授權許可支援

本節描述 Spring Security 對授權許可的支援。

授權碼

有關授權碼許可的更多詳細資訊,請參閱 OAuth 2.0 授權框架。

獲取授權

有關授權碼許可的授權請求/響應協議流程,請參閱。

發起授權請求

OAuth2AuthorizationRequestRedirectWebFilter 使用 ServerOAuth2AuthorizationRequestResolver 來解析 OAuth2AuthorizationRequest,並透過將終端使用者的使用者代理重定向到授權伺服器的授權端點來發起授權碼許可流程。

ServerOAuth2AuthorizationRequestResolver 的主要作用是從提供的 Web 請求中解析 OAuth2AuthorizationRequest。預設實現 DefaultServerOAuth2AuthorizationRequestResolver 匹配(預設)路徑 /oauth2/authorization/{registrationId},提取 registrationId 並使用它來為關聯的 ClientRegistration 構建 OAuth2AuthorizationRequest

給定以下 OAuth 2.0 客戶端註冊的 Spring Boot 屬性

spring:
  security:
    oauth2:
      client:
        registration:
          okta:
            client-id: okta-client-id
            client-secret: okta-client-secret
            authorization-grant-type: authorization_code
            redirect-uri: "{baseUrl}/authorized/okta"
            scope: read, write
        provider:
          okta:
            authorization-uri: https://dev-1234.oktapreview.com/oauth2/v1/authorize
            token-uri: https://dev-1234.oktapreview.com/oauth2/v1/token

包含基本路徑 /oauth2/authorization/okta 的請求將由 OAuth2AuthorizationRequestRedirectWebFilter 啟動授權請求重定向,並最終啟動授權碼許可流程。

AuthorizationCodeReactiveOAuth2AuthorizedClientProvider 是授權碼許可的 ReactiveOAuth2AuthorizedClientProvider 實現,它也透過 OAuth2AuthorizationRequestRedirectWebFilter 啟動授權請求重定向。

如果 OAuth 2.0 客戶端是公共客戶端,則配置 OAuth 2.0 客戶端註冊如下

spring:
  security:
    oauth2:
      client:
        registration:
          okta:
            client-id: okta-client-id
            client-authentication-method: none
            authorization-grant-type: authorization_code
            redirect-uri: "{baseUrl}/authorized/okta"
            # ...

公共客戶端透過程式碼交換證明金鑰 (PKCE) 支援。如果客戶端在不受信任的環境中執行(例如,原生應用程式或基於 Web 瀏覽器的應用程式),因此無法維護其憑據的機密性,則在滿足以下條件時將自動使用 PKCE:

  1. client-secret 被省略(或為空)

  2. client-authentication-method 設定為 "none" (ClientAuthenticationMethod.NONE)

  1. ClientRegistration.clientSettings.requireProofKeytrue 時(在這種情況下,ClientRegistration.authorizationGrantType 必須是 authorization_code

如果 OAuth 2.0 提供者支援 PKCE 用於機密客戶端,您可以(可選地)使用 DefaultServerOAuth2AuthorizationRequestResolver.setAuthorizationRequestCustomizer(OAuth2AuthorizationRequestCustomizers.withPkce()) 進行配置。

DefaultServerOAuth2AuthorizationRequestResolver 還支援使用 UriComponentsBuilderredirect-uri 配置 URI 模板變數。

以下配置使用所有支援的 URI 模板變數

spring:
  security:
    oauth2:
      client:
        registration:
          okta:
            # ...
            redirect-uri: "{baseScheme}://{baseHost}{basePort}{basePath}/authorized/{registrationId}"
            # ...

{baseUrl} 解析為 {baseScheme}://{baseHost}{basePort}{basePath}

當 OAuth 2.0 客戶端執行在代理伺服器後面時,使用 URI 模板變數配置 redirect-uri 尤其有用。這確保在展開 redirect-uri 時使用 X-Forwarded-* 標頭。

自定義授權請求

ServerOAuth2AuthorizationRequestResolver 的主要用例之一是能夠使用 OAuth 2.0 授權框架中定義的標準引數之外的附加引數來定製授權請求。

例如,OpenID Connect 為授權碼流定義了額外的 OAuth 2.0 請求引數,這些引數擴充套件自OAuth 2.0 授權框架中定義的標準引數。其中一個擴充套件引數是 prompt 引數。

prompt 引數是可選的。空格分隔的、區分大小寫的 ASCII 字串值列表,指定授權伺服器是否提示終端使用者重新認證和同意。定義的值有:noneloginconsentselect_account

