|
此版本仍在开发中,尚未被视为稳定版本。对于最新的稳定版本,请使用 Spring Security 6.4.1! |
授权授予支持
本节描述了 Spring Security 对授权授予的支持。
授权码
|
请参阅 OAuth 2.0 授权框架,了解有关授权码授予的更多详细信息。 |
获取授权
|
请参阅授权请求/响应协议流程,了解授权码授予。 |
发起授权请求
这OAuth2AuthorizationRequestRedirectWebFilter使用ServerOAuth2AuthorizationRequestResolver要解析OAuth2AuthorizationRequest并通过将最终用户的用户代理重定向到授权服务器的授权端点来启动授权代码授予流程。
主要角色ServerOAuth2AuthorizationRequestResolver是解析OAuth2AuthorizationRequest从提供的 Web 请求。
默认实现DefaultServerOAuth2AuthorizationRequestResolver(默认)路径上的 matches/oauth2/authorization/{registrationId}提取registrationId并使用它来构建OAuth2AuthorizationRequest对于关联的ClientRegistration.
给定 OAuth 2.0 客户端注册的以下 Spring Boot 属性:
spring:
security:
oauth2:
client:
registration:
okta:
client-id: okta-client-id
client-secret: okta-client-secret
authorization-grant-type: authorization_code
redirect-uri: "{baseUrl}/authorized/okta"
scope: read, write
provider:
okta:
authorization-uri: https://dev-1234.oktapreview.com/oauth2/v1/authorize
token-uri: https://dev-1234.oktapreview.com/oauth2/v1/token具有基本路径的请求/oauth2/authorization/okta将启动 Authorization Request 重定向OAuth2AuthorizationRequestRedirectWebFilter并最终启动授权代码授予流程。
|
这 |
如果 OAuth 2.0 客户端是公共客户端,则按如下方式配置 OAuth 2.0 客户端注册:
spring:
security:
oauth2:
client:
registration:
okta:
client-id: okta-client-id
client-authentication-method: none
authorization-grant-type: authorization_code
redirect-uri: "{baseUrl}/authorized/okta"
# ...支持使用代码交换证明密钥 (PKCE) 的公共客户端。 如果客户端在不受信任的环境中运行(例如,本机应用程序或基于 Web 浏览器的应用程序),因此无法维护其凭据的机密性,则当满足以下条件时,将自动使用 PKCE:
-
client-secret被省略(或为空) -
client-authentication-method设置为 “none” (ClientAuthenticationMethod.NONE)
|
如果 OAuth 2.0 提供者支持机密客户端的 PKCE,您可以(可选)使用 |
以下配置使用所有支持的URI模板变量:
spring:
security:
oauth2:
client:
registration:
okta:
# ...
redirect-uri: "{baseScheme}://{baseHost}{basePort}{basePath}/authorized/{registrationId}"
# ...|
|
配置redirect-uri跟URI当 OAuth 2.0 客户端在 Proxy Server 后面运行时,模板变量特别有用。
这可确保X-Forwarded-*扩展redirect-uri.
自定义授权请求
主要用例之一是ServerOAuth2AuthorizationRequestResolver可以实现的是能够使用高于 OAuth 2.0 授权框架中定义的标准参数的其他参数自定义授权请求。
例如,OpenID Connect 为授权代码流定义了其他 OAuth 2.0 请求参数,该请求参数从 OAuth 2.0 授权框架中定义的标准参数扩展而来。
其中一个扩展参数是prompt参数。
|
这 |
以下示例显示如何配置DefaultServerOAuth2AuthorizationRequestResolver替换为Consumer<OAuth2AuthorizationRequest.Builder>自定义oauth2Login(),通过包含 request 参数prompt=consent.
-
Java
-
Kotlin
@Configuration
@EnableWebFluxSecurity
public class OAuth2LoginSecurityConfig {
@Autowired
private ReactiveClientRegistrationRepository clientRegistrationRepository;
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
http
.authorizeExchange(authorize -> authorize
.anyExchange().authenticated()
)
.oauth2Login(oauth2 -> oauth2
.authorizationRequestResolver(
authorizationRequestResolver(this.clientRegistrationRepository)
)
);
return http.build();
}
private ServerOAuth2AuthorizationRequestResolver authorizationRequestResolver(
ReactiveClientRegistrationRepository clientRegistrationRepository) {
DefaultServerOAuth2AuthorizationRequestResolver authorizationRequestResolver =
new DefaultServerOAuth2AuthorizationRequestResolver(
clientRegistrationRepository);
authorizationRequestResolver.setAuthorizationRequestCustomizer(
authorizationRequestCustomizer());
return authorizationRequestResolver;
}
private Consumer<OAuth2AuthorizationRequest.Builder> authorizationRequestCustomizer() {
return customizer -> customizer
.additionalParameters(params -> params.put("prompt", "consent"));
}
}@Configuration
@EnableWebFluxSecurity
class SecurityConfig {
@Autowired
private lateinit var customClientRegistrationRepository: ReactiveClientRegistrationRepository
@Bean
fun securityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
http {
authorizeExchange {
authorize(anyExchange, authenticated)
}
oauth2Login {
authorizationRequestResolver = authorizationRequestResolver(customClientRegistrationRepository)
}
}
return http.build()
}
private fun authorizationRequestResolver(
clientRegistrationRepository: ReactiveClientRegistrationRepository): ServerOAuth2AuthorizationRequestResolver {
val authorizationRequestResolver = DefaultServerOAuth2AuthorizationRequestResolver(
clientRegistrationRepository)
authorizationRequestResolver.setAuthorizationRequestCustomizer(
authorizationRequestCustomizer())
return authorizationRequestResolver
}
private fun authorizationRequestCustomizer(): Consumer<OAuth2AuthorizationRequest.Builder> {
return Consumer { customizer ->
customizer
.additionalParameters { params -> params["prompt"] = "consent" }
}
}
}对于简单的用例,其中特定提供商的附加请求参数始终相同,可以直接将其添加到authorization-uri财产。
例如,如果 request 参数prompt总是consent对于提供商okta,而不是简单地配置如下:
spring:
security:
oauth2:
client:
provider:
okta:
authorization-uri: https://dev-1234.oktapreview.com/oauth2/v1/authorize?prompt=consent前面的示例显示了在标准参数之上添加自定义参数的常见使用案例。
或者,如果您的要求更高级,则只需覆盖OAuth2AuthorizationRequest.authorizationRequestUri财产。
|
|
以下示例显示了authorizationRequestCustomizer(),而是覆盖OAuth2AuthorizationRequest.authorizationRequestUri财产。
-
Java
-
Kotlin
private Consumer<OAuth2AuthorizationRequest.Builder> authorizationRequestCustomizer() {
return customizer -> customizer
.authorizationRequestUri(uriBuilder -> uriBuilder
.queryParam("prompt", "consent").build());
}private fun authorizationRequestCustomizer(): Consumer<OAuth2AuthorizationRequest.Builder> {
return Consumer { customizer: OAuth2AuthorizationRequest.Builder ->
customizer
.authorizationRequestUri { uriBuilder: UriBuilder ->
uriBuilder
.queryParam("prompt", "consent").build()
}
}
}存储授权请求
这ServerAuthorizationRequestRepository负责OAuth2AuthorizationRequest从发起授权请求到收到授权响应(回调)的时间。
|
这 |
的默认实现ServerAuthorizationRequestRepository是WebSessionOAuth2ServerAuthorizationRequestRepository,它将OAuth2AuthorizationRequest在WebSession.
如果您有ServerAuthorizationRequestRepository,您可以按照以下示例所示对其进行配置:
-
Java
-
Kotlin
@Configuration
@EnableWebFluxSecurity
public class OAuth2ClientSecurityConfig {
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
http
.oauth2Client(oauth2 -> oauth2
.authorizationRequestRepository(this.authorizationRequestRepository())
// ...
);
return http.build();
}
}@Configuration
@EnableWebFluxSecurity
class OAuth2ClientSecurityConfig {
@Bean
fun securityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
http {
oauth2Client {
authorizationRequestRepository = authorizationRequestRepository()
}
}
return http.build()
}
}申请 Access Token
|
请参阅访问令牌请求/响应协议流程,了解授权码的授予。 |
的默认实现ReactiveOAuth2AccessTokenResponseClient的授权码 grant 为WebClientReactiveAuthorizationCodeTokenResponseClient,它使用WebClient用于在 Authorization Server 的令牌端点上将授权码交换为访问令牌。
自定义WebClientReactiveAuthorizationCodeTokenResponseClient,只需提供一个 bean,如下例所示,它将被默认选取ReactiveOAuth2AuthorizedClientManager自然而然:
WebClientReactiveAuthorizationCodeTokenResponseClient非常灵活,并提供了多个选项来自定义授权码授予的 OAuth 2.0 访问令牌请求和响应。
从以下使用案例中进行选择以了解更多信息:
自定义 Access Token 请求
WebClientReactiveAuthorizationCodeTokenResponseClient提供 hook 用于自定义 Token Request 的 HTTP 头和请求参数。
自定义请求标头
自定义 HTTP 标头有两个选项:
-
通过调用
addHeadersConverter() -
通过调用
setHeadersConverter()
您可以包含其他标头,而不会影响使用addHeadersConverter().
以下示例添加了一个User-Agent标头添加到请求中时,registrationId是spring:
-
Java
-
Kotlin
WebClientReactiveAuthorizationCodeTokenResponseClient accessTokenResponseClient =
new WebClientReactiveAuthorizationCodeTokenResponseClient();
accessTokenResponseClient.addHeadersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
HttpHeaders headers = new HttpHeaders();
if (clientRegistration.getRegistrationId().equals("spring")) {
headers.set(HttpHeaders.USER_AGENT, "my-user-agent");
}
return headers;
});val accessTokenResponseClient = WebClientReactiveAuthorizationCodeTokenResponseClient()
accessTokenResponseClient.addHeadersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val headers = HttpHeaders()
if (clientRegistration.getRegistrationId() == "spring") {
headers[HttpHeaders.USER_AGENT] = "my-user-agent"
}
headers
}您可以通过重复使用来完全自定义标头DefaultOAuth2TokenRequestHeadersConverter或使用setHeadersConverter().
