parent
22f84cf3f3
commit
be340a0085
|
@ -491,7 +491,7 @@ With the above configuration, the application now supports two additional endpoi
|
||||||
====
|
====
|
||||||
The presence of the `openid` scope in the above configuration indicates that OpenID Connect 1.0 should be used.
|
The presence of the `openid` scope in the above configuration indicates that OpenID Connect 1.0 should be used.
|
||||||
This instructs Spring Security to use OIDC-specific components (such as `OidcUserService`) during request processing.
|
This instructs Spring Security to use OIDC-specific components (such as `OidcUserService`) during request processing.
|
||||||
Without this scope, Spring Security will use OAuth2-specific components (such as `OAuth2UserService`) instead.
|
Without this scope, Spring Security will use OAuth2-specific components (such as `DefaultOAuth2UserService`) instead.
|
||||||
====
|
====
|
||||||
|
|
||||||
[[oauth2-client-access-protected-resources]]
|
[[oauth2-client-access-protected-resources]]
|
||||||
|
@ -708,7 +708,7 @@ class MessagesController(private val webClient: WebClient) {
|
||||||
.uri("http://localhost:8090/messages")
|
.uri("http://localhost:8090/messages")
|
||||||
.attributes(clientRegistrationId("my-oauth2-client"))
|
.attributes(clientRegistrationId("my-oauth2-client"))
|
||||||
.retrieve()
|
.retrieve()
|
||||||
.toEntityList(Message::class.java)
|
.toEntityList<Message>()
|
||||||
.block()!!
|
.block()!!
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -933,7 +933,7 @@ class MessagesController(private val webClient: WebClient) {
|
||||||
return webClient.get()
|
return webClient.get()
|
||||||
.uri("http://localhost:8090/messages")
|
.uri("http://localhost:8090/messages")
|
||||||
.retrieve()
|
.retrieve()
|
||||||
.toEntityList(Message::class.java)
|
.toEntityList<Message>()
|
||||||
.block()!!
|
.block()!!
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -953,7 +953,7 @@ This is because it can be derived from the currently logged in user.
|
||||||
=== Enable an Extension Grant Type
|
=== Enable an Extension Grant Type
|
||||||
|
|
||||||
A common use case involves enabling and/or configuring an extension grant type.
|
A common use case involves enabling and/or configuring an extension grant type.
|
||||||
For example, Spring Security provides support for the `jwt-bearer` grant type, but does not enable it by default because it is not part of the core OAuth 2.0 specification.
|
For example, Spring Security provides support for the `jwt-bearer` and `token-exchange` grant types, but does not enable them by default because they are not part of the core OAuth 2.0 specification.
|
||||||
|
|
||||||
With Spring Security 6.2 and later, we can simply publish a bean for one or more `OAuth2AuthorizedClientProvider` and they will be picked up automatically.
|
With Spring Security 6.2 and later, we can simply publish a bean for one or more `OAuth2AuthorizedClientProvider` and they will be picked up automatically.
|
||||||
The following example simply enables the `jwt-bearer` grant type:
|
The following example simply enables the `jwt-bearer` grant type:
|
||||||
|
@ -1356,12 +1356,18 @@ Spring Security automatically resolves the following generic types of `OAuth2Acc
|
||||||
* `OAuth2ClientCredentialsGrantRequest` (see `DefaultClientCredentialsTokenResponseClient`)
|
* `OAuth2ClientCredentialsGrantRequest` (see `DefaultClientCredentialsTokenResponseClient`)
|
||||||
* `OAuth2PasswordGrantRequest` (see `DefaultPasswordTokenResponseClient`)
|
* `OAuth2PasswordGrantRequest` (see `DefaultPasswordTokenResponseClient`)
|
||||||
* `JwtBearerGrantRequest` (see `DefaultJwtBearerTokenResponseClient`)
|
* `JwtBearerGrantRequest` (see `DefaultJwtBearerTokenResponseClient`)
|
||||||
|
* `TokenExchangeGrantRequest` (see `DefaultTokenExchangeTokenResponseClient`)
|
||||||
|
|
||||||
[TIP]
|
[TIP]
|
||||||
====
|
====
|
||||||
Publishing a bean of type `OAuth2AccessTokenResponseClient<JwtBearerGrantRequest>` will automatically enable the `jwt-bearer` grant type without the need to <<oauth2-client-enable-extension-grant-type,configure it separately>>.