以下示例展示瞭如何使用 Consumer<OAuth2AuthorizationRequest.Builder> 配置 DefaultServerOAuth2AuthorizationRequestResolver,該 Consumer 透過包含請求引數 prompt=consent 來定製 oauth2Login() 的授權請求。

  • Java

  • Kotlin

@Configuration
@EnableWebFluxSecurity
public class OAuth2LoginSecurityConfig {

	@Autowired
	private ReactiveClientRegistrationRepository clientRegistrationRepository;

	@Bean
	public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
		http
			.authorizeExchange((authorize) -> authorize
				.anyExchange().authenticated()
			)
			.oauth2Login((oauth2) -> oauth2
				.authorizationRequestResolver(
					authorizationRequestResolver(this.clientRegistrationRepository)
				)
			);
		return http.build();
	}

	private ServerOAuth2AuthorizationRequestResolver authorizationRequestResolver(
			ReactiveClientRegistrationRepository clientRegistrationRepository) {

		DefaultServerOAuth2AuthorizationRequestResolver authorizationRequestResolver =
				new DefaultServerOAuth2AuthorizationRequestResolver(
						clientRegistrationRepository);
		authorizationRequestResolver.setAuthorizationRequestCustomizer(
				authorizationRequestCustomizer());

		return  authorizationRequestResolver;
	}

	private Consumer<OAuth2AuthorizationRequest.Builder> authorizationRequestCustomizer() {
		return customizer -> customizer
					.additionalParameters((params) -> params.put("prompt", "consent"));
	}
}
@Configuration
@EnableWebFluxSecurity
class SecurityConfig {

    @Autowired
    private lateinit var customClientRegistrationRepository: ReactiveClientRegistrationRepository

    @Bean
    fun securityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
        http {
            authorizeExchange {
                authorize(anyExchange, authenticated)
            }
            oauth2Login {
                authorizationRequestResolver = authorizationRequestResolver(customClientRegistrationRepository)
            }
        }

        return http.build()
    }

    private fun authorizationRequestResolver(
            clientRegistrationRepository: ReactiveClientRegistrationRepository): ServerOAuth2AuthorizationRequestResolver {
        val authorizationRequestResolver = DefaultServerOAuth2AuthorizationRequestResolver(
                clientRegistrationRepository)
        authorizationRequestResolver.setAuthorizationRequestCustomizer(
                authorizationRequestCustomizer())
        return authorizationRequestResolver
    }

    private fun authorizationRequestCustomizer(): Consumer<OAuth2AuthorizationRequest.Builder> {
        return Consumer { customizer ->
            customizer
                .additionalParameters { params -> params["prompt"] = "consent" }
        }
    }
}

對於簡單用例,如果特定提供者的附加請求引數始終相同,則可以直接在 authorization-uri 屬性中新增。

例如,如果提供者 okta 的請求引數 prompt 的值始終是 consent,則只需按如下配置即可

spring:
  security:
    oauth2:
      client:
        provider:
          okta:
            authorization-uri: https://dev-1234.oktapreview.com/oauth2/v1/authorize?prompt=consent

前面的示例展示了在標準引數之上新增自定義引數的常見用例。或者,如果您的要求更高階,您可以透過簡單地覆蓋 OAuth2AuthorizationRequest.authorizationRequestUri 屬性來完全控制構建授權請求 URI。

OAuth2AuthorizationRequest.Builder.build() 構造 OAuth2AuthorizationRequest.authorizationRequestUri,它表示授權請求 URI,包括所有使用 application/x-www-form-urlencoded 格式的查詢引數。

以下示例顯示了前面示例中 authorizationRequestCustomizer() 的變體,並覆蓋了 OAuth2AuthorizationRequest.authorizationRequestUri 屬性。

  • Java

  • Kotlin

private Consumer<OAuth2AuthorizationRequest.Builder> authorizationRequestCustomizer() {
	return customizer -> customizer
			.authorizationRequestUri((uriBuilder) -> uriBuilder
					.queryParam("prompt", "consent").build());
}
private fun authorizationRequestCustomizer(): Consumer<OAuth2AuthorizationRequest.Builder> {
    return Consumer { customizer: OAuth2AuthorizationRequest.Builder ->
        customizer
                .authorizationRequestUri { uriBuilder: UriBuilder ->
                    uriBuilder
                            .queryParam("prompt", "consent").build()
                }
    }
}

