Authenticate using `client_secret_jwt`
|
||||
|
||||
Given the following Spring Boot 2.x properties for an OAuth 2.0 Client registration:
|
||||
|
||||
[source,yaml]
|
||||
----
|
||||
spring:
|
||||
security:
|
||||
oauth2:
|
||||
client:
|
||||
registration:
|
||||
okta:
|
||||
client-id: okta-client-id
|
||||
client-secret: okta-client-secret
|
||||
client-authentication-method: client_secret_jwt
|
||||
authorization-grant-type: client_credentials
|
||||
...
|
||||
----
|
||||
|
||||
The following example shows how to configure `WebClientReactiveClientCredentialsTokenResponseClient`:
|
||||
|
||||
====
|
||||
.Java
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
Function<ClientRegistration, JWK> jwkResolver = (clientRegistration) -> {
|
||||
if (clientRegistration.getClientAuthenticationMethod().equals(ClientAuthenticationMethod.CLIENT_SECRET_JWT)) {
|
||||
SecretKeySpec secretKey = new SecretKeySpec(
|
||||
clientRegistration.getClientSecret().getBytes(StandardCharsets.UTF_8),
|
||||
"HmacSHA256");
|
||||
return new OctetSequenceKey.Builder(secretKey)
|
||||
.keyID(UUID.randomUUID().toString())
|
||||
.build();
|
||||
}
|
||||
return null;
|
||||
};
|
||||
|
||||
WebClientReactiveClientCredentialsTokenResponseClient tokenResponseClient =
|
||||
new WebClientReactiveClientCredentialsTokenResponseClient();
|
||||
tokenResponseClient.addParametersConverter(
|
||||
new NimbusJwtClientAuthenticationParametersConverter<>(jwkResolver));
|
||||
----
|
||||
|
||||
.Kotlin
|
||||
[source,kotlin,role="secondary"]
|
||||
----
|
||||
val jwkResolver = Function<ClientRegistration, JWK?> { clientRegistration: ClientRegistration ->
|
||||
if (clientRegistration.clientAuthenticationMethod == ClientAuthenticationMethod.CLIENT_SECRET_JWT) {
|
||||
val secretKey = SecretKeySpec(
|
||||
clientRegistration.clientSecret.toByteArray(StandardCharsets.UTF_8),
|
||||
"HmacSHA256"
|
||||
)
|
||||
OctetSequenceKey.Builder(secretKey)
|
||||
.keyID(UUID.randomUUID().toString())
|
||||
.build()
|
||||
}
|
||||
null
|
||||
}
|
||||
|
||||
val tokenResponseClient = WebClientReactiveClientCredentialsTokenResponseClient()
|
||||
tokenResponseClient.addParametersConverter(
|
||||
NimbusJwtClientAuthenticationParametersConverter(jwkResolver)
|
||||
)
|
||||
----
|
||||
====
|
|
@ -0,0 +1,429 @@
|
|||
[[oauth2Client-core-interface-class]]
|
||||
= Core Interfaces / Classes
|
||||
|
||||
|
||||
[[oauth2Client-client-registration]]
|
||||
== ClientRegistration
|
||||
|
||||
`ClientRegistration` is a representation of a client registered with an OAuth 2.0 or OpenID Connect 1.0 Provider.
|
||||
|
||||
A client registration holds information, such as client id, client secret, authorization grant type, redirect URI, scope(s), authorization URI, token URI, and other details.
|
||||
|
||||
`ClientRegistration` and its properties are defined as follows:
|
||||
|
||||
[source,java]
|
||||
----
|
||||
public final class ClientRegistration {
|
||||
private String registrationId; <1>
|
||||
private String clientId; <2>
|
||||
private String clientSecret; <3>
|
||||
private ClientAuthenticationMethod clientAuthenticationMethod; <4>
|
||||
private AuthorizationGrantType authorizationGrantType; <5>
|
||||
private String redirectUri; <6>
|
||||
private Set<String> scopes; <7>
|
||||
private ProviderDetails providerDetails;
|
||||
private String clientName; <8>
|
||||
|
||||
public class ProviderDetails {
|
||||
private String authorizationUri; <9>
|
||||
private String tokenUri; <10>
|
||||
private UserInfoEndpoint userInfoEndpoint;
|
||||
private String jwkSetUri; <11>
|
||||
private String issuerUri; <12>
|
||||
private Map<String, Object> configurationMetadata; <13>
|
||||
|
||||
public class UserInfoEndpoint {
|
||||
private String uri; <14>
|
||||
private AuthenticationMethod authenticationMethod; <15>
|
||||
private String userNameAttributeName; <16>
|
||||
|
||||
}
|
||||
}
|
||||
}
|
||||
----
|
||||
<1> `registrationId`: The ID that uniquely identifies the `ClientRegistration`.
