Steve Riesenberg
parent
22f84cf3f3
commit
be340a0085
|
|
@ -491,7 +491,7 @@ With the above configuration, the application now supports two additional endpoi
|
|||
====
|
||||
The presence of the `openid` scope in the above configuration indicates that OpenID Connect 1.0 should be used.
|
||||
This instructs Spring Security to use OIDC-specific components (such as `OidcUserService`) during request processing.
|
||||
Without this scope, Spring Security will use OAuth2-specific components (such as `OAuth2UserService`) instead.
|
||||
Without this scope, Spring Security will use OAuth2-specific components (such as `DefaultOAuth2UserService`) instead.
|
||||
====
|
||||
|
||||
[[oauth2-client-access-protected-resources]]
|
||||
|
|
@ -708,7 +708,7 @@ class MessagesController(private val webClient: WebClient) {
|
|||
.uri("http://localhost:8090/messages")
|
||||
.attributes(clientRegistrationId("my-oauth2-client"))
|
||||
.retrieve()
|
||||
.toEntityList(Message::class.java)
|
||||
.toEntityList<Message>()
|
||||
.block()!!
|
||||
}
|
||||
|
||||
|
|
@ -933,7 +933,7 @@ class MessagesController(private val webClient: WebClient) {
|
|||
return webClient.get()
|
||||
.uri("http://localhost:8090/messages")
|
||||
.retrieve()
|
||||
.toEntityList(Message::class.java)
|
||||
.toEntityList<Message>()
|
||||
.block()!!
|
||||
}
|
||||
|
||||
|
|
@ -953,7 +953,7 @@ This is because it can be derived from the currently logged in user.
|
|||
=== Enable an Extension Grant Type
|
||||
|
||||
A common use case involves enabling and/or configuring an extension grant type.
|
||||
For example, Spring Security provides support for the `jwt-bearer` grant type, but does not enable it by default because it is not part of the core OAuth 2.0 specification.
|
||||
For example, Spring Security provides support for the `jwt-bearer` and `token-exchange` grant types, but does not enable them by default because they are not part of the core OAuth 2.0 specification.
|
||||
|
||||
With Spring Security 6.2 and later, we can simply publish a bean for one or more `OAuth2AuthorizedClientProvider` and they will be picked up automatically.
|
||||
The following example simply enables the `jwt-bearer` grant type:
|
||||
|
|
@ -1356,12 +1356,18 @@ Spring Security automatically resolves the following generic types of `OAuth2Acc
|
|||
* `OAuth2ClientCredentialsGrantRequest` (see `DefaultClientCredentialsTokenResponseClient`)
|
||||
* `OAuth2PasswordGrantRequest` (see `DefaultPasswordTokenResponseClient`)
|
||||
* `JwtBearerGrantRequest` (see `DefaultJwtBearerTokenResponseClient`)
|
||||
* `TokenExchangeGrantRequest` (see `DefaultTokenExchangeTokenResponseClient`)
|
||||
|
||||
[TIP]
|
||||
====
|
||||
Publishing a bean of type `OAuth2AccessTokenResponseClient<JwtBearerGrantRequest>` will automatically enable the `jwt-bearer` grant type without the need to <<oauth2-client-enable-extension-grant-type,configure it separately>>.
|
||||
====
|
||||
|
||||
[TIP]
|
||||
====
|
||||
Publishing a bean of type `OAuth2AccessTokenResponseClient<TokenExchangeGrantRequest>` will automatically enable the `token-exchange` grant type without the need to <<oauth2-client-enable-extension-grant-type,configure it separately>>.
|
||||
====
|
||||
|
||||
[[oauth2-client-customize-rest-operations]]
|
||||
=== Customize the `RestOperations` used by OAuth2 Client Components
|
||||
|
||||
|
|
@ -1427,6 +1433,15 @@ public class SecurityConfig {
|
|||
return accessTokenResponseClient;
|
||||
}
|
||||
|
||||
@Bean
|
||||
public OAuth2AccessTokenResponseClient<TokenExchangeGrantRequest> tokenExchangeAccessTokenResponseClient() {
|
||||
DefaultTokenExchangeTokenResponseClient accessTokenResponseClient =
|
||||
new DefaultTokenExchangeTokenResponseClient();
|
||||
accessTokenResponseClient.setRestOperations(restTemplate());
|
||||
|
||||
return accessTokenResponseClient;
|
||||
}
|
||||
|
||||
@Bean
|
||||
public RestTemplate restTemplate() {
|
||||
// ...