以下示例重用DefaultOAuth2TokenRequestHeadersConverter并禁用encodeClientCredentials,以便 HTTP Basic 凭证不再使用application/x-www-form-urlencoded:
-
Java
-
Kotlin
DefaultOAuth2TokenRequestHeadersConverter headersConverter =
new DefaultOAuth2TokenRequestHeadersConverter();
headersConverter.setEncodeClientCredentials(false);
WebClientReactiveAuthorizationCodeTokenResponseClient accessTokenResponseClient =
new WebClientReactiveAuthorizationCodeTokenResponseClient();
accessTokenResponseClient.setHeadersConverter(headersConverter);val headersConverter = DefaultOAuth2TokenRequestHeadersConverter()
headersConverter.setEncodeClientCredentials(false)
val accessTokenResponseClient = WebClientReactiveAuthorizationCodeTokenResponseClient()
accessTokenResponseClient.setHeadersConverter(headersConverter)自定义请求参数
有三个选项可用于自定义请求参数:
-
通过调用
addParametersConverter() -
通过调用
setParametersConverter() -
通过调用
setParametersCustomizer()
|
用 |
您可以包含其他参数,而不会影响使用addParametersConverter().
以下示例添加了一个audience参数添加到请求中时,registrationId是keycloak:
-
Java
-
Kotlin
WebClientReactiveAuthorizationCodeTokenResponseClient accessTokenResponseClient =
new WebClientReactiveAuthorizationCodeTokenResponseClient();
accessTokenResponseClient.addParametersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
MultiValueMap<String, String> parameters = new LinkedMultiValueMap<String, String>();
if (clientRegistration.getRegistrationId().equals("keycloak")) {
parameters.set(OAuth2ParameterNames.AUDIENCE, "my-audience");
}
return parameters;
});val accessTokenResponseClient = WebClientReactiveAuthorizationCodeTokenResponseClient()
accessTokenResponseClient.addParametersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val parameters = LinkedMultiValueMap<String, String>()
if (clientRegistration.getRegistrationId() == "keycloak") {
parameters[OAuth2ParameterNames.AUDIENCE] = "my-audience"
}
parameters
}您可以使用setParametersConverter().
以下示例将client_id参数,当registrationId是okta:
-
Java
-
Kotlin
WebClientReactiveAuthorizationCodeTokenResponseClient accessTokenResponseClient =
new WebClientReactiveAuthorizationCodeTokenResponseClient();
accessTokenResponseClient.setParametersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
LinkedMultiValueMap<String, String> parameters = new LinkedMultiValueMap<>();
if (clientRegistration.getRegistrationId().equals("okta")) {
parameters.set(OAuth2ParameterNames.CLIENT_ID, "my-client");
}
return parameters;
});val accessTokenResponseClient = WebClientReactiveAuthorizationCodeTokenResponseClient()
accessTokenResponseClient.setParametersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val parameters = LinkedMultiValueMap<String, String>()
if (clientRegistration.getRegistrationId() == "okta") {
parameters[OAuth2ParameterNames.CLIENT_ID] = "my-client"
}
parameters
}您可以使用setParametersCustomizer().
以下示例省略了client_id参数,当client_assertion参数:
-
Java
-
Kotlin
WebClientReactiveAuthorizationCodeTokenResponseClient accessTokenResponseClient =
new WebClientReactiveAuthorizationCodeTokenResponseClient();
accessTokenResponseClient.setParametersCustomizer(parameters -> {
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID);
}
});val accessTokenResponseClient = WebClientReactiveAuthorizationCodeTokenResponseClient()
accessTokenResponseClient.setParametersCustomizer { parameters ->
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID)
}
}自定义访问令牌响应
WebClientReactiveAuthorizationCodeTokenResponseClient提供用于自定义 OAuth 2.0 访问令牌响应的钩子。
自定义响应参数
您可以自定义 Token Response 参数到OAuth2AccessTokenResponse通过调用setBodyExtractor().
由OAuth2BodyExtractors.oauth2AccessTokenResponse()解析响应并相应地处理错误。
以下示例提供了自定义 Token Response 参数转换为OAuth2AccessTokenResponse:
-
Java
-
Kotlin
WebClientReactiveAuthorizationCodeTokenResponseClient accessTokenResponseClient =
new WebClientReactiveAuthorizationCodeTokenResponseClient();
BodyExtractor<Mono<Map<String, Object>>, ReactiveHttpInputMessage> bodyExtractor =
BodyExtractors.toMono(new ParameterizedTypeReference<>() {});
accessTokenResponseClient.setBodyExtractor((inputMessage, context) ->
bodyExtractor.extract(inputMessage, context)
.map(parameters -> OAuth2AccessTokenResponse.withToken("custom-token")
// ...
.build()
)
);val accessTokenResponseClient = WebClientReactiveAuthorizationCodeTokenResponseClient()
val bodyExtractor = BodyExtractors.toMono(object : ParameterizedTypeReference<Map<String, Any>>() {})
accessTokenResponseClient.setBodyExtractor { inputMessage, context ->
bodyExtractor.extract(inputMessage, context).map { parameters ->
OAuth2AccessTokenResponse.withToken("custom-token")
// ...
.build()
}
}|
当提供自定义 |
自定义WebClient
或者,如果您的要求更高级,您可以通过提供预配置的WebClient自setWebClient()如下例所示:
WebClient-
Java
-
Kotlin
WebClient webClient = WebClient.builder()
// ...
.build();
WebClientReactiveAuthorizationCodeTokenResponseClient accessTokenResponseClient =
new WebClientReactiveAuthorizationCodeTokenResponseClient();
accessTokenResponseClient.setWebClient(webClient);val webClient = WebClient.builder()
// ...
.build()
val accessTokenResponseClient = WebClientReactiveAuthorizationCodeTokenResponseClient()
accessTokenResponseClient.setWebClient(webClient)使用 DSL 进行自定义
无论您是否自定义WebClientReactiveAuthorizationCodeTokenResponseClient或提供您自己的ReactiveOAuth2AccessTokenResponseClient,你可以使用 DSL 对其进行配置(作为发布 bean 的替代方法),如以下示例所示:
-
Java
-
Kotlin
@Configuration
@EnableWebFluxSecurity
public class OAuth2ClientSecurityConfig {
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
http
.oauth2Client(oauth2 -> oauth2
.authenticationManager(this.authorizationCodeAuthenticationManager())
// ...
);
return http.build();
}
private ReactiveAuthenticationManager authorizationCodeAuthenticationManager() {
WebClientReactiveAuthorizationCodeTokenResponseClient accessTokenResponseClient =
new WebClientReactiveAuthorizationCodeTokenResponseClient();
// ...
return new OAuth2AuthorizationCodeReactiveAuthenticationManager(accessTokenResponseClient);
}
}@Configuration
@EnableWebFluxSecurity
class OAuth2ClientSecurityConfig {
@Bean
fun securityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
http {
oauth2Client {
authenticationManager = authorizationCodeAuthenticationManager()
}
}
return http.build()
}
private fun authorizationCodeAuthenticationManager(): ReactiveAuthenticationManager {
val accessTokenResponseClient = WebClientReactiveAuthorizationCodeTokenResponseClient()
// ...
return OAuth2AuthorizationCodeReactiveAuthenticationManager(accessTokenResponseClient)
}
}刷新令牌
|
请参阅 OAuth 2.0 授权框架,了解有关刷新令牌的更多详细信息。 |
刷新 Access Token
|
请参阅访问令牌请求/响应协议流程,了解刷新令牌授予。 |
的默认实现ReactiveOAuth2AccessTokenResponseClient的 Refresh Token grant 为WebClientReactiveRefreshTokenTokenResponseClient,它使用WebClient在 Authorization Server 的令牌端点刷新访问令牌时。
自定义WebClientReactiveRefreshTokenTokenResponseClient,只需提供一个 bean,如下例所示,它将被默认选取ReactiveOAuth2AuthorizedClientManager自然而然:
-
Java
-
Kotlin
@Bean
public ReactiveOAuth2AccessTokenResponseClient<OAuth2RefreshTokenGrantRequest> accessTokenResponseClient() {
WebClientReactiveRefreshTokenTokenResponseClient accessTokenResponseClient =
new WebClientReactiveRefreshTokenTokenResponseClient();
// ...
return accessTokenResponseClient;
}@Bean
fun accessTokenResponseClient(): ReactiveOAuth2AccessTokenResponseClient<Refresh Token> {
val accessTokenResponseClient = WebClientReactiveRefreshTokenTokenResponseClient()
// ...
return accessTokenResponseClient
}WebClientReactiveRefreshTokenTokenResponseClient非常灵活,并提供了多个选项来自定义 OAuth 2.0 访问令牌请求和刷新令牌授予的响应。
从以下使用案例中进行选择以了解更多信息:
自定义 Access Token 请求
WebClientReactiveRefreshTokenTokenResponseClient提供 hook 用于自定义 Token Request 的 HTTP 头和请求参数。
自定义请求标头
自定义 HTTP 标头有两个选项:
-
通过调用
addHeadersConverter() -
通过调用
setHeadersConverter()
您可以包含其他标头,而不会影响使用addHeadersConverter().