|
||||
<2> `clientId`: The client identifier.
|
||||
<3> `clientSecret`: The client secret.
|
||||
<4> `clientAuthenticationMethod`: The method used to authenticate the Client with the Provider.
|
||||
The supported values are *client_secret_basic*, *client_secret_post*, *private_key_jwt*, *client_secret_jwt* and *none* https://tools.ietf.org/html/rfc6749#section-2.1[(public clients)].
|
||||
<5> `authorizationGrantType`: The OAuth 2.0 Authorization Framework defines four https://tools.ietf.org/html/rfc6749#section-1.3[Authorization Grant] types.
|
||||
The supported values are `authorization_code`, `client_credentials`, `password`, as well as, extension grant type `urn:ietf:params:oauth:grant-type:jwt-bearer`.
|
||||
<6> `redirectUri`: The client's registered redirect URI that the _Authorization Server_ redirects the end-user's user-agent
|
||||
to after the end-user has authenticated and authorized access to the client.
|
||||
<7> `scopes`: The scope(s) requested by the client during the Authorization Request flow, such as openid, email, or profile.
|
||||
<8> `clientName`: A descriptive name used for the client.
|
||||
The name may be used in certain scenarios, such as when displaying the name of the client in the auto-generated login page.
|
||||
<9> `authorizationUri`: The Authorization Endpoint URI for the Authorization Server.
|
||||
<10> `tokenUri`: The Token Endpoint URI for the Authorization Server.
|
||||
<11> `jwkSetUri`: The URI used to retrieve the https://tools.ietf.org/html/rfc7517[JSON Web Key (JWK)] Set from the Authorization Server,
|
||||
which contains the cryptographic key(s) used to verify the https://tools.ietf.org/html/rfc7515[JSON Web Signature (JWS)] of the ID Token and optionally the UserInfo Response.
|
||||
<12> `issuerUri`: Returns the issuer identifier uri for the OpenID Connect 1.0 provider or the OAuth 2.0 Authorization Server.
|
||||
<13> `configurationMetadata`: The https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig[OpenID Provider Configuration Information].
|
||||
This information will only be available if the Spring Boot 2.x property `spring.security.oauth2.client.provider.[providerId].issuerUri` is configured.
|
||||
<14> `(userInfoEndpoint)uri`: The UserInfo Endpoint URI used to access the claims/attributes of the authenticated end-user.
|
||||
<15> `(userInfoEndpoint)authenticationMethod`: The authentication method used when sending the access token to the UserInfo Endpoint.
|
||||
The supported values are *header*, *form* and *query*.
|
||||
<16> `userNameAttributeName`: The name of the attribute returned in the UserInfo Response that references the Name or Identifier of the end-user.
|
||||
|
||||
A `ClientRegistration` can be initially configured using discovery of an OpenID Connect Provider's https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig[Configuration endpoint] or an Authorization Server's https://tools.ietf.org/html/rfc8414#section-3[Metadata endpoint].
|
||||
|
||||
`ClientRegistrations` provides convenience methods for configuring a `ClientRegistration` in this way, as can be seen in the following example:
|
||||
|
||||
====
|
||||
.Java
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
ClientRegistration clientRegistration =
|
||||
ClientRegistrations.fromIssuerLocation("https://idp.example.com/issuer").build();
|
||||
----
|
||||
|
||||
.Kotlin
|
||||
[source,kotlin,role="secondary"]
|
||||
----
|
||||
val clientRegistration = ClientRegistrations.fromIssuerLocation("https://idp.example.com/issuer").build()
|
||||
----
|
||||
====
|
||||
|
||||
The above code will query in series `https://idp.example.com/issuer/.well-known/openid-configuration`, and then `https://idp.example.com/.well-known/openid-configuration/issuer`, and finally `https://idp.example.com/.well-known/oauth-authorization-server/issuer`, stopping at the first to return a 200 response.
