Authorization Grant Support
Authorization Code
|
有关 Authorization Code 授权的更多详细信息,请参考 OAuth 2.0 授权框架。 |
Obtaining Authorization
|
有关授权码授权的 Authorization Request/Response 协议流,请参考。 |
Initiating the Authorization Request
OAuth2AuthorizationRequestRedirectWebFilter 使用 ServerOAuth2AuthorizationRequestResolver 解析 OAuth2AuthorizationRequest 并通过将最终用户用户代理重定向到授权服务器授权端点来启动授权码许可流程。
ServerOAuth2AuthorizationRequestResolver 的主要角色是从提供的 Web 请求中解析一个 OAuth2AuthorizationRequest。默认实现 DefaultServerOAuth2AuthorizationRequestResolver 匹配(默认)路径 /oauth2/authorization/{registrationId},提取 registrationId 并使用它为关联的 ClientRegistration 构建 OAuth2AuthorizationRequest。
给定 OAuth 2.0 客户端注册的以下 Spring Boot 2.x 属性:
spring:
security:
oauth2:
client:
registration:
okta:
client-id: okta-client-id
client-secret: okta-client-secret
authorization-grant-type: authorization_code
redirect-uri: "{baseUrl}/authorized/okta"
scope: read, write
provider:
okta:
authorization-uri: https://dev-1234.oktapreview.com/oauth2/v1/authorize
token-uri: https://dev-1234.oktapreview.com/oauth2/v1/token具有基本路径 /oauth2/authorization/okta 的请求将通过 OAuth2AuthorizationRequestRedirectWebFilter 启动授权请求重定向,并最终启动授权码许可流程。
|
|
如果 OAuth 2.0 客户端是 Public Client,则按如下配置 OAuth 2.0 客户端注册:
spring:
security:
oauth2:
client:
registration:
okta:
client-id: okta-client-id
client-authentication-method: none
authorization-grant-type: authorization_code
redirect-uri: "{baseUrl}/authorized/okta"
...公共客户端使用 Proof Key for Code Exchange(PKCE)提供支持。如果客户端在不可信环境中运行(例如,本地应用程序或基于 Web 浏览器的应用程序),因此无法维持其证书的机密性,则当满足以下条件时将自动使用 PKCE:
-
client-secret被省略(或为空) -
client-authentication-method`被设置为 "none" (`ClientAuthenticationMethod.NONE)
|
如果 OAuth 2.0 提供程序支持 Confidential Clients 的 PKCE,您可以(可选)使用 |
DefaultServerOAuth2AuthorizationRequestResolver 可使用 UriComponentsBuilder 也支持 redirect-uri 的 URI 模板变量。
以下配置使用所有受支持的 URI 模板变量:
spring:
security:
oauth2:
client:
registration:
okta:
...
redirect-uri: "{baseScheme}://{baseHost}{basePort}{basePath}/authorized/{registrationId}"
...|
|
使用 URI 模板变量配置 redirect-uri 在 OAuth 2.0 Client 在 Proxy Server 后面运行时尤为有用。这样可确保在扩展 redirect-uri 时使用 X-Forwarded-* 头部。
Customizing the Authorization Request
ServerOAuth2AuthorizationRequestResolver 可以实现的主要用例之一是能够使用 OAuth 2.0 授权框架中定义的标准参数之上的其他参数自定义授权请求。
例如,OpenID Connect 为 Authorization Code Flow 定义额外的 OAuth 2.0 请求参数,该请求参数从 OAuth 2.0 Authorization Framework 中定义的标准参数扩展而来。这些扩展参数之一是 prompt 参数。
|
可选的。用空格分隔,区分大小写的 ASCII 字符串值列表,用于指定授权服务器是否提示最终用户重新进行身份验证并同意。定义的值为: 无、登录、同意、选择账户 |
以下示例演示了如何使用 Consumer<OAuth2AuthorizationRequest.Builder> 配置 DefaultServerOAuth2AuthorizationRequestResolver,该 Consumer<OAuth2AuthorizationRequest.Builder> 通过包含请求参数 prompt=consent 来自定义 oauth2Login() 的授权请求。
-
Java
-
Kotlin
@Configuration
@EnableWebFluxSecurity
public class OAuth2LoginSecurityConfig {
@Autowired
private ReactiveClientRegistrationRepository clientRegistrationRepository;
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
http
.authorizeExchange(authorize -> authorize
.anyExchange().authenticated()
)
.oauth2Login(oauth2 -> oauth2
.authorizationRequestResolver(
authorizationRequestResolver(this.clientRegistrationRepository)
)
);
return http.build();
}
private ServerOAuth2AuthorizationRequestResolver authorizationRequestResolver(