以下示例添加了一个User-Agent标头添加到请求中时,registrationId是spring:
-
Java
-
Kotlin
WebClientReactiveRefreshTokenTokenResponseClient accessTokenResponseClient =
new WebClientReactiveRefreshTokenTokenResponseClient();
accessTokenResponseClient.addHeadersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
HttpHeaders headers = new HttpHeaders();
if (clientRegistration.getRegistrationId().equals("spring")) {
headers.set(HttpHeaders.USER_AGENT, "my-user-agent");
}
return headers;
});val accessTokenResponseClient = WebClientReactiveRefreshTokenTokenResponseClient()
accessTokenResponseClient.addHeadersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val headers = HttpHeaders()
if (clientRegistration.getRegistrationId() == "spring") {
headers[HttpHeaders.USER_AGENT] = "my-user-agent"
}
headers
}您可以通过重复使用来完全自定义标头DefaultOAuth2TokenRequestHeadersConverter或使用setHeadersConverter().
以下示例重用DefaultOAuth2TokenRequestHeadersConverter并禁用encodeClientCredentials,以便 HTTP Basic 凭证不再使用application/x-www-form-urlencoded:
-
Java
-
Kotlin
DefaultOAuth2TokenRequestHeadersConverter headersConverter =
new DefaultOAuth2TokenRequestHeadersConverter();
headersConverter.setEncodeClientCredentials(false);
WebClientReactiveRefreshTokenTokenResponseClient accessTokenResponseClient =
new WebClientReactiveRefreshTokenTokenResponseClient();
accessTokenResponseClient.setHeadersConverter(headersConverter);val headersConverter = DefaultOAuth2TokenRequestHeadersConverter()
headersConverter.setEncodeClientCredentials(false)
val accessTokenResponseClient = WebClientReactiveRefreshTokenTokenResponseClient()
accessTokenResponseClient.setHeadersConverter(headersConverter)自定义请求参数
有三个选项可用于自定义请求参数:
-
通过调用
addParametersConverter() -
通过调用
setParametersConverter() -
通过调用
setParametersCustomizer()
|
用 |
您可以包含其他参数,而不会影响使用addParametersConverter().
以下示例添加了一个audience参数添加到请求中时,registrationId是keycloak:
-
Java
-
Kotlin
WebClientReactiveRefreshTokenTokenResponseClient accessTokenResponseClient =
new WebClientReactiveRefreshTokenTokenResponseClient();
accessTokenResponseClient.addParametersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
MultiValueMap<String, String> parameters = new LinkedMultiValueMap<String, String>();
if (clientRegistration.getRegistrationId().equals("keycloak")) {
parameters.set(OAuth2ParameterNames.AUDIENCE, "my-audience");
}
return parameters;
});val accessTokenResponseClient = WebClientReactiveRefreshTokenTokenResponseClient()
accessTokenResponseClient.addParametersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val parameters = LinkedMultiValueMap<String, String>()
if (clientRegistration.getRegistrationId() == "keycloak") {
parameters[OAuth2ParameterNames.AUDIENCE] = "my-audience"
}
parameters
}您可以使用setParametersConverter().
以下示例将client_id参数,当registrationId是okta:
-
Java
-
Kotlin
WebClientReactiveRefreshTokenTokenResponseClient accessTokenResponseClient =
new WebClientReactiveRefreshTokenTokenResponseClient();
accessTokenResponseClient.setParametersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
LinkedMultiValueMap<String, String> parameters = new LinkedMultiValueMap<>();
if (clientRegistration.getRegistrationId().equals("okta")) {
parameters.set(OAuth2ParameterNames.CLIENT_ID, "my-client");
}
return parameters;
});val accessTokenResponseClient = WebClientReactiveRefreshTokenTokenResponseClient()
accessTokenResponseClient.setParametersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val parameters = LinkedMultiValueMap<String, String>()
if (clientRegistration.getRegistrationId() == "okta") {
parameters[OAuth2ParameterNames.CLIENT_ID] = "my-client"
}
parameters
}您可以使用setParametersCustomizer().
以下示例省略了client_id参数,当client_assertion参数:
-
Java
-
Kotlin
WebClientReactiveRefreshTokenTokenResponseClient accessTokenResponseClient =
new WebClientReactiveRefreshTokenTokenResponseClient();
accessTokenResponseClient.setParametersCustomizer(parameters -> {
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID);
}
});val accessTokenResponseClient = WebClientReactiveRefreshTokenTokenResponseClient()
accessTokenResponseClient.setParametersCustomizer { parameters ->
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID)
}
}自定义访问令牌响应
WebClientReactiveRefreshTokenTokenResponseClient提供用于自定义 OAuth 2.0 访问令牌响应的钩子。
自定义响应参数
您可以自定义 Token Response 参数到OAuth2AccessTokenResponse通过调用setBodyExtractor().
由OAuth2BodyExtractors.oauth2AccessTokenResponse()解析响应并相应地处理错误。
以下示例提供了自定义 Token Response 参数转换为OAuth2AccessTokenResponse:
-
Java
-
Kotlin
WebClientReactiveRefreshTokenTokenResponseClient accessTokenResponseClient =
new WebClientReactiveRefreshTokenTokenResponseClient();
BodyExtractor<Mono<Map<String, Object>>, ReactiveHttpInputMessage> bodyExtractor =
BodyExtractors.toMono(new ParameterizedTypeReference<>() {});
accessTokenResponseClient.setBodyExtractor((inputMessage, context) ->
bodyExtractor.extract(inputMessage, context)
.map(parameters -> OAuth2AccessTokenResponse.withToken("custom-token")
// ...
.build()
)
);val accessTokenResponseClient = WebClientReactiveRefreshTokenTokenResponseClient()
val bodyExtractor = BodyExtractors.toMono(object : ParameterizedTypeReference<Map<String, Any>>() {})
accessTokenResponseClient.setBodyExtractor { inputMessage, context ->
bodyExtractor.extract(inputMessage, context).map { parameters ->
OAuth2AccessTokenResponse.withToken("custom-token")
// ...
.build()
}
}|
当提供自定义 |
自定义WebClient
或者,如果您的要求更高级,您可以通过提供预配置的WebClient自setWebClient()如下例所示:
WebClient-
Java
-
Kotlin
WebClient webClient = WebClient.builder()
// ...
.build();
WebClientReactiveRefreshTokenTokenResponseClient accessTokenResponseClient =
new WebClientReactiveRefreshTokenTokenResponseClient();
accessTokenResponseClient.setWebClient(webClient);val webClient = WebClient.builder()
// ...
.build()
val accessTokenResponseClient = WebClientReactiveRefreshTokenTokenResponseClient()
accessTokenResponseClient.setWebClient(webClient)使用 Builder 进行自定义
无论您是否自定义WebClientReactiveRefreshTokenTokenResponseClient或提供您自己的ReactiveOAuth2AccessTokenResponseClient,您可以使用ReactiveOAuth2AuthorizedClientProviderBuilder(作为发布 bean 的替代方法),如下所示:
-
Java
-
Kotlin
// Customize
ReactiveOAuth2AccessTokenResponseClient<OAuth2RefreshTokenGrantRequest> refreshTokenTokenResponseClient = ...
ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.authorizationCode()
.refreshToken(configurer -> configurer.accessTokenResponseClient(refreshTokenTokenResponseClient))
.build();
// ...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);// Customize
val refreshTokenTokenResponseClient: ReactiveOAuth2AccessTokenResponseClient<OAuth2RefreshTokenGrantRequest> = ...
val authorizedClientProvider: ReactiveOAuth2AuthorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.authorizationCode()
.refreshToken { it.accessTokenResponseClient(refreshTokenTokenResponseClient) }
.build()
// ...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)|
|
这OAuth2RefreshToken可以选择在 Access Token Response 中返回authorization_code和password授权类型。
如果OAuth2AuthorizedClient.getRefreshToken()可用,并且OAuth2AuthorizedClient.getAccessToken()已过期,则会自动由RefreshTokenReactiveOAuth2AuthorizedClientProvider.
客户端凭证
|
请参阅 OAuth 2.0 授权框架,了解有关客户端凭证授予的更多详细信息。 |
申请 Access Token
|
请参阅访问令牌请求/响应协议流程,了解客户端凭证授予。 |
的默认实现ReactiveOAuth2AccessTokenResponseClient对于 Client Credentials (客户端凭证) 授予为WebClientReactiveClientCredentialsTokenResponseClient,它使用WebClient在 Authorization Server 的令牌端点请求访问令牌时。
自定义WebClientReactiveClientCredentialsTokenResponseClient,只需提供一个 bean,如下例所示,它将被默认选取ReactiveOAuth2AuthorizedClientManager自然而然:
-
Java
-
Kotlin
@Bean
public ReactiveOAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> accessTokenResponseClient() {
WebClientReactiveClientCredentialsTokenResponseClient accessTokenResponseClient =
new WebClientReactiveClientCredentialsTokenResponseClient();
// ...
return accessTokenResponseClient;
}@Bean
fun accessTokenResponseClient(): ReactiveOAuth2AccessTokenResponseClient<Client Credentials> {
val accessTokenResponseClient = WebClientReactiveClientCredentialsTokenResponseClient()
// ...
return accessTokenResponseClient
}WebClientReactiveClientCredentialsTokenResponseClient非常灵活,并提供了多个选项来自定义客户端凭证授予的 OAuth 2.0 访问令牌请求和响应。
从以下使用案例中进行选择以了解更多信息:
自定义 Access Token 请求
WebClientReactiveClientCredentialsTokenResponseClient提供 hook 用于自定义 Token Request 的 HTTP 头和请求参数。
自定义请求标头
自定义 HTTP 标头有两个选项:
-
通过调用
addHeadersConverter() -
通过调用
setHeadersConverter()
您可以包含其他标头,而不会影响使用addHeadersConverter().