|
||||
|
||||
As an alternative, you can use `ClientRegistrations.fromOidcIssuerLocation()` to only query the OpenID Connect Provider's Configuration endpoint.
|
||||
|
||||
[[oauth2Client-client-registration-repo]]
|
||||
== ReactiveClientRegistrationRepository
|
||||
|
||||
The `ReactiveClientRegistrationRepository` serves as a repository for OAuth 2.0 / OpenID Connect 1.0 `ClientRegistration`(s).
|
||||
|
||||
[NOTE]
|
||||
Client registration information is ultimately stored and owned by the associated Authorization Server.
|
||||
This repository provides the ability to retrieve a sub-set of the primary client registration information, which is stored with the Authorization Server.
|
||||
|
||||
Spring Boot 2.x auto-configuration binds each of the properties under `spring.security.oauth2.client.registration._[registrationId]_` to an instance of `ClientRegistration` and then composes each of the `ClientRegistration` instance(s) within a `ReactiveClientRegistrationRepository`.
|
||||
|
||||
[NOTE]
|
||||
The default implementation of `ReactiveClientRegistrationRepository` is `InMemoryReactiveClientRegistrationRepository`.
|
||||
|
||||
The auto-configuration also registers the `ReactiveClientRegistrationRepository` as a `@Bean` in the `ApplicationContext` so that it is available for dependency-injection, if needed by the application.
|
||||
|
||||
The following listing shows an example:
|
||||
|
||||
====
|
||||
.Java
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
@Controller
|
||||
public class OAuth2ClientController {
|
||||
|
||||
@Autowired
|
||||
private ReactiveClientRegistrationRepository clientRegistrationRepository;
|
||||
|
||||
@GetMapping("/")
|
||||
public Mono<String> index() {
|
||||
return this.clientRegistrationRepository.findByRegistrationId("okta")
|
||||
...
|
||||
.thenReturn("index");
|
||||
}
|
||||
}
|
||||
----
|
||||
|
||||
.Kotlin
|
||||
[source,kotlin,role="secondary"]
|
||||
----
|
||||
@Controller
|
||||
class OAuth2ClientController {
|
||||
|
||||
@Autowired
|
||||
private lateinit var clientRegistrationRepository: ReactiveClientRegistrationRepository
|
||||
|
||||
@GetMapping("/")
|
||||
fun index(): Mono<String> {
|
||||
return this.clientRegistrationRepository.findByRegistrationId("okta")
|
||||
...
|
||||
.thenReturn("index")
|
||||
}
|
||||
}
|
||||
----
|
||||
====
|
||||
|
||||
[[oauth2Client-authorized-client]]
|
||||
== OAuth2AuthorizedClient
|
||||
|
||||
`OAuth2AuthorizedClient` is a representation of an Authorized Client.
|
||||
A client is considered to be authorized when the end-user (Resource Owner) has granted authorization to the client to access its protected resources.
|
||||
|
||||
`OAuth2AuthorizedClient` serves the purpose of associating an `OAuth2AccessToken` (and optional `OAuth2RefreshToken`) to a `ClientRegistration` (client) and resource owner, who is the `Principal` end-user that granted the authorization.
|
||||
|
||||
|
||||
[[oauth2Client-authorized-repo-service]]
|
||||
== ServerOAuth2AuthorizedClientRepository / ReactiveOAuth2AuthorizedClientService
|
||||
|
||||
`ServerOAuth2AuthorizedClientRepository` is responsible for persisting `OAuth2AuthorizedClient`(s) between web requests.
|
||||
Whereas, the primary role of `ReactiveOAuth2AuthorizedClientService` is to manage `OAuth2AuthorizedClient`(s) at the application-level.