ReactiveClientRegistrationRepository clientRegistrationRepository) {
DefaultServerOAuth2AuthorizationRequestResolver authorizationRequestResolver =
new DefaultServerOAuth2AuthorizationRequestResolver(
clientRegistrationRepository);
authorizationRequestResolver.setAuthorizationRequestCustomizer(
authorizationRequestCustomizer());
return authorizationRequestResolver;
}
private Consumer<OAuth2AuthorizationRequest.Builder> authorizationRequestCustomizer() {
return customizer -> customizer
.additionalParameters(params -> params.put("prompt", "consent"));
}
}@Configuration
@EnableWebFluxSecurity
class SecurityConfig {
@Autowired
private lateinit var customClientRegistrationRepository: ReactiveClientRegistrationRepository
@Bean
fun securityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
http {
authorizeExchange {
authorize(anyExchange, authenticated)
}
oauth2Login {
authorizationRequestResolver = authorizationRequestResolver(customClientRegistrationRepository)
}
}
return http.build()
}
private fun authorizationRequestResolver(
clientRegistrationRepository: ReactiveClientRegistrationRepository): ServerOAuth2AuthorizationRequestResolver {
val authorizationRequestResolver = DefaultServerOAuth2AuthorizationRequestResolver(
clientRegistrationRepository)
authorizationRequestResolver.setAuthorizationRequestCustomizer(
authorizationRequestCustomizer())
return authorizationRequestResolver
}
private fun authorizationRequestCustomizer(): Consumer<OAuth2AuthorizationRequest.Builder> {
return Consumer { customizer ->
customizer
.additionalParameters { params -> params["prompt"] = "consent" }
}
}
}对于简单的用例,如果附加请求参数对于特定提供程序始终相同,则可以将其直接添加到 authorization-uri 属性中。
例如,如果请求参数 prompt 的值对于提供程序 okta 始终为 consent,则只需照如下进行配置:
spring:
security:
oauth2:
client:
provider:
okta:
authorization-uri: https://dev-1234.oktapreview.com/oauth2/v1/authorize?prompt=consent上述示例演示了在标准参数之上添加自定义参数的常见用例。或者,如果您的要求更高级,您可以通过简单地覆盖 OAuth2AuthorizationRequest.authorizationRequestUri 属性来完全控制生成授权请求 URI。
|
|
以下示例演示了上一示例中 authorizationRequestCustomizer() 的一个变体,并且覆盖了 OAuth2AuthorizationRequest.authorizationRequestUri 属性。
-
Java
-
Kotlin
private Consumer<OAuth2AuthorizationRequest.Builder> authorizationRequestCustomizer() {
return customizer -> customizer
.authorizationRequestUri(uriBuilder -> uriBuilder
.queryParam("prompt", "consent").build());
}private fun authorizationRequestCustomizer(): Consumer<OAuth2AuthorizationRequest.Builder> {
return Consumer { customizer: OAuth2AuthorizationRequest.Builder ->
customizer
.authorizationRequestUri { uriBuilder: UriBuilder ->
uriBuilder
.queryParam("prompt", "consent").build()
}
}
}Storing the Authorization Request
ServerAuthorizationRequestRepository 负责从发起授权请求到收到授权响应(回调)这段时间的 OAuth2AuthorizationRequest 的持久性。
|
|
ServerAuthorizationRequestRepository 的默认实现是 WebSessionOAuth2ServerAuthorizationRequestRepository,它将 OAuth2AuthorizationRequest 存储在 WebSession 中。
如果您有 ServerAuthorizationRequestRepository 的自定义实现,则可以按以下示例所示进行配置:
-
Java
-
Kotlin
@Configuration
@EnableWebFluxSecurity
public class OAuth2ClientSecurityConfig {
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
http
.oauth2Client(oauth2 -> oauth2
.authorizationRequestRepository(this.authorizationRequestRepository())
...