以下示例添加了一个User-Agent标头添加到请求中时,registrationId是spring:
-
Java
-
Kotlin
WebClientReactiveClientCredentialsTokenResponseClient accessTokenResponseClient =
new WebClientReactiveClientCredentialsTokenResponseClient();
accessTokenResponseClient.addHeadersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
HttpHeaders headers = new HttpHeaders();
if (clientRegistration.getRegistrationId().equals("spring")) {
headers.set(HttpHeaders.USER_AGENT, "my-user-agent");
}
return headers;
});val accessTokenResponseClient = WebClientReactiveClientCredentialsTokenResponseClient()
accessTokenResponseClient.addHeadersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val headers = HttpHeaders()
if (clientRegistration.getRegistrationId() == "spring") {
headers[HttpHeaders.USER_AGENT] = "my-user-agent"
}
headers
}您可以通过重复使用来完全自定义标头DefaultOAuth2TokenRequestHeadersConverter或使用setHeadersConverter().
以下示例重用DefaultOAuth2TokenRequestHeadersConverter并禁用encodeClientCredentials,以便 HTTP Basic 凭证不再使用application/x-www-form-urlencoded:
-
Java
-
Kotlin
DefaultOAuth2TokenRequestHeadersConverter headersConverter =
new DefaultOAuth2TokenRequestHeadersConverter();
headersConverter.setEncodeClientCredentials(false);
WebClientReactiveClientCredentialsTokenResponseClient accessTokenResponseClient =
new WebClientReactiveClientCredentialsTokenResponseClient();
accessTokenResponseClient.setHeadersConverter(headersConverter);val headersConverter = DefaultOAuth2TokenRequestHeadersConverter()
headersConverter.setEncodeClientCredentials(false)
val accessTokenResponseClient = WebClientReactiveClientCredentialsTokenResponseClient()
accessTokenResponseClient.setHeadersConverter(headersConverter)自定义请求参数
有三个选项可用于自定义请求参数:
-
通过调用
addParametersConverter() -
通过调用
setParametersConverter() -
通过调用
setParametersCustomizer()
|
用 |
您可以包含其他参数,而不会影响使用addParametersConverter().
以下示例添加了一个audience参数添加到请求中时,registrationId是keycloak:
-
Java
-
Kotlin
WebClientReactiveClientCredentialsTokenResponseClient accessTokenResponseClient =
new WebClientReactiveClientCredentialsTokenResponseClient();
accessTokenResponseClient.addParametersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
MultiValueMap<String, String> parameters = new LinkedMultiValueMap<String, String>();
if (clientRegistration.getRegistrationId().equals("keycloak")) {
parameters.set(OAuth2ParameterNames.AUDIENCE, "my-audience");
}
return parameters;
});val accessTokenResponseClient = WebClientReactiveClientCredentialsTokenResponseClient()
accessTokenResponseClient.addParametersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val parameters = LinkedMultiValueMap<String, String>()
if (clientRegistration.getRegistrationId() == "keycloak") {
parameters[OAuth2ParameterNames.AUDIENCE] = "my-audience"
}
parameters
}您可以使用setParametersConverter().
以下示例将client_id参数,当registrationId是okta:
-
Java
-
Kotlin
WebClientReactiveClientCredentialsTokenResponseClient accessTokenResponseClient =
new WebClientReactiveClientCredentialsTokenResponseClient();
accessTokenResponseClient.setParametersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
LinkedMultiValueMap<String, String> parameters = new LinkedMultiValueMap<>();
if (clientRegistration.getRegistrationId().equals("okta")) {
parameters.set(OAuth2ParameterNames.CLIENT_ID, "my-client");
}
return parameters;
});val accessTokenResponseClient = WebClientReactiveClientCredentialsTokenResponseClient()
accessTokenResponseClient.setParametersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val parameters = LinkedMultiValueMap<String, String>()
if (clientRegistration.getRegistrationId() == "okta") {
parameters[OAuth2ParameterNames.CLIENT_ID] = "my-client"
}
parameters
}您可以使用setParametersCustomizer().
以下示例省略了client_id参数,当client_assertion参数:
-
Java
-
Kotlin
WebClientReactiveClientCredentialsTokenResponseClient accessTokenResponseClient =
new WebClientReactiveClientCredentialsTokenResponseClient();
accessTokenResponseClient.setParametersCustomizer(parameters -> {
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID);
}
});val accessTokenResponseClient = WebClientReactiveClientCredentialsTokenResponseClient()
accessTokenResponseClient.setParametersCustomizer { parameters ->
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID)
}
}自定义访问令牌响应
WebClientReactiveClientCredentialsTokenResponseClient提供用于自定义 OAuth 2.0 访问令牌响应的钩子。
自定义响应参数
您可以自定义 Token Response 参数到OAuth2AccessTokenResponse通过调用setBodyExtractor().
由OAuth2BodyExtractors.oauth2AccessTokenResponse()解析响应并相应地处理错误。
以下示例提供了自定义 Token Response 参数转换为OAuth2AccessTokenResponse:
-
Java
-
Kotlin
WebClientReactiveClientCredentialsTokenResponseClient accessTokenResponseClient =
new WebClientReactiveClientCredentialsTokenResponseClient();
BodyExtractor<Mono<Map<String, Object>>, ReactiveHttpInputMessage> bodyExtractor =
BodyExtractors.toMono(new ParameterizedTypeReference<>() {});
accessTokenResponseClient.setBodyExtractor((inputMessage, context) ->
bodyExtractor.extract(inputMessage, context)
.map(parameters -> OAuth2AccessTokenResponse.withToken("custom-token")
// ...
.build()
)
);val accessTokenResponseClient = WebClientReactiveClientCredentialsTokenResponseClient()
val bodyExtractor = BodyExtractors.toMono(object : ParameterizedTypeReference<Map<String, Any>>() {})
accessTokenResponseClient.setBodyExtractor { inputMessage, context ->
bodyExtractor.extract(inputMessage, context).map { parameters ->
OAuth2AccessTokenResponse.withToken("custom-token")
// ...
.build()
}
}|
当提供自定义 |
自定义WebClient
或者,如果您的要求更高级,您可以通过提供预配置的WebClient自setWebClient()如下例所示:
WebClient-
Java
-
Kotlin
WebClient webClient = WebClient.builder()
// ...
.build();
WebClientReactiveClientCredentialsTokenResponseClient accessTokenResponseClient =
new WebClientReactiveClientCredentialsTokenResponseClient();
accessTokenResponseClient.setWebClient(webClient);val webClient = WebClient.builder()
// ...
.build()
val accessTokenResponseClient = WebClientReactiveClientCredentialsTokenResponseClient()
accessTokenResponseClient.setWebClient(webClient)使用 Builder 进行自定义
无论您是否自定义WebClientReactiveClientCredentialsTokenResponseClient或提供您自己的ReactiveOAuth2AccessTokenResponseClient,您可以使用ReactiveOAuth2AuthorizedClientProviderBuilder(作为发布 bean 的替代方法),如下所示:
-
Java
-
Kotlin
// Customize
ReactiveOAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> clientCredentialsTokenResponseClient = ...
ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.clientCredentials(configurer -> configurer.accessTokenResponseClient(clientCredentialsTokenResponseClient))
.build();
// ...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);// Customize
val clientCredentialsTokenResponseClient: ReactiveOAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> = ...
val authorizedClientProvider: ReactiveOAuth2AuthorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.clientCredentials { it.accessTokenResponseClient(clientCredentialsTokenResponseClient) }
.build()
// ...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)|
|
使用 Access Token
给定 OAuth 2.0 客户端注册的以下 Spring Boot 属性:
spring:
security:
oauth2:
client:
registration:
okta:
client-id: okta-client-id
client-secret: okta-client-secret
authorization-grant-type: client_credentials
scope: read, write
provider:
okta:
token-uri: https://dev-1234.oktapreview.com/oauth2/v1/token…和ReactiveOAuth2AuthorizedClientManager @Bean:
-
Java
-
Kotlin
@Bean
public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
ReactiveClientRegistrationRepository clientRegistrationRepository,
ServerOAuth2AuthorizedClientRepository authorizedClientRepository) {
ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.clientCredentials()
.build();
DefaultReactiveOAuth2AuthorizedClientManager authorizedClientManager =
new DefaultReactiveOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository);
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
return authorizedClientManager;
}@Bean
fun authorizedClientManager(
clientRegistrationRepository: ReactiveClientRegistrationRepository,
authorizedClientRepository: ServerOAuth2AuthorizedClientRepository): ReactiveOAuth2AuthorizedClientManager {
val authorizedClientProvider: ReactiveOAuth2AuthorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.clientCredentials()
.build()
val authorizedClientManager = DefaultReactiveOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository)
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
return authorizedClientManager
}您可以获取OAuth2AccessToken如下:
-
Java
-
Kotlin
@Controller
public class OAuth2ClientController {
@Autowired
private ReactiveOAuth2AuthorizedClientManager authorizedClientManager;
@GetMapping("/")
public Mono<String> index(Authentication authentication, ServerWebExchange exchange) {
OAuth2AuthorizeRequest authorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
.principal(authentication)
.attribute(ServerWebExchange.class.getName(), exchange)
.build();
return this.authorizedClientManager.authorize(authorizeRequest)
.map(OAuth2AuthorizedClient::getAccessToken)
// ...
.thenReturn("index");
}
}class OAuth2ClientController {
@Autowired
private lateinit var authorizedClientManager: ReactiveOAuth2AuthorizedClientManager
@GetMapping("/")
fun index(authentication: Authentication, exchange: ServerWebExchange): Mono<String> {
val authorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
.principal(authentication)
.attribute(ServerWebExchange::class.java.name, exchange)
.build()
return authorizedClientManager.authorize(authorizeRequest)
.map { it.accessToken }
// ...