儲存授權請求

ServerAuthorizationRequestRepository 負責從授權請求發起之時到接收授權響應(回撥)之時持久化 OAuth2AuthorizationRequest

OAuth2AuthorizationRequest 用於關聯和驗證授權響應。

ServerAuthorizationRequestRepository 的預設實現是 WebSessionOAuth2ServerAuthorizationRequestRepository,它將 OAuth2AuthorizationRequest 儲存在 WebSession 中。

如果您有 ServerAuthorizationRequestRepository 的自定義實現,您可以按以下示例所示進行配置

ServerAuthorizationRequestRepository 配置

  • Java

  • Kotlin

@Configuration
@EnableWebFluxSecurity
public class OAuth2ClientSecurityConfig {

	@Bean
	public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
		http
			.oauth2Client((oauth2) -> oauth2
				.authorizationRequestRepository(this.authorizationRequestRepository())
				// ...
			);
		return http.build();
	}
}
@Configuration
@EnableWebFluxSecurity
class OAuth2ClientSecurityConfig {

    @Bean
    fun securityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
        http {
            oauth2Client {
                authorizationRequestRepository = authorizationRequestRepository()
            }
        }

        return http.build()
    }
}

請求訪問令牌

有關授權碼許可的訪問令牌請求/響應協議流程,請參閱。

授權碼許可的 ReactiveOAuth2AccessTokenResponseClient 的預設實現是 WebClientReactiveAuthorizationCodeTokenResponseClient,它使用 WebClient 在授權伺服器的令牌端點交換授權碼以獲取訪問令牌。

要自定義 WebClientReactiveAuthorizationCodeTokenResponseClient,只需像以下示例一樣提供一個 bean,它將由預設的 ReactiveOAuth2AuthorizedClientManager 自動獲取

訪問令牌響應配置

  • Java

  • Kotlin

@Bean
public ReactiveOAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> accessTokenResponseClient() {
	WebClientReactiveAuthorizationCodeTokenResponseClient accessTokenResponseClient =
		new WebClientReactiveAuthorizationCodeTokenResponseClient();
	// ...
	return accessTokenResponseClient;
}
@Bean
fun accessTokenResponseClient(): ReactiveOAuth2AccessTokenResponseClient<Authorization Code> {
	val accessTokenResponseClient = WebClientReactiveAuthorizationCodeTokenResponseClient()
	// ...
	return accessTokenResponseClient
}

WebClientReactiveAuthorizationCodeTokenResponseClient 非常靈活,並提供了多種選項來定製授權碼許可的 OAuth 2.0 訪問令牌請求和響應。從以下用例中選擇以瞭解更多資訊

自定義訪問令牌請求

WebClientReactiveAuthorizationCodeTokenResponseClient 提供了用於定製令牌請求的 HTTP 頭部和請求引數的鉤子。

自定義請求頭部

有兩種自定義 HTTP 頭部的方法

  • 透過呼叫 addHeadersConverter() 新增額外的頭部

  • 透過呼叫 setHeadersConverter() 完全自定義頭部

您可以使用 addHeadersConverter() 新增額外的頭部,而不會影響新增到每個請求的預設頭部。以下示例在 registrationIdspring 時向請求新增 User-Agent 頭部

包含額外的 HTTP 頭部

  • Java

  • Kotlin

WebClientReactiveAuthorizationCodeTokenResponseClient accessTokenResponseClient =
	new WebClientReactiveAuthorizationCodeTokenResponseClient();
accessTokenResponseClient.addHeadersConverter(grantRequest -> {
	ClientRegistration clientRegistration = grantRequest.getClientRegistration();
	HttpHeaders headers = new HttpHeaders();
	if (clientRegistration.getRegistrationId().equals("spring")) {
		headers.set(HttpHeaders.USER_AGENT, "my-user-agent");
	}
	return headers;
});
val accessTokenResponseClient = WebClientReactiveAuthorizationCodeTokenResponseClient()
accessTokenResponseClient.addHeadersConverter { grantRequest ->
	val clientRegistration = grantRequest.getClientRegistration()
	val headers = HttpHeaders()
	if (clientRegistration.getRegistrationId() == "spring") {
        headers[HttpHeaders.USER_AGENT] = "my-user-agent"
	}
	headers
}