);
return http.build();
}
}@Configuration
@EnableWebFluxSecurity
class OAuth2ClientSecurityConfig {
@Bean
fun securityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
http {
oauth2Client {
authorizationRequestRepository = authorizationRequestRepository()
}
}
return http.build()
}
}Requesting an Access Token
|
有关授权码授权的 Access Token Request/Response 协议流,请参考。 |
用于授权代码授予的 ReactiveOAuth2AccessTokenResponseClient 的默认实现是 WebClientReactiveAuthorizationCodeTokenResponseClient,它使用 WebClient 在授权服务器令牌端点处将授权代码兑换为访问令牌。
WebClientReactiveAuthorizationCodeTokenResponseClient 非常灵活,因为它允许您自定义令牌请求的预处理和/或令牌响应的后处理。
Customizing the Access Token Request
如果您需要自定义令牌请求的预处理,可以使用自定义的 Converter<OAuth2AuthorizationCodeGrantRequest, MultiValueMap<String, String>>`向 `WebClientReactiveAuthorizationCodeTokenResponseClient.setParametersConverter()`提供支持。默认实现构建 `MultiValueMap<String, String>,其中仅包含标准 OAuth 2.0 Access Token Request的 grant_type`参数,该参数用于构建请求。授权代码授予所需的其它参数由 `WebClientReactiveAuthorizationCodeTokenResponseClient`直接添加到请求正文中。不过,提供自定义的 `Converter,这能让您扩展标准令牌请求并添加自定义参数。
|
如果你只想添加其他参数,则可以用带有自定义 |
自定义 Converter 必须返回目标 OAuth 2.0 提供程序可理解的 OAuth 2.0 访问令牌请求的有效参数。
Customizing the Access Token Response
另一方面,如果您需要自定义令牌响应的后处理,则需要为 WebClientReactiveAuthorizationCodeTokenResponseClient.setBodyExtractor() 提供使用自定义配置的 BodyExtractor<Mono<OAuth2AccessTokenResponse>, ReactiveHttpInputMessage>,该 BodyExtractor<Mono<OAuth2AccessTokenResponse>, ReactiveHttpInputMessage> 用于将 OAuth 2.0 访问令牌响应转换为 OAuth2AccessTokenResponse。由 OAuth2BodyExtractors.oauth2AccessTokenResponse() 提供的默认实现会解析响应并相应地处理错误。
Customizing the WebClient
或者,如果您的要求更高级,您可以通过简单地为 WebClientReactiveAuthorizationCodeTokenResponseClient.setWebClient() 提供使用自定义配置的 WebClient 来完全控制请求/响应。
无论是自定义 WebClientReactiveAuthorizationCodeTokenResponseClient 还是提供您自己的 ReactiveOAuth2AccessTokenResponseClient 实现,您都需要按以下示例所示进行配置:
-
Java
-
Kotlin
@Configuration
@EnableWebFluxSecurity
public class OAuth2ClientSecurityConfig {
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
http
.oauth2Client(oauth2 -> oauth2
.authenticationManager(this.authorizationCodeAuthenticationManager())
...
);
return http.build();
}
private ReactiveAuthenticationManager authorizationCodeAuthenticationManager() {
WebClientReactiveAuthorizationCodeTokenResponseClient accessTokenResponseClient =
new WebClientReactiveAuthorizationCodeTokenResponseClient();
...
return new OAuth2AuthorizationCodeReactiveAuthenticationManager(accessTokenResponseClient);
}
}@Configuration
@EnableWebFluxSecurity
class OAuth2ClientSecurityConfig {
@Bean
fun securityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
http {
oauth2Client {
authenticationManager = authorizationCodeAuthenticationManager()
}
}
return http.build()
}
private fun authorizationCodeAuthenticationManager(): ReactiveAuthenticationManager {
val accessTokenResponseClient = WebClientReactiveAuthorizationCodeTokenResponseClient()
...