.thenReturn("index")
}
}|
|
资源所有者密码凭证
|
请参阅 OAuth 2.0 授权框架,了解有关资源所有者密码凭证授予的更多详细信息。 |
申请 Access Token
|
请参阅访问令牌请求/响应协议流程,了解资源所有者密码凭证授予。 |
的默认实现ReactiveOAuth2AccessTokenResponseClient对于 Resource Owner Password Credentials,grant 为WebClientReactivePasswordTokenResponseClient,它使用WebClient在 Authorization Server 的令牌端点请求访问令牌时。
|
这 |
自定义WebClientReactivePasswordTokenResponseClient,只需提供一个 bean,如下例所示,它将被默认选取ReactiveOAuth2AuthorizedClientManager自然而然:
-
Java
-
Kotlin
@Bean
public ReactiveOAuth2AccessTokenResponseClient<OAuth2PasswordGrantRequest> accessTokenResponseClient() {
WebClientReactivePasswordTokenResponseClient accessTokenResponseClient =
new WebClientReactivePasswordTokenResponseClient();
// ...
return accessTokenResponseClient;
}@Bean
fun accessTokenResponseClient(): ReactiveOAuth2AccessTokenResponseClient<Password> {
val accessTokenResponseClient = WebClientReactivePasswordTokenResponseClient()
// ...
return accessTokenResponseClient
}WebClientReactivePasswordTokenResponseClient非常灵活,并提供了多个选项来自定义 OAuth 2.0 访问令牌请求和密码授予的响应。
从以下使用案例中进行选择以了解更多信息:
自定义 Access Token 请求
WebClientReactivePasswordTokenResponseClient提供 hook 用于自定义 Token Request 的 HTTP 头和请求参数。
自定义请求标头
自定义 HTTP 标头有两个选项:
-
通过调用
addHeadersConverter() -
通过调用
setHeadersConverter()
您可以包含其他标头,而不会影响使用addHeadersConverter().
以下示例添加了一个User-Agent标头添加到请求中时,registrationId是spring:
-
Java
-
Kotlin
WebClientReactivePasswordTokenResponseClient accessTokenResponseClient =
new WebClientReactivePasswordTokenResponseClient();
accessTokenResponseClient.addHeadersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
HttpHeaders headers = new HttpHeaders();
if (clientRegistration.getRegistrationId().equals("spring")) {
headers.set(HttpHeaders.USER_AGENT, "my-user-agent");
}
return headers;
});val accessTokenResponseClient = WebClientReactivePasswordTokenResponseClient()
accessTokenResponseClient.addHeadersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val headers = HttpHeaders()
if (clientRegistration.getRegistrationId() == "spring") {
headers[HttpHeaders.USER_AGENT] = "my-user-agent"
}
headers
}您可以通过重复使用来完全自定义标头DefaultOAuth2TokenRequestHeadersConverter或使用setHeadersConverter().
以下示例重用DefaultOAuth2TokenRequestHeadersConverter并禁用encodeClientCredentials,以便 HTTP Basic 凭证不再使用application/x-www-form-urlencoded:
-
Java
-
Kotlin
DefaultOAuth2TokenRequestHeadersConverter headersConverter =
new DefaultOAuth2TokenRequestHeadersConverter();
headersConverter.setEncodeClientCredentials(false);
WebClientReactivePasswordTokenResponseClient accessTokenResponseClient =
new WebClientReactivePasswordTokenResponseClient();
accessTokenResponseClient.setHeadersConverter(headersConverter);val headersConverter = DefaultOAuth2TokenRequestHeadersConverter()
headersConverter.setEncodeClientCredentials(false)
val accessTokenResponseClient = WebClientReactivePasswordTokenResponseClient()
accessTokenResponseClient.setHeadersConverter(headersConverter)自定义请求参数
有三个选项可用于自定义请求参数:
-
通过调用
addParametersConverter() -
通过调用
setParametersConverter() -
通过调用
setParametersCustomizer()
|
用 |
您可以包含其他参数,而不会影响使用addParametersConverter().
以下示例添加了一个audience参数添加到请求中时,registrationId是keycloak:
-
Java
-
Kotlin
WebClientReactivePasswordTokenResponseClient accessTokenResponseClient =
new WebClientReactivePasswordTokenResponseClient();
accessTokenResponseClient.addParametersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
MultiValueMap<String, String> parameters = new LinkedMultiValueMap<String, String>();
if (clientRegistration.getRegistrationId().equals("keycloak")) {
parameters.set(OAuth2ParameterNames.AUDIENCE, "my-audience");
}
return parameters;
});val accessTokenResponseClient = WebClientReactivePasswordTokenResponseClient()
accessTokenResponseClient.addParametersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val parameters = LinkedMultiValueMap<String, String>()
if (clientRegistration.getRegistrationId() == "keycloak") {
parameters[OAuth2ParameterNames.AUDIENCE] = "my-audience"
}
parameters
}您可以使用setParametersConverter().
以下示例将client_id参数,当registrationId是okta:
-
Java
-
Kotlin
WebClientReactivePasswordTokenResponseClient accessTokenResponseClient =
new WebClientReactivePasswordTokenResponseClient();
accessTokenResponseClient.setParametersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
LinkedMultiValueMap<String, String> parameters = new LinkedMultiValueMap<>();
if (clientRegistration.getRegistrationId().equals("okta")) {
parameters.set(OAuth2ParameterNames.CLIENT_ID, "my-client");
}
return parameters;
});val accessTokenResponseClient = WebClientReactivePasswordTokenResponseClient()
accessTokenResponseClient.setParametersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val parameters = LinkedMultiValueMap<String, String>()
if (clientRegistration.getRegistrationId() == "okta") {
parameters[OAuth2ParameterNames.CLIENT_ID] = "my-client"
}
parameters
}您可以使用setParametersCustomizer().
以下示例省略了client_id参数,当client_assertion参数:
-
Java
-
Kotlin
WebClientReactivePasswordTokenResponseClient accessTokenResponseClient =
new WebClientReactivePasswordTokenResponseClient();
accessTokenResponseClient.setParametersCustomizer(parameters -> {
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID);
}
});val accessTokenResponseClient = WebClientReactivePasswordTokenResponseClient()
accessTokenResponseClient.setParametersCustomizer { parameters ->
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID)
}
}自定义访问令牌响应
WebClientReactivePasswordTokenResponseClient提供用于自定义 OAuth 2.0 访问令牌响应的钩子。
自定义响应参数
您可以自定义 Token Response 参数到OAuth2AccessTokenResponse通过调用setBodyExtractor().
由OAuth2BodyExtractors.oauth2AccessTokenResponse()解析响应并相应地处理错误。
以下示例提供了自定义 Token Response 参数转换为OAuth2AccessTokenResponse:
-
Java
-
Kotlin
WebClientReactivePasswordTokenResponseClient accessTokenResponseClient =
new WebClientReactivePasswordTokenResponseClient();
BodyExtractor<Mono<Map<String, Object>>, ReactiveHttpInputMessage> bodyExtractor =
BodyExtractors.toMono(new ParameterizedTypeReference<>() {});
accessTokenResponseClient.setBodyExtractor((inputMessage, context) ->
bodyExtractor.extract(inputMessage, context)
.map(parameters -> OAuth2AccessTokenResponse.withToken("custom-token")
// ...
.build()
)
);val accessTokenResponseClient = WebClientReactivePasswordTokenResponseClient()
val bodyExtractor = BodyExtractors.toMono(object : ParameterizedTypeReference<Map<String, Any>>() {})
accessTokenResponseClient.setBodyExtractor { inputMessage, context ->
bodyExtractor.extract(inputMessage, context).map { parameters ->
OAuth2AccessTokenResponse.withToken("custom-token")
// ...
.build()
}
}|
当提供自定义 |
自定义WebClient
或者,如果您的要求更高级,您可以通过提供预配置的WebClient自setWebClient()如下例所示:
WebClient-
Java
-
Kotlin
WebClient webClient = WebClient.builder()
// ...
.build();
WebClientReactivePasswordTokenResponseClient accessTokenResponseClient =
new WebClientReactivePasswordTokenResponseClient();
accessTokenResponseClient.setWebClient(webClient);val webClient = WebClient.builder()
// ...
.build()
val accessTokenResponseClient = WebClientReactivePasswordTokenResponseClient()
accessTokenResponseClient.setWebClient(webClient)使用 Builder 进行自定义
无论您是否自定义WebClientReactivePasswordTokenResponseClient或提供您自己的ReactiveOAuth2AccessTokenResponseClient,您可以使用ReactiveOAuth2AuthorizedClientProviderBuilder(作为发布 bean 的替代方法),如下所示:
-
Java
-
Kotlin
// Customize
ReactiveOAuth2AccessTokenResponseClient<OAuth2PasswordGrantRequest> passwordTokenResponseClient = ...
ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.password(configurer -> configurer.accessTokenResponseClient(passwordTokenResponseClient))
.refreshToken()
.build();
// ...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);val passwordTokenResponseClient: ReactiveOAuth2AccessTokenResponseClient<OAuth2PasswordGrantRequest> = ...
val authorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.password { it.accessTokenResponseClient(passwordTokenResponseClient) }
.refreshToken()
.build()
// ...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)|
|
使用 Access Token
给定 OAuth 2.0 客户端注册的以下 Spring Boot 属性:
spring:
security:
oauth2:
client:
registration:
okta:
client-id: okta-client-id
client-secret: okta-client-secret
authorization-grant-type: password
scope: read, write
provider:
okta:
token-uri: https://dev-1234.oktapreview.com/oauth2/v1/token…和ReactiveOAuth2AuthorizedClientManager @Bean:
-
Java
-
Kotlin
@Bean
public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
ReactiveClientRegistrationRepository clientRegistrationRepository,
ServerOAuth2AuthorizedClientRepository authorizedClientRepository) {
ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.password()
.refreshToken()
.build();
DefaultReactiveOAuth2AuthorizedClientManager authorizedClientManager =
new DefaultReactiveOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository);
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
// Assuming the `username` and `password` are supplied as `ServerHttpRequest` parameters,
// map the `ServerHttpRequest` parameters to `OAuth2AuthorizationContext.getAttributes()`
authorizedClientManager.setContextAttributesMapper(contextAttributesMapper());
return authorizedClientManager;
}
private Function<OAuth2AuthorizeRequest, Mono<Map<String, Object>>> contextAttributesMapper() {
return authorizeRequest -> {
Map<String, Object> contextAttributes = Collections.emptyMap();
ServerWebExchange exchange = authorizeRequest.getAttribute(ServerWebExchange.class.getName());
ServerHttpRequest request = exchange.getRequest();
String username = request.getQueryParams().getFirst(OAuth2ParameterNames.USERNAME);
String password = request.getQueryParams().getFirst(OAuth2ParameterNames.PASSWORD);
if (StringUtils.hasText(username) && StringUtils.hasText(password)) {
contextAttributes = new HashMap<>();
// `PasswordReactiveOAuth2AuthorizedClientProvider` requires both attributes
contextAttributes.put(OAuth2AuthorizationContext.USERNAME_ATTRIBUTE_NAME, username);
contextAttributes.put(OAuth2AuthorizationContext.PASSWORD_ATTRIBUTE_NAME, password);
}
return Mono.just(contextAttributes);
};
}@Bean
fun authorizedClientManager(
clientRegistrationRepository: ReactiveClientRegistrationRepository,
authorizedClientRepository: ServerOAuth2AuthorizedClientRepository): ReactiveOAuth2AuthorizedClientManager {
val authorizedClientProvider: ReactiveOAuth2AuthorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.password()
.refreshToken()
.build()
val authorizedClientManager = DefaultReactiveOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository)
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
// Assuming the `username` and `password` are supplied as `ServerHttpRequest` parameters,
// map the `ServerHttpRequest` parameters to `OAuth2AuthorizationContext.getAttributes()`
authorizedClientManager.setContextAttributesMapper(contextAttributesMapper())
return authorizedClientManager
}
private fun contextAttributesMapper(): Function<OAuth2AuthorizeRequest, Mono<MutableMap<String, Any>>> {
return Function { authorizeRequest ->
var contextAttributes: MutableMap<String, Any> = mutableMapOf()
val exchange: ServerWebExchange = authorizeRequest.getAttribute(ServerWebExchange::class.java.name)!!
val request: ServerHttpRequest = exchange.request
val username: String? = request.queryParams.getFirst(OAuth2ParameterNames.USERNAME)
val password: String? = request.queryParams.getFirst(OAuth2ParameterNames.PASSWORD)
if (StringUtils.hasText(username) && StringUtils.hasText(password)) {
contextAttributes = hashMapOf()
// `PasswordReactiveOAuth2AuthorizedClientProvider` requires both attributes
contextAttributes[OAuth2AuthorizationContext.USERNAME_ATTRIBUTE_NAME] = username!!
contextAttributes[OAuth2AuthorizationContext.PASSWORD_ATTRIBUTE_NAME] = password!!
}
Mono.just(contextAttributes)
}
}您可以获取OAuth2AccessToken如下:
-
Java
-
Kotlin
@Controller
public class OAuth2ClientController {
@Autowired
private ReactiveOAuth2AuthorizedClientManager authorizedClientManager;
@GetMapping("/")
public Mono<String> index(Authentication authentication, ServerWebExchange exchange) {
OAuth2AuthorizeRequest authorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
.principal(authentication)
.attribute(ServerWebExchange.class.getName(), exchange)
.build();
return this.authorizedClientManager.authorize(authorizeRequest)
.map(OAuth2AuthorizedClient::getAccessToken)
// ...
.thenReturn("index");
}
}@Controller
class OAuth2ClientController {
@Autowired
private lateinit var authorizedClientManager: ReactiveOAuth2AuthorizedClientManager
@GetMapping("/")
fun index(authentication: Authentication, exchange: ServerWebExchange): Mono<String> {
val authorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
.principal(authentication)
.attribute(ServerWebExchange::class.java.name, exchange)
.build()
return authorizedClientManager.authorize(authorizeRequest)
.map { it.accessToken }
// ...
.thenReturn("index")
}
}|
|
JWT 持有者
|
有关 JWT 不记名授权的更多详细信息,请参阅 OAuth 2.0 客户端身份验证和授权的 JSON Web 令牌 (JWT) 配置文件。 |
申请 Access Token
|
请参阅 JWT Bearer 授权的访问令牌请求/响应协议流程。 |
的默认实现ReactiveOAuth2AccessTokenResponseClient对于 JWT Bearer 授权为WebClientReactiveJwtBearerTokenResponseClient,它使用WebClient在 Authorization Server 的令牌端点请求访问令牌时。
自定义WebClientReactiveJwtBearerTokenResponseClient,只需提供一个 bean,如下例所示,它将被默认选取ReactiveOAuth2AuthorizedClientManager自然而然:
-
Java
-
Kotlin
@Bean
public ReactiveOAuth2AccessTokenResponseClient<JwtBearerGrantRequest> accessTokenResponseClient() {
WebClientReactiveJwtBearerTokenResponseClient accessTokenResponseClient =
new WebClientReactiveJwtBearerTokenResponseClient();
// ...
return accessTokenResponseClient;
}@Bean
fun accessTokenResponseClient(): ReactiveOAuth2AccessTokenResponseClient<JWT Bearer> {
val accessTokenResponseClient = WebClientReactiveJwtBearerTokenResponseClient()
// ...
return accessTokenResponseClient
}WebClientReactiveJwtBearerTokenResponseClient非常灵活,并提供了多个选项,用于自定义 JWT Bearer 授权的 OAuth 2.0 访问令牌请求和响应。
从以下使用案例中进行选择以了解更多信息:
自定义 Access Token 请求
WebClientReactiveJwtBearerTokenResponseClient提供 hook 用于自定义 Token Request 的 HTTP 头和请求参数。
自定义请求标头
自定义 HTTP 标头有两个选项:
-
通过调用
addHeadersConverter() -
通过调用
setHeadersConverter()
您可以包含其他标头,而不会影响使用addHeadersConverter().
以下示例添加了一个User-Agent标头添加到请求中时,registrationId是spring:
-
Java
-
Kotlin
WebClientReactiveJwtBearerTokenResponseClient accessTokenResponseClient =
new WebClientReactiveJwtBearerTokenResponseClient();
accessTokenResponseClient.addHeadersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
HttpHeaders headers = new HttpHeaders();
if (clientRegistration.getRegistrationId().equals("spring")) {
headers.set(HttpHeaders.USER_AGENT, "my-user-agent");
}
return headers;
});val accessTokenResponseClient = WebClientReactiveJwtBearerTokenResponseClient()
accessTokenResponseClient.addHeadersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val headers = HttpHeaders()
if (clientRegistration.getRegistrationId() == "spring") {
headers[HttpHeaders.USER_AGENT] = "my-user-agent"
}
headers
}您可以通过重复使用来完全自定义标头DefaultOAuth2TokenRequestHeadersConverter或使用setHeadersConverter().
以下示例重用DefaultOAuth2TokenRequestHeadersConverter并禁用encodeClientCredentials,以便 HTTP Basic 凭证不再使用application/x-www-form-urlencoded:
-
Java
-
Kotlin
DefaultOAuth2TokenRequestHeadersConverter headersConverter =
new DefaultOAuth2TokenRequestHeadersConverter();
headersConverter.setEncodeClientCredentials(false);
WebClientReactiveJwtBearerTokenResponseClient accessTokenResponseClient =
new WebClientReactiveJwtBearerTokenResponseClient();
accessTokenResponseClient.setHeadersConverter(headersConverter);val headersConverter = DefaultOAuth2TokenRequestHeadersConverter()
headersConverter.setEncodeClientCredentials(false)
val accessTokenResponseClient = WebClientReactiveJwtBearerTokenResponseClient()
accessTokenResponseClient.setHeadersConverter(headersConverter)自定义请求参数
有三个选项可用于自定义请求参数:
-
通过调用
addParametersConverter() -
通过调用
setParametersConverter() -
通过调用
setParametersCustomizer()
|
用 |
您可以包含其他参数,而不会影响使用addParametersConverter().
以下示例添加了一个audience参数添加到请求中时,registrationId是keycloak:
-
Java
-
Kotlin
WebClientReactiveJwtBearerTokenResponseClient accessTokenResponseClient =
new WebClientReactiveJwtBearerTokenResponseClient();
accessTokenResponseClient.addParametersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
MultiValueMap<String, String> parameters = new LinkedMultiValueMap<String, String>();
if (clientRegistration.getRegistrationId().equals("keycloak")) {
parameters.set(OAuth2ParameterNames.AUDIENCE, "my-audience");
}
return parameters;
});val accessTokenResponseClient = WebClientReactiveJwtBearerTokenResponseClient()
accessTokenResponseClient.addParametersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val parameters = LinkedMultiValueMap<String, String>()
if (clientRegistration.getRegistrationId() == "keycloak") {
parameters[OAuth2ParameterNames.AUDIENCE] = "my-audience"
}
parameters
}您可以使用setParametersConverter().
以下示例将client_id参数,当registrationId是okta:
-
Java
-
Kotlin
WebClientReactiveJwtBearerTokenResponseClient accessTokenResponseClient =
new WebClientReactiveJwtBearerTokenResponseClient();
accessTokenResponseClient.setParametersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
LinkedMultiValueMap<String, String> parameters = new LinkedMultiValueMap<>();
if (clientRegistration.getRegistrationId().equals("okta")) {
parameters.set(OAuth2ParameterNames.CLIENT_ID, "my-client");
}
return parameters;
});val accessTokenResponseClient = WebClientReactiveJwtBearerTokenResponseClient()
accessTokenResponseClient.setParametersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val parameters = LinkedMultiValueMap<String, String>()
if (clientRegistration.getRegistrationId() == "okta") {
parameters[OAuth2ParameterNames.CLIENT_ID] = "my-client"
}
parameters
}您可以使用setParametersCustomizer().