您可以透過重新使用 DefaultOAuth2TokenRequestHeadersConverter 或使用 setHeadersConverter() 提供自定義實現來完全自定義頭部。以下示例重新使用 DefaultOAuth2TokenRequestHeadersConverter 並停用 encodeClientCredentials,以便 HTTP Basic 憑據不再使用 application/x-www-form-urlencoded 進行編碼

自定義 HTTP 頭部

  • Java

  • Kotlin

DefaultOAuth2TokenRequestHeadersConverter headersConverter =
	new DefaultOAuth2TokenRequestHeadersConverter();
headersConverter.setEncodeClientCredentials(false);

WebClientReactiveAuthorizationCodeTokenResponseClient accessTokenResponseClient =
	new WebClientReactiveAuthorizationCodeTokenResponseClient();
accessTokenResponseClient.setHeadersConverter(headersConverter);
val headersConverter = DefaultOAuth2TokenRequestHeadersConverter()
headersConverter.setEncodeClientCredentials(false)

val accessTokenResponseClient = WebClientReactiveAuthorizationCodeTokenResponseClient()
accessTokenResponseClient.setHeadersConverter(headersConverter)

自定義請求引數

有三種自定義請求引數的方法

  • 透過呼叫 addParametersConverter() 新增額外的引數

  • 透過呼叫 setParametersConverter() 覆蓋引數

  • 透過呼叫 setParametersCustomizer() 完全自定義引數

使用 setParametersConverter() 不能完全自定義引數,因為它將要求使用者自己提供所有預設引數。預設引數始終提供,但可以透過呼叫 setParametersCustomizer() 完全自定義或省略。

您可以使用 addParametersConverter() 新增額外的引數,而不會影響新增到每個請求的預設引數。以下示例在 registrationIdkeycloak 時向請求新增 audience 引數

包含額外的請求引數

  • Java

  • Kotlin

WebClientReactiveAuthorizationCodeTokenResponseClient accessTokenResponseClient =
	new WebClientReactiveAuthorizationCodeTokenResponseClient();
accessTokenResponseClient.addParametersConverter(grantRequest -> {
	ClientRegistration clientRegistration = grantRequest.getClientRegistration();
	MultiValueMap<String, String> parameters = new LinkedMultiValueMap<String, String>();
	if (clientRegistration.getRegistrationId().equals("keycloak")) {
		parameters.set(OAuth2ParameterNames.AUDIENCE, "my-audience");
	}
	return parameters;
});
val accessTokenResponseClient = WebClientReactiveAuthorizationCodeTokenResponseClient()
accessTokenResponseClient.addParametersConverter { grantRequest ->
	val clientRegistration = grantRequest.getClientRegistration()
	val parameters = LinkedMultiValueMap<String, String>()
	if (clientRegistration.getRegistrationId() == "keycloak") {
        parameters[OAuth2ParameterNames.AUDIENCE] = "my-audience"
	}
	parameters
}

您可以使用 setParametersConverter() 覆蓋預設引數。以下示例在 registrationIdokta 時覆蓋 client_id 引數

覆蓋請求引數

  • Java

  • Kotlin

WebClientReactiveAuthorizationCodeTokenResponseClient accessTokenResponseClient =
	new WebClientReactiveAuthorizationCodeTokenResponseClient();
accessTokenResponseClient.setParametersConverter(grantRequest -> {
	ClientRegistration clientRegistration = grantRequest.getClientRegistration();
	LinkedMultiValueMap<String, String> parameters = new LinkedMultiValueMap<>();
	if (clientRegistration.getRegistrationId().equals("okta")) {
		parameters.set(OAuth2ParameterNames.CLIENT_ID, "my-client");
	}
	return parameters;
});
val accessTokenResponseClient = WebClientReactiveAuthorizationCodeTokenResponseClient()
accessTokenResponseClient.setParametersConverter { grantRequest ->
    val clientRegistration = grantRequest.getClientRegistration()
	val parameters = LinkedMultiValueMap<String, String>()
	if (clientRegistration.getRegistrationId() == "okta") {
        parameters[OAuth2ParameterNames.CLIENT_ID] = "my-client"
	}
	parameters
}

您可以使用 setParametersCustomizer() 完全自定義引數(包括省略預設引數)。以下示例在請求中存在 client_assertion 引數時省略 client_id 引數