|
||||
|
||||
From a developer perspective, the `ServerOAuth2AuthorizedClientRepository` or `ReactiveOAuth2AuthorizedClientService` provides the capability to lookup an `OAuth2AccessToken` associated with a client so that it may be used to initiate a protected resource request.
|
||||
|
||||
The following listing shows an example:
|
||||
|
||||
====
|
||||
.Java
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
@Controller
|
||||
public class OAuth2ClientController {
|
||||
|
||||
@Autowired
|
||||
private ReactiveOAuth2AuthorizedClientService authorizedClientService;
|
||||
|
||||
@GetMapping("/")
|
||||
public Mono<String> index(Authentication authentication) {
|
||||
return this.authorizedClientService.loadAuthorizedClient("okta", authentication.getName())
|
||||
.map(OAuth2AuthorizedClient::getAccessToken)
|
||||
...
|
||||
.thenReturn("index");
|
||||
}
|
||||
}
|
||||
----
|
||||
|
||||
.Kotlin
|
||||
[source,kotlin,role="secondary"]
|
||||
----
|
||||
@Controller
|
||||
class OAuth2ClientController {
|
||||
|
||||
@Autowired
|
||||
private lateinit var authorizedClientService: ReactiveOAuth2AuthorizedClientService
|
||||
|
||||
@GetMapping("/")
|
||||
fun index(authentication: Authentication): Mono<String> {
|
||||
return this.authorizedClientService.loadAuthorizedClient<OAuth2AuthorizedClient>("okta", authentication.name)
|
||||
.map { it.accessToken }
|
||||
...
|
||||
.thenReturn("index")
|
||||
}
|
||||
}
|
||||
----
|
||||
====
|
||||
|
||||
[NOTE]
|
||||
Spring Boot 2.x auto-configuration registers an `ServerOAuth2AuthorizedClientRepository` and/or `ReactiveOAuth2AuthorizedClientService` `@Bean` in the `ApplicationContext`.
|
||||
However, the application may choose to override and register a custom `ServerOAuth2AuthorizedClientRepository` or `ReactiveOAuth2AuthorizedClientService` `@Bean`.
|
||||
|
||||
The default implementation of `ReactiveOAuth2AuthorizedClientService` is `InMemoryReactiveOAuth2AuthorizedClientService`, which stores `OAuth2AuthorizedClient`(s) in-memory.
|
||||
|
||||
Alternatively, the R2DBC implementation `R2dbcReactiveOAuth2AuthorizedClientService` may be configured for persisting `OAuth2AuthorizedClient`(s) in a database.
|
||||
|
||||
[NOTE]
|
||||
`R2dbcReactiveOAuth2AuthorizedClientService` depends on the table definition described in xref:servlet/appendix/database-schema.adoc#dbschema-oauth2-client[ OAuth 2.0 Client Schema].
|
||||
|
||||
|
||||
[[oauth2Client-authorized-manager-provider]]
|
||||
== ReactiveOAuth2AuthorizedClientManager / ReactiveOAuth2AuthorizedClientProvider
|
||||
|
||||
The `ReactiveOAuth2AuthorizedClientManager` is responsible for the overall management of `OAuth2AuthorizedClient`(s).
|
||||
|
||||
The primary responsibilities include:
|
||||
|
||||
* Authorizing (or re-authorizing) an OAuth 2.0 Client, using a `ReactiveOAuth2AuthorizedClientProvider`.
|
||||
* Delegating the persistence of an `OAuth2AuthorizedClient`, typically using a `ReactiveOAuth2AuthorizedClientService` or `ServerOAuth2AuthorizedClientRepository`.
|
||||
* Delegating to a `ReactiveOAuth2AuthorizationSuccessHandler` when an OAuth 2.0 Client has been successfully authorized (or re-authorized).
|
||||
* Delegating to a `ReactiveOAuth2AuthorizationFailureHandler` when an OAuth 2.0 Client fails to authorize (or re-authorize).
|
||||
|
||||
A `ReactiveOAuth2AuthorizedClientProvider` implements a strategy for authorizing (or re-authorizing) an OAuth 2.0 Client.
|
||||
Implementations will typically implement an authorization grant type, eg. `authorization_code`, `client_credentials`, etc.