以下示例省略了client_id参数,当client_assertion参数:
-
Java
-
Kotlin
WebClientReactiveJwtBearerTokenResponseClient accessTokenResponseClient =
new WebClientReactiveJwtBearerTokenResponseClient();
accessTokenResponseClient.setParametersCustomizer(parameters -> {
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID);
}
});val accessTokenResponseClient = WebClientReactiveJwtBearerTokenResponseClient()
accessTokenResponseClient.setParametersCustomizer { parameters ->
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID)
}
}自定义访问令牌响应
WebClientReactiveJwtBearerTokenResponseClient提供用于自定义 OAuth 2.0 访问令牌响应的钩子。
自定义响应参数
您可以自定义 Token Response 参数到OAuth2AccessTokenResponse通过调用setBodyExtractor().
由OAuth2BodyExtractors.oauth2AccessTokenResponse()解析响应并相应地处理错误。
以下示例提供了自定义 Token Response 参数转换为OAuth2AccessTokenResponse:
-
Java
-
Kotlin
WebClientReactiveJwtBearerTokenResponseClient accessTokenResponseClient =
new WebClientReactiveJwtBearerTokenResponseClient();
BodyExtractor<Mono<Map<String, Object>>, ReactiveHttpInputMessage> bodyExtractor =
BodyExtractors.toMono(new ParameterizedTypeReference<>() {});
accessTokenResponseClient.setBodyExtractor((inputMessage, context) ->
bodyExtractor.extract(inputMessage, context)
.map(parameters -> OAuth2AccessTokenResponse.withToken("custom-token")
// ...
.build()
)
);val accessTokenResponseClient = WebClientReactiveJwtBearerTokenResponseClient()
val bodyExtractor = BodyExtractors.toMono(object : ParameterizedTypeReference<Map<String, Any>>() {})
accessTokenResponseClient.setBodyExtractor { inputMessage, context ->
bodyExtractor.extract(inputMessage, context).map { parameters ->
OAuth2AccessTokenResponse.withToken("custom-token")
// ...
.build()
}
}|
当提供自定义 |
自定义WebClient
或者,如果您的要求更高级,您可以通过提供预配置的WebClient自setWebClient()如下例所示:
WebClient-
Java
-
Kotlin
WebClient webClient = WebClient.builder()
// ...
.build();
WebClientReactiveJwtBearerTokenResponseClient accessTokenResponseClient =
new WebClientReactiveJwtBearerTokenResponseClient();
accessTokenResponseClient.setWebClient(webClient);val webClient = WebClient.builder()
// ...
.build()
val accessTokenResponseClient = WebClientReactiveJwtBearerTokenResponseClient()
accessTokenResponseClient.setWebClient(webClient)使用 Builder 进行自定义
无论您是否自定义WebClientReactiveJwtBearerTokenResponseClient或提供您自己的ReactiveOAuth2AccessTokenResponseClient,您可以使用ReactiveOAuth2AuthorizedClientProviderBuilder(作为发布 bean 的替代方法),如下所示:
-
Java
-
Kotlin
// Customize
ReactiveOAuth2AccessTokenResponseClient<JwtBearerGrantRequest> jwtBearerTokenResponseClient = ...
JwtBearerReactiveOAuth2AuthorizedClientProvider jwtBearerAuthorizedClientProvider = new JwtBearerReactiveOAuth2AuthorizedClientProvider();
jwtBearerAuthorizedClientProvider.setAccessTokenResponseClient(jwtBearerTokenResponseClient);
ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.provider(jwtBearerAuthorizedClientProvider)
.build();
// ...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);// Customize
val jwtBearerTokenResponseClient: ReactiveOAuth2AccessTokenResponseClient<JwtBearerGrantRequest> = ...
val jwtBearerAuthorizedClientProvider = JwtBearerReactiveOAuth2AuthorizedClientProvider()
jwtBearerAuthorizedClientProvider.setAccessTokenResponseClient(jwtBearerTokenResponseClient)
val authorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.provider(jwtBearerAuthorizedClientProvider)
.build()
// ...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)使用 Access Token
给定 OAuth 2.0 客户端注册的以下 Spring Boot 属性:
spring:
security:
oauth2:
client:
registration:
okta:
client-id: okta-client-id
client-secret: okta-client-secret
authorization-grant-type: urn:ietf:params:oauth:grant-type:jwt-bearer
scope: read
provider:
okta:
token-uri: https://dev-1234.oktapreview.com/oauth2/v1/token…和OAuth2AuthorizedClientManager @Bean:
-
Java
-
Kotlin
@Bean
public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
ReactiveClientRegistrationRepository clientRegistrationRepository,
ServerOAuth2AuthorizedClientRepository authorizedClientRepository) {
JwtBearerReactiveOAuth2AuthorizedClientProvider jwtBearerAuthorizedClientProvider =
new JwtBearerReactiveOAuth2AuthorizedClientProvider();
ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.provider(jwtBearerAuthorizedClientProvider)
.build();
DefaultReactiveOAuth2AuthorizedClientManager authorizedClientManager =
new DefaultReactiveOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository);
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
return authorizedClientManager;
}@Bean
fun authorizedClientManager(
clientRegistrationRepository: ReactiveClientRegistrationRepository,
authorizedClientRepository: ServerOAuth2AuthorizedClientRepository): ReactiveOAuth2AuthorizedClientManager {
val jwtBearerAuthorizedClientProvider = JwtBearerReactiveOAuth2AuthorizedClientProvider()
val authorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.provider(jwtBearerAuthorizedClientProvider)
.build()
val authorizedClientManager = DefaultReactiveOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository)
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
return authorizedClientManager
}您可以获取OAuth2AccessToken如下:
-
Java
-
Kotlin
@RestController
public class OAuth2ResourceServerController {
@Autowired
private ReactiveOAuth2AuthorizedClientManager authorizedClientManager;
@GetMapping("/resource")
public Mono<String> resource(JwtAuthenticationToken jwtAuthentication, ServerWebExchange exchange) {
OAuth2AuthorizeRequest authorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
.principal(jwtAuthentication)
.build();
return this.authorizedClientManager.authorize(authorizeRequest)
.map(OAuth2AuthorizedClient::getAccessToken)
// ...
.thenReturn("index");
}
}class OAuth2ResourceServerController {
@Autowired
private lateinit var authorizedClientManager: ReactiveOAuth2AuthorizedClientManager
@GetMapping("/resource")
fun resource(jwtAuthentication: JwtAuthenticationToken, exchange: ServerWebExchange): Mono<String> {
val authorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
.principal(jwtAuthentication)
.build()
return authorizedClientManager.authorize(authorizeRequest)
.map { it.accessToken }
// ...
.thenReturn("index")
}
}|
|
|
如果您需要解决 |
代币兑换
|
请参阅 OAuth 2.0 Token Exchange,了解有关 Token Exchange 授权的更多详细信息。 |
申请 Access Token
|
请参阅 Token Exchange 请求和响应协议流程,了解 Token Exchange 授权。 |
的默认实现ReactiveOAuth2AccessTokenResponseClient对于 Token Exchange 授权为WebClientReactiveTokenExchangeTokenResponseClient,它使用WebClient在 Authorization Server 的令牌端点请求访问令牌时。
自定义WebClientReactiveTokenExchangeTokenResponseClient,只需提供一个 bean,如下例所示,它将被默认选取ReactiveOAuth2AuthorizedClientManager自然而然:
-
Java
-
Kotlin
@Bean
public ReactiveOAuth2AccessTokenResponseClient<TokenExchangeGrantRequest> accessTokenResponseClient() {
WebClientReactiveTokenExchangeTokenResponseClient accessTokenResponseClient =
new WebClientReactiveTokenExchangeTokenResponseClient();
// ...
return accessTokenResponseClient;
}@Bean
fun accessTokenResponseClient(): ReactiveOAuth2AccessTokenResponseClient<Token Exchange> {
val accessTokenResponseClient = WebClientReactiveTokenExchangeTokenResponseClient()
// ...
return accessTokenResponseClient
}WebClientReactiveTokenExchangeTokenResponseClient非常灵活,并提供了多个选项来自定义 Token Exchange 授权的 OAuth 2.0 Access Token 请求和响应。
从以下使用案例中进行选择以了解更多信息:
自定义 Access Token 请求
WebClientReactiveTokenExchangeTokenResponseClient提供 hook 用于自定义 Token Request 的 HTTP 头和请求参数。
自定义请求标头
自定义 HTTP 标头有两个选项:
-
通过调用
addHeadersConverter() -
通过调用
setHeadersConverter()
您可以包含其他标头,而不会影响使用addHeadersConverter().
以下示例添加了一个User-Agent标头添加到请求中时,registrationId是spring:
-
Java
-
Kotlin
WebClientReactiveTokenExchangeTokenResponseClient accessTokenResponseClient =
new WebClientReactiveTokenExchangeTokenResponseClient();
accessTokenResponseClient.addHeadersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
HttpHeaders headers = new HttpHeaders();
if (clientRegistration.getRegistrationId().equals("spring")) {
headers.set(HttpHeaders.USER_AGENT, "my-user-agent");
}
return headers;
});val accessTokenResponseClient = WebClientReactiveTokenExchangeTokenResponseClient()
accessTokenResponseClient.addHeadersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val headers = HttpHeaders()
if (clientRegistration.getRegistrationId() == "spring") {
headers[HttpHeaders.USER_AGENT] = "my-user-agent"
}
headers
}您可以通过重复使用来完全自定义标头DefaultOAuth2TokenRequestHeadersConverter或使用setHeadersConverter().