return OAuth2AuthorizationCodeReactiveAuthenticationManager(accessTokenResponseClient)
}
}Refresh Token
|
有关 Refresh Token 的更多详细信息,请参考 OAuth 2.0 授权框架。 |
Refreshing an Access Token
|
有关刷新令牌授权的 Access Token Request/Response 协议流,请参考。 |
用于刷新令牌授予的 ReactiveOAuth2AccessTokenResponseClient 的默认实现是 WebClientReactiveRefreshTokenTokenResponseClient,它在授权服务器令牌端点处刷新访问令牌时使用 WebClient。
WebClientReactiveRefreshTokenTokenResponseClient 非常灵活,因为它允许您自定义令牌请求的预处理和/或令牌响应的后处理。
Customizing the Access Token Request
如果您需要自定义令牌请求的预处理,可以使用自定义的 Converter<OAuth2RefreshTokenGrantRequest, MultiValueMap<String, String>>`向 `WebClientReactiveRefreshTokenTokenResponseClient.setParametersConverter()`提供支持。默认实现构建 `MultiValueMap<String, String>,其中仅包含标准 OAuth 2.0 Access Token Request的 grant_type`参数,该参数用于构建请求。刷新令牌授予所需的其它参数由 `WebClientReactiveRefreshTokenTokenResponseClient`直接添加到请求正文中。不过,提供自定义的 `Converter,这能让您扩展标准令牌请求并添加自定义参数。
|
如果你只想添加其他参数,则可以用带有自定义 |
自定义 Converter 必须返回目标 OAuth 2.0 提供程序可理解的 OAuth 2.0 访问令牌请求的有效参数。
Customizing the Access Token Response
另一方面,如果您需要自定义令牌响应的后处理,您将需要为 WebClientReactiveRefreshTokenTokenResponseClient.setBodyExtractor() 提供使用 BodyExtractor<Mono<OAuth2AccessTokenResponse>, ReactiveHttpInputMessage> 自定义配置,它用于转换 OAuth 2.0 访问令牌响应到 OAuth2AccessTokenResponse。由 OAuth2BodyExtractors.oauth2AccessTokenResponse() 提供的默认实现解析响应并相应地处理错误。
Customizing the WebClient
或者,如果您有更高级的需求,您可以通过简单地为 WebClientReactiveRefreshTokenTokenResponseClient.setWebClient() 提供使用 WebClient 自定义配置来完全控制请求/响应。
无论您是自定义 WebClientReactiveRefreshTokenTokenResponseClient 还是提供您自己的 ReactiveOAuth2AccessTokenResponseClient 的实现,都需要按照以下示例进行配置。
-
Java
-
Kotlin
// Customize
ReactiveOAuth2AccessTokenResponseClient<OAuth2RefreshTokenGrantRequest> refreshTokenTokenResponseClient = ...
ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.authorizationCode()
.refreshToken(configurer -> configurer.accessTokenResponseClient(refreshTokenTokenResponseClient))
.build();
...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);// Customize
val refreshTokenTokenResponseClient: ReactiveOAuth2AccessTokenResponseClient<OAuth2RefreshTokenGrantRequest> = ...
val authorizedClientProvider: ReactiveOAuth2AuthorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.authorizationCode()
.refreshToken { it.accessTokenResponseClient(refreshTokenTokenResponseClient) }
.build()
...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)|
|
对于 authorization_code 和 password 授权类型,可以在访问令牌响应中选择性返回 OAuth2RefreshToken。如果 OAuth2AuthorizedClient.getRefreshToken() 可用且 OAuth2AuthorizedClient.getAccessToken() 已过期,它将由 RefreshTokenReactiveOAuth2AuthorizedClientProvider 自动刷新。
Client Credentials
|
请参阅 OAuth 2.0 授权框架,进一步了解 Client Credentials 授权。 |
Requesting an Access Token
|
有关客户端凭据授权的 Access Token Request/Response 协议流,请参考。 |
用于客户端凭据授权的 ReactiveOAuth2AccessTokenResponseClient 的默认实现是 WebClientReactiveClientCredentialsTokenResponseClient,它在授权服务器的令牌端点请求访问令牌时使用 WebClient。
WebClientReactiveClientCredentialsTokenResponseClient 非常灵活,因为它允许您自定义令牌请求的预处理和/或令牌响应的后处理。
Customizing the Access Token Request
如果您需要自定义令牌请求的预处理,可以使用自定义的 Converter<OAuth2ClientCredentialsGrantRequest, MultiValueMap<String, String>>`向 `WebClientReactiveClientCredentialsTokenResponseClient.setParametersConverter()`提供支持。默认实现构建 `MultiValueMap<String, String>,其中仅包含标准 OAuth 2.0 Access Token Request的 grant_type`参数,该参数用于构建请求。客户端凭据授予所需的其它参数由 `WebClientReactiveClientCredentialsTokenResponseClient`直接添加到请求正文中。不过,提供自定义的 `Converter,这能让您扩展标准令牌请求并添加自定义参数。
|
如果您只想添加其他参数,您可以向 |
自定义 Converter 必须返回目标 OAuth 2.0 提供程序可理解的 OAuth 2.0 访问令牌请求的有效参数。
Customizing the Access Token Response
另一方面,如果您需要自定义令牌响应的后处理,您将需要为 WebClientReactiveClientCredentialsTokenResponseClient.setBodyExtractor() 提供使用 BodyExtractor<Mono<OAuth2AccessTokenResponse>, ReactiveHttpInputMessage> 自定义配置,它用于转换 OAuth 2.0 访问令牌响应到 OAuth2AccessTokenResponse。由 OAuth2BodyExtractors.oauth2AccessTokenResponse() 提供的默认实现解析响应并相应地处理错误。
Customizing the WebClient
或者,如果您有更高级的需求,您可以通过简单地为 WebClientReactiveClientCredentialsTokenResponseClient.setWebClient() 提供使用 WebClient 自定义配置来完全控制请求/响应。
无论您自定义 WebClientReactiveClientCredentialsTokenResponseClient 还是提供您自己的 ReactiveOAuth2AccessTokenResponseClient 的实现,都需要按照以下示例进行配置。
-
Java
-
Kotlin
// Customize
ReactiveOAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> clientCredentialsTokenResponseClient = ...
ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.clientCredentials(configurer -> configurer.accessTokenResponseClient(clientCredentialsTokenResponseClient))
.build();
...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);// Customize
val clientCredentialsTokenResponseClient: ReactiveOAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> = ...
val authorizedClientProvider: ReactiveOAuth2AuthorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.clientCredentials { it.accessTokenResponseClient(clientCredentialsTokenResponseClient) }
.build()
...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)|
|
Using the Access Token
给定 OAuth 2.0 客户端注册的以下 Spring Boot 2.x 属性:
spring:
security:
oauth2:
client:
registration:
okta:
client-id: okta-client-id
client-secret: okta-client-secret
authorization-grant-type: client_credentials
scope: read, write
provider:
okta:
token-uri: https://dev-1234.oktapreview.com/oauth2/v1/token…以及 ReactiveOAuth2AuthorizedClientManager @Bean:
-
Java
-
Kotlin
@Bean
public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
ReactiveClientRegistrationRepository clientRegistrationRepository,
ServerOAuth2AuthorizedClientRepository authorizedClientRepository) {
ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.clientCredentials()
.build();
DefaultReactiveOAuth2AuthorizedClientManager authorizedClientManager =
new DefaultReactiveOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository);
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
return authorizedClientManager;
}@Bean
fun authorizedClientManager(
clientRegistrationRepository: ReactiveClientRegistrationRepository,
authorizedClientRepository: ServerOAuth2AuthorizedClientRepository): ReactiveOAuth2AuthorizedClientManager {
val authorizedClientProvider: ReactiveOAuth2AuthorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.clientCredentials()
.build()
val authorizedClientManager = DefaultReactiveOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository)
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
return authorizedClientManager
}可按如下方式获取 OAuth2AccessToken:
-
Java
-
Kotlin
@Controller
public class OAuth2ClientController {
@Autowired
private ReactiveOAuth2AuthorizedClientManager authorizedClientManager;
@GetMapping("/")
public Mono<String> index(Authentication authentication, ServerWebExchange exchange) {
OAuth2AuthorizeRequest authorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
.principal(authentication)
.attribute(ServerWebExchange.class.getName(), exchange)
.build();
return this.authorizedClientManager.authorize(authorizeRequest)
.map(OAuth2AuthorizedClient::getAccessToken)
...
.thenReturn("index");
}
}class OAuth2ClientController {
@Autowired
private lateinit var authorizedClientManager: ReactiveOAuth2AuthorizedClientManager
@GetMapping("/")
fun index(authentication: Authentication, exchange: ServerWebExchange): Mono<String> {
val authorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
.principal(authentication)
.attribute(ServerWebExchange::class.java.name, exchange)
.build()
return authorizedClientManager.authorize(authorizeRequest)
.map { it.accessToken }
...