|
||||
|
|
@ -1482,6 +1497,14 @@ class SecurityConfig {
|
|||
return accessTokenResponseClient
|
||||
}
|
||||
|
||||
@Bean
|
||||
fun tokenExchangeAccessTokenResponseClient(): OAuth2AccessTokenResponseClient<TokenExchangeGrantRequest> {
|
||||
val accessTokenResponseClient = DefaultTokenExchangeTokenResponseClient()
|
||||
accessTokenResponseClient.setRestOperations(restTemplate())
|
||||
|
||||
return accessTokenResponseClient
|
||||
}
|
||||
|
||||
@Bean
|
||||
fun restTemplate(): RestTemplate {
|
||||
// ...
|
||||
|
|
@ -1561,6 +1584,14 @@ public class SecurityConfig {
|
|||
new JwtBearerOAuth2AuthorizedClientProvider();
|
||||
jwtBearerAuthorizedClientProvider.setAccessTokenResponseClient(jwtBearerAccessTokenResponseClient);
|
||||
|
||||
DefaultTokenExchangeTokenResponseClient tokenExchangeAccessTokenResponseClient =
|
||||
new DefaultTokenExchangeTokenResponseClient();
|
||||
tokenExchangeAccessTokenResponseClient.setRestOperations(restTemplate());
|
||||
|
||||
TokenExchangeOAuth2AuthorizedClientProvider tokenExchangeAuthorizedClientProvider =
|
||||
new TokenExchangeOAuth2AuthorizedClientProvider();
|
||||
tokenExchangeAuthorizedClientProvider.setAccessTokenResponseClient(tokenExchangeAccessTokenResponseClient);
|
||||
|
||||
OAuth2AuthorizedClientProvider authorizedClientProvider =
|
||||
OAuth2AuthorizedClientProviderBuilder.builder()
|
||||
.authorizationCode()
|
||||
|
|
@ -1574,6 +1605,7 @@ public class SecurityConfig {
|
|||
.accessTokenResponseClient(passwordAccessTokenResponseClient)
|
||||
)
|
||||
.provider(jwtBearerAuthorizedClientProvider)
|
||||
.provider(tokenExchangeAuthorizedClientProvider)
|
||||
.build();
|
||||
|
||||
DefaultOAuth2AuthorizedClientManager authorizedClientManager =
|
||||
|
|
@ -1644,6 +1676,12 @@ class SecurityConfig {
|
|||
val jwtBearerAuthorizedClientProvider = JwtBearerOAuth2AuthorizedClientProvider()
|
||||
jwtBearerAuthorizedClientProvider.setAccessTokenResponseClient(jwtBearerAccessTokenResponseClient)
|
||||
|
||||
val tokenExchangeAccessTokenResponseClient = DefaultTokenExchangeTokenResponseClient()
|
||||
tokenExchangeAccessTokenResponseClient.setRestOperations(restTemplate())
|
||||
|
||||
val tokenExchangeAuthorizedClientProvider = TokenExchangeOAuth2AuthorizedClientProvider()
|
||||
tokenExchangeAuthorizedClientProvider.setAccessTokenResponseClient(tokenExchangeAccessTokenResponseClient)
|
||||
|
||||
val authorizedClientProvider = OAuth2AuthorizedClientProviderBuilder.builder()
|
||||
.authorizationCode()
|
||||
.refreshToken { refreshToken ->
|
||||
|
|
@ -1656,6 +1694,7 @@ class SecurityConfig {
|
|||
password.accessTokenResponseClient(passwordAccessTokenResponseClient)
|
||||
}
|
||||
.provider(jwtBearerAuthorizedClientProvider)
|
||||
.provider(tokenExchangeAuthorizedClientProvider)
|
||||
.build()
|
||||
|
||||
val authorizedClientManager = DefaultOAuth2AuthorizedClientManager(
|
||||
|
|
|
|||
Loading…
Reference in New Issue