以下示例重用DefaultOAuth2TokenRequestHeadersConverter并禁用encodeClientCredentials,以便 HTTP Basic 凭证不再使用application/x-www-form-urlencoded:
-
Java
-
Kotlin
DefaultOAuth2TokenRequestHeadersConverter headersConverter =
new DefaultOAuth2TokenRequestHeadersConverter();
headersConverter.setEncodeClientCredentials(false);
WebClientReactiveTokenExchangeTokenResponseClient accessTokenResponseClient =
new WebClientReactiveTokenExchangeTokenResponseClient();
accessTokenResponseClient.setHeadersConverter(headersConverter);val headersConverter = DefaultOAuth2TokenRequestHeadersConverter()
headersConverter.setEncodeClientCredentials(false)
val accessTokenResponseClient = WebClientReactiveTokenExchangeTokenResponseClient()
accessTokenResponseClient.setHeadersConverter(headersConverter)自定义请求参数
有三个选项可用于自定义请求参数:
-
通过调用
addParametersConverter() -
通过调用
setParametersConverter() -
通过调用
setParametersCustomizer()
|
用 |
您可以包含其他参数,而不会影响使用addParametersConverter().
以下示例添加了一个audience参数添加到请求中时,registrationId是keycloak:
-
Java
-
Kotlin
WebClientReactiveTokenExchangeTokenResponseClient accessTokenResponseClient =
new WebClientReactiveTokenExchangeTokenResponseClient();
accessTokenResponseClient.addParametersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
MultiValueMap<String, String> parameters = new LinkedMultiValueMap<String, String>();
if (clientRegistration.getRegistrationId().equals("keycloak")) {
parameters.set(OAuth2ParameterNames.AUDIENCE, "my-audience");
}
return parameters;
});val accessTokenResponseClient = WebClientReactiveTokenExchangeTokenResponseClient()
accessTokenResponseClient.addParametersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val parameters = LinkedMultiValueMap<String, String>()
if (clientRegistration.getRegistrationId() == "keycloak") {
parameters[OAuth2ParameterNames.AUDIENCE] = "my-audience"
}
parameters
}您可以使用setParametersConverter().
以下示例将client_id参数,当registrationId是okta:
-
Java
-
Kotlin
WebClientReactiveTokenExchangeTokenResponseClient accessTokenResponseClient =
new WebClientReactiveTokenExchangeTokenResponseClient();
accessTokenResponseClient.setParametersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
LinkedMultiValueMap<String, String> parameters = new LinkedMultiValueMap<>();
if (clientRegistration.getRegistrationId().equals("okta")) {
parameters.set(OAuth2ParameterNames.CLIENT_ID, "my-client");
}
return parameters;
});val accessTokenResponseClient = WebClientReactiveTokenExchangeTokenResponseClient()
accessTokenResponseClient.setParametersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val parameters = LinkedMultiValueMap<String, String>()
if (clientRegistration.getRegistrationId() == "okta") {
parameters[OAuth2ParameterNames.CLIENT_ID] = "my-client"
}
parameters
}您可以使用setParametersCustomizer().
以下示例省略了client_id参数,当client_assertion参数:
-
Java
-
Kotlin
WebClientReactiveTokenExchangeTokenResponseClient accessTokenResponseClient =
new WebClientReactiveTokenExchangeTokenResponseClient();
accessTokenResponseClient.setParametersCustomizer(parameters -> {
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID);
}
});val accessTokenResponseClient = WebClientReactiveTokenExchangeTokenResponseClient()
accessTokenResponseClient.setParametersCustomizer { parameters ->
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID)
}
}自定义访问令牌响应
WebClientReactiveTokenExchangeTokenResponseClient提供用于自定义 OAuth 2.0 访问令牌响应的钩子。
自定义响应参数
您可以自定义 Token Response 参数到OAuth2AccessTokenResponse通过调用setBodyExtractor().
由OAuth2BodyExtractors.oauth2AccessTokenResponse()解析响应并相应地处理错误。
以下示例提供了自定义 Token Response 参数转换为OAuth2AccessTokenResponse:
-
Java
-
Kotlin
WebClientReactiveTokenExchangeTokenResponseClient accessTokenResponseClient =
new WebClientReactiveTokenExchangeTokenResponseClient();
BodyExtractor<Mono<Map<String, Object>>, ReactiveHttpInputMessage> bodyExtractor =
BodyExtractors.toMono(new ParameterizedTypeReference<>() {});
accessTokenResponseClient.setBodyExtractor((inputMessage, context) ->
bodyExtractor.extract(inputMessage, context)
.map(parameters -> OAuth2AccessTokenResponse.withToken("custom-token")
// ...
.build()
)
);val accessTokenResponseClient = WebClientReactiveTokenExchangeTokenResponseClient()
val bodyExtractor = BodyExtractors.toMono(object : ParameterizedTypeReference<Map<String, Any>>() {})
accessTokenResponseClient.setBodyExtractor { inputMessage, context ->
bodyExtractor.extract(inputMessage, context).map { parameters ->
OAuth2AccessTokenResponse.withToken("custom-token")
// ...
.build()
}
}|
当提供自定义 |
自定义WebClient
或者,如果您的要求更高级,您可以通过提供预配置的WebClient自setWebClient()如下例所示:
WebClient-
Java
-
Kotlin
WebClient webClient = WebClient.builder()
// ...
.build();
WebClientReactiveTokenExchangeTokenResponseClient accessTokenResponseClient =
new WebClientReactiveTokenExchangeTokenResponseClient();
accessTokenResponseClient.setWebClient(webClient);val webClient = WebClient.builder()
// ...
.build()
val accessTokenResponseClient = WebClientReactiveTokenExchangeTokenResponseClient()
accessTokenResponseClient.setWebClient(webClient)使用 Builder 进行自定义
无论您是否自定义WebClientReactiveTokenExchangeTokenResponseClient或提供您自己的ReactiveOAuth2AccessTokenResponseClient,您可以使用ReactiveOAuth2AuthorizedClientProviderBuilder(作为发布 bean 的替代方法),如下所示:
-
Java
-
Kotlin
// Customize
ReactiveOAuth2AccessTokenResponseClient<TokenExchangeGrantRequest> tokenExchangeTokenResponseClient = ...
TokenExchangeReactiveOAuth2AuthorizedClientProvider tokenExchangeAuthorizedClientProvider = new TokenExchangeReactiveOAuth2AuthorizedClientProvider();
tokenExchangeAuthorizedClientProvider.setAccessTokenResponseClient(tokenExchangeTokenResponseClient);
ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.provider(tokenExchangeAuthorizedClientProvider)
.build();
// ...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);// Customize
val tokenExchangeTokenResponseClient: ReactiveOAuth2AccessTokenResponseClient<TokenExchangeGrantRequest> = ...
val tokenExchangeAuthorizedClientProvider = TokenExchangeReactiveOAuth2AuthorizedClientProvider()
tokenExchangeAuthorizedClientProvider.setAccessTokenResponseClient(tokenExchangeTokenResponseClient)
val authorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.provider(tokenExchangeAuthorizedClientProvider)
.build()
// ...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)使用 Access Token
给定 OAuth 2.0 客户端注册的以下 Spring Boot 属性:
spring:
security:
oauth2:
client:
registration:
okta:
client-id: okta-client-id
client-secret: okta-client-secret
authorization-grant-type: urn:ietf:params:oauth:grant-type:token-exchange
scope: read
provider:
okta:
token-uri: https://dev-1234.oktapreview.com/oauth2/v1/token…和OAuth2AuthorizedClientManager @Bean:
-
Java
-
Kotlin
@Bean
public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
ReactiveClientRegistrationRepository clientRegistrationRepository,
ServerOAuth2AuthorizedClientRepository authorizedClientRepository) {
TokenExchangeReactiveOAuth2AuthorizedClientProvider tokenExchangeAuthorizedClientProvider =
new TokenExchangeReactiveOAuth2AuthorizedClientProvider();
ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.provider(tokenExchangeAuthorizedClientProvider)
.build();
DefaultReactiveOAuth2AuthorizedClientManager authorizedClientManager =
new DefaultReactiveOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository);
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
return authorizedClientManager;
}@Bean
fun authorizedClientManager(
clientRegistrationRepository: ReactiveClientRegistrationRepository,
authorizedClientRepository: ServerOAuth2AuthorizedClientRepository): ReactiveOAuth2AuthorizedClientManager {
val tokenExchangeAuthorizedClientProvider = TokenExchangeReactiveOAuth2AuthorizedClientProvider()
val authorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.provider(tokenExchangeAuthorizedClientProvider)
.build()
val authorizedClientManager = DefaultReactiveOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository)
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
return authorizedClientManager
}您可以获取OAuth2AccessToken如下:
-
Java
-
Kotlin
@RestController
public class OAuth2ResourceServerController {
@Autowired
private ReactiveOAuth2AuthorizedClientManager authorizedClientManager;
@GetMapping("/resource")
public Mono<String> resource(JwtAuthenticationToken jwtAuthentication) {
OAuth2AuthorizeRequest authorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
.principal(jwtAuthentication)
.build();
return this.authorizedClientManager.authorize(authorizeRequest)
.map(OAuth2AuthorizedClient::getAccessToken)
// ...
.thenReturn("index");
}
}class OAuth2ResourceServerController {
@Autowired
private lateinit var authorizedClientManager: ReactiveOAuth2AuthorizedClientManager
@GetMapping("/resource")
fun resource(jwtAuthentication: JwtAuthenticationToken): Mono<String> {
val authorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
.principal(jwtAuthentication)
.build()
return authorizedClientManager.authorize(authorizeRequest)
.map { it.accessToken }
// ...
.thenReturn("index")
}
}|
|
|
如果需要从其他来源解析主题令牌,可以提供 |
|
如果需要解析 actor 令牌,可以提供 |