|
Publishing a bean of type `OAuth2AccessTokenResponseClient<JwtBearerGrantRequest>` will automatically enable the `jwt-bearer` grant type without the need to <<oauth2-client-enable-extension-grant-type,configure it separately>>.
|
||||||
====
|
====
|
||||||
|
|
||||||
|
[TIP]
|
||||||
|
====
|
||||||
|
Publishing a bean of type `OAuth2AccessTokenResponseClient<TokenExchangeGrantRequest>` will automatically enable the `token-exchange` grant type without the need to <<oauth2-client-enable-extension-grant-type,configure it separately>>.
|
||||||
|
====
|
||||||
|
|
||||||
[[oauth2-client-customize-rest-operations]]
|
[[oauth2-client-customize-rest-operations]]
|
||||||
=== Customize the `RestOperations` used by OAuth2 Client Components
|
=== Customize the `RestOperations` used by OAuth2 Client Components
|
||||||
|
|
||||||
|
@ -1427,6 +1433,15 @@ public class SecurityConfig {
|
||||||
return accessTokenResponseClient;
|
return accessTokenResponseClient;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Bean
|
||||||
|
public OAuth2AccessTokenResponseClient<TokenExchangeGrantRequest> tokenExchangeAccessTokenResponseClient() {
|
||||||
|
DefaultTokenExchangeTokenResponseClient accessTokenResponseClient =
|
||||||
|
new DefaultTokenExchangeTokenResponseClient();
|
||||||
|
accessTokenResponseClient.setRestOperations(restTemplate());
|
||||||
|
|
||||||
|
return accessTokenResponseClient;
|
||||||
|
}
|
||||||
|
|
||||||
@Bean
|
@Bean
|
||||||
public RestTemplate restTemplate() {
|
public RestTemplate restTemplate() {
|
||||||
// ...
|
// ...
|
||||||
|
@ -1482,6 +1497,14 @@ class SecurityConfig {
|
||||||
return accessTokenResponseClient
|
return accessTokenResponseClient
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Bean
|
||||||
|
fun tokenExchangeAccessTokenResponseClient(): OAuth2AccessTokenResponseClient<TokenExchangeGrantRequest> {
|
||||||
|
val accessTokenResponseClient = DefaultTokenExchangeTokenResponseClient()
|
||||||
|
accessTokenResponseClient.setRestOperations(restTemplate())
|
||||||
|
|
||||||
|
return accessTokenResponseClient
|
||||||
|
}
|
||||||
|
|
||||||
@Bean
|
@Bean
|
||||||
fun restTemplate(): RestTemplate {
|
fun restTemplate(): RestTemplate {
|
||||||
// ...
|
// ...