省略請求引數

  • Java

  • Kotlin

WebClientReactiveAuthorizationCodeTokenResponseClient accessTokenResponseClient =
	new WebClientReactiveAuthorizationCodeTokenResponseClient();
accessTokenResponseClient.setParametersCustomizer(parameters -> {
	if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
		parameters.remove(OAuth2ParameterNames.CLIENT_ID);
	}
});
val accessTokenResponseClient = WebClientReactiveAuthorizationCodeTokenResponseClient()
accessTokenResponseClient.setParametersCustomizer { parameters ->
	if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
		parameters.remove(OAuth2ParameterNames.CLIENT_ID)
	}
}

自定義訪問令牌響應

WebClientReactiveAuthorizationCodeTokenResponseClient 提供了用於自定義 OAuth 2.0 訪問令牌響應的鉤子。

自定義響應引數

您可以透過呼叫 setBodyExtractor() 自定義令牌響應引數到 OAuth2AccessTokenResponse 的轉換。OAuth2BodyExtractors.oauth2AccessTokenResponse() 提供的預設實現解析響應並相應地處理錯誤。

以下示例提供了自定義令牌響應引數到 OAuth2AccessTokenResponse 轉換的起點

自定義主體提取器

  • Java

  • Kotlin

WebClientReactiveAuthorizationCodeTokenResponseClient accessTokenResponseClient =
	new WebClientReactiveAuthorizationCodeTokenResponseClient();

BodyExtractor<Mono<Map<String, Object>>, ReactiveHttpInputMessage> bodyExtractor =
	BodyExtractors.toMono(new ParameterizedTypeReference<>() {});
accessTokenResponseClient.setBodyExtractor((inputMessage, context) ->
	bodyExtractor.extract(inputMessage, context)
		.map((parameters) -> parameters.withToken("custom-token")
			// ...
			.build()
		)
);
val accessTokenResponseClient = WebClientReactiveAuthorizationCodeTokenResponseClient()

val bodyExtractor = BodyExtractors.toMono(object : ParameterizedTypeReference<Map<String, Any>>() {})
accessTokenResponseClient.setBodyExtractor { inputMessage, context ->
	bodyExtractor.extract(inputMessage, context).map { parameters ->
		OAuth2AccessTokenResponse.withToken("custom-token")
			// ...
			.build()
	}
}

在提供自定義 BodyExtractor 時,您需要根據響應引數負責檢測並將 OAuth 2.0 錯誤響應轉換為帶有 OAuth2ErrorMono.error()

自定義 WebClient

或者,如果您的要求更高階,您可以透過向 setWebClient() 提供預配置的 WebClient 來完全控制請求和/或響應,如以下示例所示

自定義 WebClient

  • Java

  • Kotlin

WebClient webClient = WebClient.builder()
	// ...
	.build();

WebClientReactiveAuthorizationCodeTokenResponseClient accessTokenResponseClient =
	new WebClientReactiveAuthorizationCodeTokenResponseClient();
accessTokenResponseClient.setWebClient(webClient);
val webClient = WebClient.builder()
	// ...
	.build()

val accessTokenResponseClient = WebClientReactiveAuthorizationCodeTokenResponseClient()
accessTokenResponseClient.setWebClient(webClient)

使用 DSL 進行自定義

無論您是自定義 WebClientReactiveAuthorizationCodeTokenResponseClient 還是提供自己的 ReactiveOAuth2AccessTokenResponseClient 實現,您都可以使用 DSL 配置它(作為釋出 bean 的替代方法),如以下示例所示

透過 DSL 配置訪問令牌響應

  • Java

  • Kotlin

@Configuration
@EnableWebFluxSecurity
public class OAuth2ClientSecurityConfig {

	@Bean
	public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
		http
			.oauth2Client((oauth2) -> oauth2
				.authenticationManager(this.authorizationCodeAuthenticationManager())
				// ...
			);
		return http.build();
	}

	private ReactiveAuthenticationManager authorizationCodeAuthenticationManager() {
		WebClientReactiveAuthorizationCodeTokenResponseClient accessTokenResponseClient =
				new WebClientReactiveAuthorizationCodeTokenResponseClient();
		// ...

		return new OAuth2AuthorizationCodeReactiveAuthenticationManager(accessTokenResponseClient);
	}
}
@Configuration
@EnableWebFluxSecurity
class OAuth2ClientSecurityConfig {

    @Bean
    fun securityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
        http {
            oauth2Client {
                authenticationManager = authorizationCodeAuthenticationManager()
            }
        }

        return http.build()
    }

    private fun authorizationCodeAuthenticationManager(): ReactiveAuthenticationManager {
        val accessTokenResponseClient = WebClientReactiveAuthorizationCodeTokenResponseClient()
        // ...