|
||||
|
||||
The default implementation of `ReactiveOAuth2AuthorizedClientManager` is `DefaultReactiveOAuth2AuthorizedClientManager`, which is associated with a `ReactiveOAuth2AuthorizedClientProvider` that may support multiple authorization grant types using a delegation-based composite.
|
||||
The `ReactiveOAuth2AuthorizedClientProviderBuilder` may be used to configure and build the delegation-based composite.
|
||||
|
||||
The following code shows an example of how to configure and build a `ReactiveOAuth2AuthorizedClientProvider` composite that provides support for the `authorization_code`, `refresh_token`, `client_credentials` and `password` authorization grant types:
|
||||
|
||||
====
|
||||
.Java
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
@Bean
|
||||
public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
|
||||
ReactiveClientRegistrationRepository clientRegistrationRepository,
|
||||
ServerOAuth2AuthorizedClientRepository authorizedClientRepository) {
|
||||
|
||||
ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
|
||||
ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
|
||||
.authorizationCode()
|
||||
.refreshToken()
|
||||
.clientCredentials()
|
||||
.password()
|
||||
.build();
|
||||
|
||||
DefaultReactiveOAuth2AuthorizedClientManager authorizedClientManager =
|
||||
new DefaultReactiveOAuth2AuthorizedClientManager(
|
||||
clientRegistrationRepository, authorizedClientRepository);
|
||||
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
|
||||
|
||||
return authorizedClientManager;
|
||||
}
|
||||
----
|
||||
|
||||
.Kotlin
|
||||
[source,kotlin,role="secondary"]
|
||||
----
|
||||
@Bean
|
||||
fun authorizedClientManager(
|
||||
clientRegistrationRepository: ReactiveClientRegistrationRepository,
|
||||
authorizedClientRepository: ServerOAuth2AuthorizedClientRepository): ReactiveOAuth2AuthorizedClientManager {
|
||||
val authorizedClientProvider: ReactiveOAuth2AuthorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
|
||||
.authorizationCode()
|
||||
.refreshToken()
|
||||
.clientCredentials()
|
||||
.password()
|
||||
.build()
|
||||
val authorizedClientManager = DefaultReactiveOAuth2AuthorizedClientManager(
|
||||
clientRegistrationRepository, authorizedClientRepository)
|
||||
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
|
||||
return authorizedClientManager
|
||||
}
|
||||
----
|
||||
====
|
||||
|
||||
When an authorization attempt succeeds, the `DefaultReactiveOAuth2AuthorizedClientManager` will delegate to the `ReactiveOAuth2AuthorizationSuccessHandler`, which (by default) will save the `OAuth2AuthorizedClient` via the `ServerOAuth2AuthorizedClientRepository`.
|
||||
In the case of a re-authorization failure, eg. a refresh token is no longer valid, the previously saved `OAuth2AuthorizedClient` will be removed from the `ServerOAuth2AuthorizedClientRepository` via the `RemoveAuthorizedClientReactiveOAuth2AuthorizationFailureHandler`.
|
||||
The default behaviour may be customized via `setAuthorizationSuccessHandler(ReactiveOAuth2AuthorizationSuccessHandler)` and `setAuthorizationFailureHandler(ReactiveOAuth2AuthorizationFailureHandler)`.
|
||||
|
||||
The `DefaultReactiveOAuth2AuthorizedClientManager` is also associated with a `contextAttributesMapper` of type `Function<OAuth2AuthorizeRequest, Mono<Map<String, Object>>>`, which is responsible for mapping attribute(s) from the `OAuth2AuthorizeRequest` to a `Map` of attributes to be associated to the `OAuth2AuthorizationContext`.
|
||||
This can be useful when you need to supply a `ReactiveOAuth2AuthorizedClientProvider` with required (supported) attribute(s), eg. the `PasswordReactiveOAuth2AuthorizedClientProvider` requires the resource owner's `username` and `password` to be available in `OAuth2AuthorizationContext.getAttributes()`.
