Add WebFlux Resource Server Reference

Fixes: gh-5866
Rob Winch 2018-09-18 10:58:56 -05:00
parent 83af2df131
commit 87243ea453
2 changed files with 49 additions and 0 deletions

@ -5,3 +5,5 @@ Spring Security provides OAuth2 and WebFlux integration for reactive application
include::login.adoc[leveloffset=+1]
include::access-token.adoc[leveloffset=+1]
include::resource-server.adoc[leveloffset=+1]

@ -0,0 +1,47 @@
[[webflux-oauth2-resource-server]]
= OAuth2 Resource Server
Spring Security provides OAuth2 Resource Server support with JWT tokens.
[[NOTE]]
====
A complete working example can be found in {gh-samples-url}/boot/oauth2resourceserver-webflux[*OAuth 2.0 Resource Server WebFlux sample*].
====
The first step is to expose a `ReactiveJwtDecoder` as a `@Bean`.
In a Spring Boot application this can be done using:
[source,yml]
----
spring:
security:
oauth2:
resourceserver:
jwt:
issuer-uri: https://idp.example.com/auth/realms/demo
----
The `issuer-uri` instructs Spring Security to leverage the endpoint at `https://idp.example.com/auth/realms/demo/.well-known/openid-configuration` to discover the configuration.
The above is all that is necessary to get a minimal Resource Server configured.
When new keys are made available, Spring Security will automatically rotate the keys used to validate the JWT tokens.
By default each scope is mapped to an authority with the prefix `SCOPE_`.
For example, the following requires the scope of `message:read` for any URL that starts with `/messages/`.
[source,java]
----
@Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
http
.authorizeExchange()
.pathMatchers("/message/**").hasAuthority("SCOPE_message:read")
.anyExchange().authenticated()
.and()
.oauth2ResourceServer()
.jwt();
return http.build();
}
----
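Review bot: The sentence introducing the Java example says the rule covers any URL that starts with `/messages/`, but the code uses `.pathMatchers("/message/**")`, so the documented path and the protected path differ. As written, a request under `/messages/` would fall through to `.anyExchange().authenticated()` and need only a valid token, not the `message:read` scope. Please make the two agree, either `/messages/**` in the matcher or `/message/` in the prose. Separately, `[[NOTE]]` above the `====` block is AsciiDoc anchor syntax, which assigns the block an id of `NOTE` instead of rendering an admonition; `[NOTE]` is what is wanted there.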