|
||||||
|
@ -1561,6 +1584,14 @@ public class SecurityConfig {
|
||||||
new JwtBearerOAuth2AuthorizedClientProvider();
|
new JwtBearerOAuth2AuthorizedClientProvider();
|
||||||
jwtBearerAuthorizedClientProvider.setAccessTokenResponseClient(jwtBearerAccessTokenResponseClient);
|
jwtBearerAuthorizedClientProvider.setAccessTokenResponseClient(jwtBearerAccessTokenResponseClient);
|
||||||
|
|
||||||
|
DefaultTokenExchangeTokenResponseClient tokenExchangeAccessTokenResponseClient =
|
||||||
|
new DefaultTokenExchangeTokenResponseClient();
|
||||||
|
tokenExchangeAccessTokenResponseClient.setRestOperations(restTemplate());
|
||||||
|
|
||||||
|
TokenExchangeOAuth2AuthorizedClientProvider tokenExchangeAuthorizedClientProvider =
|
||||||
|
new TokenExchangeOAuth2AuthorizedClientProvider();
|
||||||
|
tokenExchangeAuthorizedClientProvider.setAccessTokenResponseClient(tokenExchangeAccessTokenResponseClient);
|
||||||
|
|
||||||
OAuth2AuthorizedClientProvider authorizedClientProvider =
|
OAuth2AuthorizedClientProvider authorizedClientProvider =
|
||||||
OAuth2AuthorizedClientProviderBuilder.builder()
|
OAuth2AuthorizedClientProviderBuilder.builder()
|
||||||
.authorizationCode()
|
.authorizationCode()
|
||||||
|
@ -1574,6 +1605,7 @@ public class SecurityConfig {
|
||||||
.accessTokenResponseClient(passwordAccessTokenResponseClient)
|
.accessTokenResponseClient(passwordAccessTokenResponseClient)
|
||||||
)
|
)
|
||||||
.provider(jwtBearerAuthorizedClientProvider)
|
.provider(jwtBearerAuthorizedClientProvider)
|
||||||
|
.provider(tokenExchangeAuthorizedClientProvider)
|
||||||
.build();
|
.build();
|
||||||
|
|
||||||
DefaultOAuth2AuthorizedClientManager authorizedClientManager =
|
DefaultOAuth2AuthorizedClientManager authorizedClientManager =
|
||||||
|
@ -1644,6 +1676,12 @@ class SecurityConfig {
|
||||||
val jwtBearerAuthorizedClientProvider = JwtBearerOAuth2AuthorizedClientProvider()
|
val jwtBearerAuthorizedClientProvider = JwtBearerOAuth2AuthorizedClientProvider()
|
||||||
jwtBearerAuthorizedClientProvider.setAccessTokenResponseClient(jwtBearerAccessTokenResponseClient)
|
jwtBearerAuthorizedClientProvider.setAccessTokenResponseClient(jwtBearerAccessTokenResponseClient)
|
||||||
|
|
||||||
|
val tokenExchangeAccessTokenResponseClient = DefaultTokenExchangeTokenResponseClient()
|
||||||
|
tokenExchangeAccessTokenResponseClient.setRestOperations(restTemplate())
|
||||||
|
|
||||||
|
val tokenExchangeAuthorizedClientProvider = TokenExchangeOAuth2AuthorizedClientProvider()
|
||||||
|
tokenExchangeAuthorizedClientProvider.setAccessTokenResponseClient(tokenExchangeAccessTokenResponseClient)
|
||||||
|
|
||||||
val authorizedClientProvider = OAuth2AuthorizedClientProviderBuilder.builder()
|
val authorizedClientProvider = OAuth2AuthorizedClientProviderBuilder.builder()
|
||||||
.authorizationCode()
|
.authorizationCode()
|
||||||
.refreshToken { refreshToken ->
|
.refreshToken { refreshToken ->
|
||||||
|
@ -1656,6 +1694,7 @@ class SecurityConfig {
|
||||||
password.accessTokenResponseClient(passwordAccessTokenResponseClient)
|
password.accessTokenResponseClient(passwordAccessTokenResponseClient)
|
||||||
}
|
}
|
||||||
.provider(jwtBearerAuthorizedClientProvider)
|
.provider(jwtBearerAuthorizedClientProvider)
|
||||||
|
.provider(tokenExchangeAuthorizedClientProvider)
|
||||||
.build()
|
.build()
|
||||||
|
|
||||||
val authorizedClientManager = DefaultOAuth2AuthorizedClientManager(
|
val authorizedClientManager = DefaultOAuth2AuthorizedClientManager(
|
||||||
|
|