|
||||
|
||||
The following code shows an example of the `contextAttributesMapper`:
|
||||
|
||||
====
|
||||
.Java
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
@Bean
|
||||
public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
|
||||
ReactiveClientRegistrationRepository clientRegistrationRepository,
|
||||
ServerOAuth2AuthorizedClientRepository authorizedClientRepository) {
|
||||
|
||||
ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
|
||||
ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
|
||||
.password()
|
||||
.refreshToken()
|
||||
.build();
|
||||
|
||||
DefaultReactiveOAuth2AuthorizedClientManager authorizedClientManager =
|
||||
new DefaultReactiveOAuth2AuthorizedClientManager(
|
||||
clientRegistrationRepository, authorizedClientRepository);
|
||||
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
|
||||
|
||||
// Assuming the `username` and `password` are supplied as `ServerHttpRequest` parameters,
|
||||
// map the `ServerHttpRequest` parameters to `OAuth2AuthorizationContext.getAttributes()`
|
||||
authorizedClientManager.setContextAttributesMapper(contextAttributesMapper());
|
||||
|
||||
return authorizedClientManager;
|
||||
}
|
||||
|
||||
private Function<OAuth2AuthorizeRequest, Mono<Map<String, Object>>> contextAttributesMapper() {
|
||||
return authorizeRequest -> {
|
||||
Map<String, Object> contextAttributes = Collections.emptyMap();
|
||||
ServerWebExchange exchange = authorizeRequest.getAttribute(ServerWebExchange.class.getName());
|
||||
ServerHttpRequest request = exchange.getRequest();
|
||||
String username = request.getQueryParams().getFirst(OAuth2ParameterNames.USERNAME);
|
||||
String password = request.getQueryParams().getFirst(OAuth2ParameterNames.PASSWORD);
|
||||
if (StringUtils.hasText(username) && StringUtils.hasText(password)) {
|
||||
contextAttributes = new HashMap<>();
|
||||
|
||||
// `PasswordReactiveOAuth2AuthorizedClientProvider` requires both attributes
|
||||
contextAttributes.put(OAuth2AuthorizationContext.USERNAME_ATTRIBUTE_NAME, username);
|
||||
contextAttributes.put(OAuth2AuthorizationContext.PASSWORD_ATTRIBUTE_NAME, password);
|
||||
}
|
||||
return Mono.just(contextAttributes);
|
||||
};
|
||||
}
|
||||
----
|
||||
|
||||
.Kotlin
|
||||
[source,kotlin,role="secondary"]
|
||||
----
|
||||
@Bean
|
||||
fun authorizedClientManager(
|
||||
clientRegistrationRepository: ReactiveClientRegistrationRepository,
|
||||
authorizedClientRepository: ServerOAuth2AuthorizedClientRepository): ReactiveOAuth2AuthorizedClientManager {
|
||||
val authorizedClientProvider: ReactiveOAuth2AuthorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
|
||||
.password()
|
||||
.refreshToken()
|
||||
.build()
|
||||
val authorizedClientManager = DefaultReactiveOAuth2AuthorizedClientManager(
|
||||
clientRegistrationRepository, authorizedClientRepository)
|
||||
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
|
||||
|
||||
// Assuming the `username` and `password` are supplied as `ServerHttpRequest` parameters,
|
||||
// map the `ServerHttpRequest` parameters to `OAuth2AuthorizationContext.getAttributes()`
|
||||
authorizedClientManager.setContextAttributesMapper(contextAttributesMapper())
|
||||
return authorizedClientManager
|
||||
}
|
||||
|
||||
private fun contextAttributesMapper(): Function<OAuth2AuthorizeRequest, Mono<MutableMap<String, Any>>> {
|
||||
return Function { authorizeRequest ->
|
||||
var contextAttributes: MutableMap<String, Any> = mutableMapOf()
|
||||
val exchange: ServerWebExchange = authorizeRequest.getAttribute(ServerWebExchange::class.java.name)!!
|
||||
val request: ServerHttpRequest = exchange.request
|
||||
val username: String? = request.queryParams.getFirst(OAuth2ParameterNames.USERNAME)
|
||||
val password: String? = request.queryParams.getFirst(OAuth2ParameterNames.PASSWORD)
|
||||
if (StringUtils.hasText(username) && StringUtils.hasText(password)) {
|
||||
contextAttributes = hashMapOf()
|
||||
|
||||
// `PasswordReactiveOAuth2AuthorizedClientProvider` requires both attributes
|
||||
contextAttributes[OAuth2AuthorizationContext.USERNAME_ATTRIBUTE_NAME] = username!!