.thenReturn("index")
}
}|
|
Resource Owner Password Credentials
|
有关 Resource Owner Password Credentials 授权的更多详细信息,请参考 OAuth 2.0 授权框架。 |
Requesting an Access Token
|
有关资源拥有者密码凭据授权的 Access Token Request/Response 协议流,请参考。 |
用于资源所有者密码凭据授权的 ReactiveOAuth2AccessTokenResponseClient 的默认实现是 WebClientReactivePasswordTokenResponseClient,它在授权服务器的令牌端点请求访问令牌时使用 WebClient。
WebClientReactivePasswordTokenResponseClient 非常灵活,因为它允许您自定义令牌请求的预处理和/或令牌响应的后处理。
Customizing the Access Token Request
如果您需要自定义令牌请求的预处理,可以使用自定义的 Converter<OAuth2PasswordGrantRequest, MultiValueMap<String, String>>`向 `WebClientReactivePasswordTokenResponseClient.setParametersConverter()`提供支持。默认实现构建 `MultiValueMap<String, String>,其中仅包含标准 OAuth 2.0 Access Token Request的 grant_type`参数,该参数用于构建请求。资源所有者密码凭据授予所需的其它参数由 `WebClientReactivePasswordTokenResponseClient`直接添加到请求正文中。不过,提供自定义的 `Converter,这能让您扩展标准令牌请求并添加自定义参数。
|
如果您只想添加其他参数,您可以向 |
自定义 Converter 必须返回目标 OAuth 2.0 提供程序可理解的 OAuth 2.0 访问令牌请求的有效参数。
Customizing the Access Token Response
另一方面,如果您需要自定义令牌响应的后处理,您将需要为 WebClientReactivePasswordTokenResponseClient.setBodyExtractor() 提供使用 BodyExtractor<Mono<OAuth2AccessTokenResponse>, ReactiveHttpInputMessage> 自定义配置,它用于转换 OAuth 2.0 访问令牌响应到 OAuth2AccessTokenResponse。由 OAuth2BodyExtractors.oauth2AccessTokenResponse() 提供的默认实现解析响应并相应地处理错误。
Customizing the WebClient
或者,如果您有更高级的需求,您可以通过简单地为 WebClientReactivePasswordTokenResponseClient.setWebClient() 提供使用 WebClient 自定义配置来完全控制请求/响应。
无论您自定义 WebClientReactivePasswordTokenResponseClient 还是提供您自己的 ReactiveOAuth2AccessTokenResponseClient 的实现,都需要按照以下示例进行配置。
-
Java
-
Kotlin
// Customize
ReactiveOAuth2AccessTokenResponseClient<OAuth2PasswordGrantRequest> passwordTokenResponseClient = ...
ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.password(configurer -> configurer.accessTokenResponseClient(passwordTokenResponseClient))
.refreshToken()
.build();
...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);val passwordTokenResponseClient: ReactiveOAuth2AccessTokenResponseClient<OAuth2PasswordGrantRequest> = ...
val authorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.password { it.accessTokenResponseClient(passwordTokenResponseClient) }
.refreshToken()
.build()
...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)|
|
Using the Access Token
给定 OAuth 2.0 客户端注册的以下 Spring Boot 2.x 属性:
spring:
security:
oauth2:
client:
registration:
okta:
client-id: okta-client-id
client-secret: okta-client-secret
authorization-grant-type: password
scope: read, write
provider:
okta:
token-uri: https://dev-1234.oktapreview.com/oauth2/v1/token…以及 ReactiveOAuth2AuthorizedClientManager @Bean:
-
Java
-
Kotlin
@Bean
public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
ReactiveClientRegistrationRepository clientRegistrationRepository,
ServerOAuth2AuthorizedClientRepository authorizedClientRepository) {
ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.password()
.refreshToken()
.build();
DefaultReactiveOAuth2AuthorizedClientManager authorizedClientManager =
new DefaultReactiveOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository);
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
// Assuming the `username` and `password` are supplied as `ServerHttpRequest` parameters,
// map the `ServerHttpRequest` parameters to `OAuth2AuthorizationContext.getAttributes()`
authorizedClientManager.setContextAttributesMapper(contextAttributesMapper());
return authorizedClientManager;
}
private Function<OAuth2AuthorizeRequest, Mono<Map<String, Object>>> contextAttributesMapper() {
return authorizeRequest -> {
Map<String, Object> contextAttributes = Collections.emptyMap();
ServerWebExchange exchange = authorizeRequest.getAttribute(ServerWebExchange.class.getName());
ServerHttpRequest request = exchange.getRequest();
String username = request.getQueryParams().getFirst(OAuth2ParameterNames.USERNAME);
String password = request.getQueryParams().getFirst(OAuth2ParameterNames.PASSWORD);
if (StringUtils.hasText(username) && StringUtils.hasText(password)) {
contextAttributes = new HashMap<>();
// `PasswordReactiveOAuth2AuthorizedClientProvider` requires both attributes
contextAttributes.put(OAuth2AuthorizationContext.USERNAME_ATTRIBUTE_NAME, username);
contextAttributes.put(OAuth2AuthorizationContext.PASSWORD_ATTRIBUTE_NAME, password);
}
return Mono.just(contextAttributes);
};
}@Bean
fun authorizedClientManager(
clientRegistrationRepository: ReactiveClientRegistrationRepository,
authorizedClientRepository: ServerOAuth2AuthorizedClientRepository): ReactiveOAuth2AuthorizedClientManager {
val authorizedClientProvider: ReactiveOAuth2AuthorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.password()
.refreshToken()
.build()
val authorizedClientManager = DefaultReactiveOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository)
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
// Assuming the `username` and `password` are supplied as `ServerHttpRequest` parameters,
// map the `ServerHttpRequest` parameters to `OAuth2AuthorizationContext.getAttributes()`
authorizedClientManager.setContextAttributesMapper(contextAttributesMapper())
return authorizedClientManager
}
private fun contextAttributesMapper(): Function<OAuth2AuthorizeRequest, Mono<MutableMap<String, Any>>> {
return Function { authorizeRequest ->
var contextAttributes: MutableMap<String, Any> = mutableMapOf()
val exchange: ServerWebExchange = authorizeRequest.getAttribute(ServerWebExchange::class.java.name)!!