|
||||
contextAttributes[OAuth2AuthorizationContext.PASSWORD_ATTRIBUTE_NAME] = password!!
|
||||
}
|
||||
Mono.just(contextAttributes)
|
||||
}
|
||||
}
|
||||
----
|
||||
====
|
||||
|
||||
The `DefaultReactiveOAuth2AuthorizedClientManager` is designed to be used *_within_* the context of a `ServerWebExchange`.
|
||||
When operating *_outside_* of a `ServerWebExchange` context, use `AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager` instead.
|
||||
|
||||
A _service application_ is a common use case for when to use an `AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager`.
|
||||
Service applications often run in the background, without any user interaction, and typically run under a system-level account instead of a user account.
|
||||
An OAuth 2.0 Client configured with the `client_credentials` grant type can be considered a type of service application.
|
||||
|
||||
The following code shows an example of how to configure an `AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager` that provides support for the `client_credentials` grant type:
|
||||
|
||||
====
|
||||
.Java
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
@Bean
|
||||
public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
|
||||
ReactiveClientRegistrationRepository clientRegistrationRepository,
|
||||
ReactiveOAuth2AuthorizedClientService authorizedClientService) {
|
||||
|
||||
ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
|
||||
ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
|
||||
.clientCredentials()
|
||||
.build();
|
||||
|
||||
AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager authorizedClientManager =
|
||||
new AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager(
|
||||
clientRegistrationRepository, authorizedClientService);
|
||||
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
|
||||
|
||||
return authorizedClientManager;
|
||||
}
|
||||
----
|
||||
|
||||
.Kotlin
|
||||
[source,kotlin,role="secondary"]
|
||||
----
|
||||
@Bean
|
||||
fun authorizedClientManager(
|
||||
clientRegistrationRepository: ReactiveClientRegistrationRepository,
|
||||
authorizedClientService: ReactiveOAuth2AuthorizedClientService): ReactiveOAuth2AuthorizedClientManager {
|
||||
val authorizedClientProvider: ReactiveOAuth2AuthorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
|
||||
.clientCredentials()
|
||||
.build()
|
||||
val authorizedClientManager = AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager(
|
||||
clientRegistrationRepository, authorizedClientService)
|
||||
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
|
||||
return authorizedClientManager
|
||||
}
|
||||
----
|
||||
====
|
|
@ -0,0 +1,123 @@
|
|||
[[webflux-oauth2-client]]
|
||||
= OAuth 2.0 Client
|
||||
:page-section-summary-toc: 1
|
||||
|
||||
The OAuth 2.0 Client features provide support for the Client role as defined in the https://tools.ietf.org/html/rfc6749#section-1.1[OAuth 2.0 Authorization Framework].
|
||||
|
||||
At a high-level, the core features available are:
|
||||
|
||||
.Authorization Grant support
|
||||
* https://tools.ietf.org/html/rfc6749#section-1.3.1[Authorization Code]
|
||||
* https://tools.ietf.org/html/rfc6749#section-6[Refresh Token]
|
||||
* https://tools.ietf.org/html/rfc6749#section-1.3.4[Client Credentials]
|
||||
* https://tools.ietf.org/html/rfc6749#section-1.3.3[Resource Owner Password Credentials]
|
||||
* https://datatracker.ietf.org/doc/html/rfc7523#section-2.1[JWT Bearer]
|
||||
|
||||
.Client Authentication support
|
||||
* https://datatracker.ietf.org/doc/html/rfc7523#section-2.2[JWT Bearer]
|
||||
|
||||
.HTTP Client support
|
||||
* <<oauth2Client-webclient-webflux, `WebClient` integration for Reactive Environments>> (for requesting protected resources)
|
||||
|
||||
The `ServerHttpSecurity.oauth2Client()` DSL provides a number of configuration options for customizing the core components used by OAuth 2.0 Client.