val request: ServerHttpRequest = exchange.request
val username: String? = request.queryParams.getFirst(OAuth2ParameterNames.USERNAME)
val password: String? = request.queryParams.getFirst(OAuth2ParameterNames.PASSWORD)
if (StringUtils.hasText(username) && StringUtils.hasText(password)) {
contextAttributes = hashMapOf()
// `PasswordReactiveOAuth2AuthorizedClientProvider` requires both attributes
contextAttributes[OAuth2AuthorizationContext.USERNAME_ATTRIBUTE_NAME] = username!!
contextAttributes[OAuth2AuthorizationContext.PASSWORD_ATTRIBUTE_NAME] = password!!
}
Mono.just(contextAttributes)
}
}可按如下方式获取 OAuth2AccessToken:
-
Java
-
Kotlin
@Controller
public class OAuth2ClientController {
@Autowired
private ReactiveOAuth2AuthorizedClientManager authorizedClientManager;
@GetMapping("/")
public Mono<String> index(Authentication authentication, ServerWebExchange exchange) {
OAuth2AuthorizeRequest authorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
.principal(authentication)
.attribute(ServerWebExchange.class.getName(), exchange)
.build();
return this.authorizedClientManager.authorize(authorizeRequest)
.map(OAuth2AuthorizedClient::getAccessToken)
...
.thenReturn("index");
}
}@Controller
class OAuth2ClientController {
@Autowired
private lateinit var authorizedClientManager: ReactiveOAuth2AuthorizedClientManager
@GetMapping("/")
fun index(authentication: Authentication, exchange: ServerWebExchange): Mono<String> {
val authorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
.principal(authentication)
.attribute(ServerWebExchange::class.java.name, exchange)
.build()
return authorizedClientManager.authorize(authorizeRequest)
.map { it.accessToken }
...
.thenReturn("index")
}
}|
|
JWT Bearer
|
请参阅 JSON Web Token (JWT) OAuth 2.0 客户端认证和认证授予简介以详细了解 JWT Bearer 授权。 |
Requesting an Access Token
|
请参阅 Access Token Request/Response 协议流程以了解 JWT 持有者授权。 |
用于 JWT Bearer 授权的 ReactiveOAuth2AccessTokenResponseClient 的默认实现是 WebClientReactiveJwtBearerTokenResponseClient,它在授权服务器的令牌端点请求访问令牌时使用 WebClient。
WebClientReactiveJwtBearerTokenResponseClient 非常灵活,因为它允许您自定义令牌请求的预处理和/或令牌响应的后处理。
Customizing the Access Token Request
如果您需要自定义令牌请求的预处理,可以使用自定义的 Converter<JwtBearerGrantRequest, MultiValueMap<String, String>>`向 `WebClientReactiveJwtBearerTokenResponseClient.setParametersConverter()`提供支持。默认实现构建 `MultiValueMap<String, String>,其中仅包含标准 OAuth 2.0 Access Token Request的 grant_type`参数,该参数用于构建请求。JWT 持有者授予所需的其它参数由 `WebClientReactiveJwtBearerTokenResponseClient`直接添加到请求正文中。不过,提供自定义的 `Converter,这能让您扩展标准令牌请求并添加自定义参数。
|
如果您只想添加其他参数,您可以向 |
自定义 Converter 必须返回目标 OAuth 2.0 提供程序可理解的 OAuth 2.0 访问令牌请求的有效参数。
Customizing the Access Token Response
另一方面,如果您需要定制令牌响应的后处理,您需要向 WebClientReactiveJwtBearerTokenResponseClient.setBodyExtractor() 提供一个定制配置的 BodyExtractor<Mono<OAuth2AccessTokenResponse>, ReactiveHttpInputMessage>,该配置用于将 OAuth 2.0 访问令牌响应转换为 OAuth2AccessTokenResponse。默认实现由 OAuth2BodyExtractors.oauth2AccessTokenResponse() 提供,解析响应并相应地处理错误。
Customizing the WebClient
或者,如果您的要求更高级,您可以通过简单地向 WebClientReactiveJwtBearerTokenResponseClient.setWebClient() 提供一个定制配置的 WebClient 来完全控制请求/响应。
无论您是要定制 WebClientReactiveJwtBearerTokenResponseClient 还是提供自己实现的 ReactiveOAuth2AccessTokenResponseClient,您都需要按以下示例所示进行配置:
-
Java
-
Kotlin
// Customize
ReactiveOAuth2AccessTokenResponseClient<JwtBearerGrantRequest> jwtBearerTokenResponseClient = ...