|
||||
|
||||
The following code shows the complete configuration options provided by the `ServerHttpSecurity.oauth2Client()` DSL:
|
||||
|
||||
.OAuth2 Client Configuration Options
|
||||
====
|
||||
.Java
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
@EnableWebFluxSecurity
|
||||
public class OAuth2ClientSecurityConfig {
|
||||
|
||||
@Bean
|
||||
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
|
||||
http
|
||||
.oauth2Client(oauth2 -> oauth2
|
||||
.clientRegistrationRepository(this.clientRegistrationRepository())
|
||||
.authorizedClientRepository(this.authorizedClientRepository())
|
||||
.authorizationRequestRepository(this.authorizationRequestRepository())
|
||||
.authenticationConverter(this.authenticationConverter())
|
||||
.authenticationManager(this.authenticationManager())
|
||||
);
|
||||
|
||||
return http.build();
|
||||
}
|
||||
}
|
||||
----
|
||||
|
||||
.Kotlin
|
||||
[source,kotlin,role="secondary"]
|
||||
----
|
||||
@EnableWebFluxSecurity
|
||||
class OAuth2ClientSecurityConfig {
|
||||
|
||||
@Bean
|
||||
fun securityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
|
||||
http {
|
||||
oauth2Client {
|
||||
clientRegistrationRepository = clientRegistrationRepository()
|
||||
authorizedClientRepository = authorizedClientRepository()
|
||||
authorizationRequestRepository = authorizedRequestRepository()
|
||||
authenticationConverter = authenticationConverter()
|
||||
authenticationManager = authenticationManager()
|
||||
}
|
||||
}
|
||||
|
||||
return http.build()
|
||||
}
|
||||
}
|
||||
----
|
||||
====
|
||||
|
||||
The `ReactiveOAuth2AuthorizedClientManager` is responsible for managing the authorization (or re-authorization) of an OAuth 2.0 Client, in collaboration with one or more `ReactiveOAuth2AuthorizedClientProvider`(s).
|
||||
|
||||
The following code shows an example of how to register a `ReactiveOAuth2AuthorizedClientManager` `@Bean` and associate it with a `ReactiveOAuth2AuthorizedClientProvider` composite that provides support for the `authorization_code`, `refresh_token`, `client_credentials` and `password` authorization grant types:
|
||||
|
||||
====
|
||||
.Java
|
||||
[source,java,role="primary"]
|
||||
----
|
||||
@Bean
|
||||
public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
|
||||
ReactiveClientRegistrationRepository clientRegistrationRepository,
|
||||
ServerOAuth2AuthorizedClientRepository authorizedClientRepository) {
|
||||
|
||||
ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
|
||||
ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
|
||||
.authorizationCode()
|
||||
.refreshToken()
|
||||
.clientCredentials()
|
||||
.password()
|
||||
.build();
|
||||
|
||||
DefaultReactiveOAuth2AuthorizedClientManager authorizedClientManager =
|
||||
new DefaultReactiveOAuth2AuthorizedClientManager(
|
||||
clientRegistrationRepository, authorizedClientRepository);
|
||||
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
|
||||
|
||||
return authorizedClientManager;
|
||||
}
|
||||
----
|
||||
|
||||
.Kotlin
|
||||
[source,kotlin,role="secondary"]
|
||||
----
|
||||
@Bean
|
||||
fun authorizedClientManager(
|
||||
clientRegistrationRepository: ReactiveClientRegistrationRepository,
|
||||
authorizedClientRepository: ServerOAuth2AuthorizedClientRepository): ReactiveOAuth2AuthorizedClientManager {
|
||||
val authorizedClientProvider: ReactiveOAuth2AuthorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
|
||||
.authorizationCode()
|
||||
.refreshToken()
|
||||
.clientCredentials()
|
||||
.password()
|
||||
.build()
|
||||
val authorizedClientManager = DefaultReactiveOAuth2AuthorizedClientManager(
|
||||
clientRegistrationRepository, authorizedClientRepository)
|
||||
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
|
||||
return authorizedClientManager
|
||||
}
|
||||
----
|
||||
====
|
Loading…
Reference in New Issue