JwtBearerReactiveOAuth2AuthorizedClientProvider jwtBearerAuthorizedClientProvider = new JwtBearerReactiveOAuth2AuthorizedClientProvider();
jwtBearerAuthorizedClientProvider.setAccessTokenResponseClient(jwtBearerTokenResponseClient);
ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.provider(jwtBearerAuthorizedClientProvider)
.build();
...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);// Customize
val jwtBearerTokenResponseClient: ReactiveOAuth2AccessTokenResponseClient<JwtBearerGrantRequest> = ...
val jwtBearerAuthorizedClientProvider = JwtBearerReactiveOAuth2AuthorizedClientProvider()
jwtBearerAuthorizedClientProvider.setAccessTokenResponseClient(jwtBearerTokenResponseClient)
val authorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.provider(jwtBearerAuthorizedClientProvider)
.build()
...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)Using the Access Token
给定 OAuth 2.0 客户端注册的以下 Spring Boot 2.x 属性:
spring:
security:
oauth2:
client:
registration:
okta:
client-id: okta-client-id
client-secret: okta-client-secret
authorization-grant-type: urn:ietf:params:oauth:grant-type:jwt-bearer
scope: read
provider:
okta:
token-uri: https://dev-1234.oktapreview.com/oauth2/v1/token…和 OAuth2AuthorizedClientManager @Bean:
-
Java
-
Kotlin
@Bean
public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
ReactiveClientRegistrationRepository clientRegistrationRepository,
ServerOAuth2AuthorizedClientRepository authorizedClientRepository) {
JwtBearerReactiveOAuth2AuthorizedClientProvider jwtBearerAuthorizedClientProvider =
new JwtBearerReactiveOAuth2AuthorizedClientProvider();
ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.provider(jwtBearerAuthorizedClientProvider)
.build();
DefaultReactiveOAuth2AuthorizedClientManager authorizedClientManager =
new DefaultReactiveOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository);
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
return authorizedClientManager;
}@Bean
fun authorizedClientManager(
clientRegistrationRepository: ReactiveClientRegistrationRepository,
authorizedClientRepository: ServerOAuth2AuthorizedClientRepository): ReactiveOAuth2AuthorizedClientManager {
val jwtBearerAuthorizedClientProvider = JwtBearerReactiveOAuth2AuthorizedClientProvider()
val authorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.provider(jwtBearerAuthorizedClientProvider)
.build()
val authorizedClientManager = DefaultReactiveOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository)
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
return authorizedClientManager
}可按如下方式获取 OAuth2AccessToken:
-
Java
-
Kotlin
@RestController
public class OAuth2ResourceServerController {
@Autowired
private ReactiveOAuth2AuthorizedClientManager authorizedClientManager;
@GetMapping("/resource")
public Mono<String> resource(JwtAuthenticationToken jwtAuthentication, ServerWebExchange exchange) {
OAuth2AuthorizeRequest authorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
.principal(jwtAuthentication)
.build();
return this.authorizedClientManager.authorize(authorizeRequest)
.map(OAuth2AuthorizedClient::getAccessToken)
...
}
}class OAuth2ResourceServerController {
@Autowired
private lateinit var authorizedClientManager: ReactiveOAuth2AuthorizedClientManager
@GetMapping("/resource")
fun resource(jwtAuthentication: JwtAuthenticationToken, exchange: ServerWebExchange): Mono<String> {
val authorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
.principal(jwtAuthentication)
.build()
return authorizedClientManager.authorize(authorizeRequest)
.map { it.accessToken }
...
}
}|
|
|
如果您需要从不同来源解析 |