        return OAuth2AuthorizationCodeReactiveAuthenticationManager(accessTokenResponseClient)
    }
}

重新整理令牌

有關重新整理令牌的更多詳細資訊,請參閱 OAuth 2.0 授權框架。

重新整理訪問令牌

有關重新整理令牌許可的訪問令牌請求/響應協議流程,請參閱。

重新整理令牌許可的 ReactiveOAuth2AccessTokenResponseClient 的預設實現是 WebClientReactiveRefreshTokenTokenResponseClient,它在授權伺服器的令牌端點重新整理訪問令牌時使用 WebClient

要自定義 WebClientReactiveRefreshTokenTokenResponseClient,只需像以下示例一樣提供一個 bean,它將由預設的 ReactiveOAuth2AuthorizedClientManager 自動獲取

訪問令牌響應配置

  • Java

  • Kotlin

@Bean
public ReactiveOAuth2AccessTokenResponseClient<OAuth2RefreshTokenGrantRequest> accessTokenResponseClient() {
	WebClientReactiveRefreshTokenTokenResponseClient accessTokenResponseClient =
		new WebClientReactiveRefreshTokenTokenResponseClient();
	// ...
	return accessTokenResponseClient;
}
@Bean
fun accessTokenResponseClient(): ReactiveOAuth2AccessTokenResponseClient<Refresh Token> {
	val accessTokenResponseClient = WebClientReactiveRefreshTokenTokenResponseClient()
	// ...
	return accessTokenResponseClient
}

WebClientReactiveRefreshTokenTokenResponseClient 非常靈活,並提供了多種選項來定製重新整理令牌許可的 OAuth 2.0 訪問令牌請求和響應。從以下用例中選擇以瞭解更多資訊

自定義訪問令牌請求

WebClientReactiveRefreshTokenTokenResponseClient 提供了用於定製令牌請求的 HTTP 頭部和請求引數的鉤子。

自定義請求頭部

有兩種自定義 HTTP 頭部的方法

  • 透過呼叫 addHeadersConverter() 新增額外的頭部

  • 透過呼叫 setHeadersConverter() 完全自定義頭部

您可以使用 addHeadersConverter() 新增額外的頭部,而不會影響新增到每個請求的預設頭部。以下示例在 registrationIdspring 時向請求新增 User-Agent 頭部

包含額外的 HTTP 頭部

  • Java

  • Kotlin

WebClientReactiveRefreshTokenTokenResponseClient accessTokenResponseClient =
	new WebClientReactiveRefreshTokenTokenResponseClient();
accessTokenResponseClient.addHeadersConverter(grantRequest -> {
	ClientRegistration clientRegistration = grantRequest.getClientRegistration();
	HttpHeaders headers = new HttpHeaders();
	if (clientRegistration.getRegistrationId().equals("spring")) {
		headers.set(HttpHeaders.USER_AGENT, "my-user-agent");
	}
	return headers;
});
val accessTokenResponseClient = WebClientReactiveRefreshTokenTokenResponseClient()
accessTokenResponseClient.addHeadersConverter { grantRequest ->
	val clientRegistration = grantRequest.getClientRegistration()
	val headers = HttpHeaders()
	if (clientRegistration.getRegistrationId() == "spring") {
        headers[HttpHeaders.USER_AGENT] = "my-user-agent"
	}
	headers
}

您可以透過重新使用 DefaultOAuth2TokenRequestHeadersConverter 或使用 setHeadersConverter() 提供自定義實現來完全自定義頭部。以下示例重新使用 DefaultOAuth2TokenRequestHeadersConverter 並停用 encodeClientCredentials,以便 HTTP Basic 憑據不再使用 application/x-www-form-urlencoded 進行編碼

自定義 HTTP 頭部

  • Java

  • Kotlin

DefaultOAuth2TokenRequestHeadersConverter headersConverter =
	new DefaultOAuth2TokenRequestHeadersConverter();
headersConverter.setEncodeClientCredentials(false);

WebClientReactiveRefreshTokenTokenResponseClient accessTokenResponseClient =
	new WebClientReactiveRefreshTokenTokenResponseClient();
accessTokenResponseClient.setHeadersConverter(headersConverter);
val headersConverter = DefaultOAuth2TokenRequestHeadersConverter()
headersConverter.setEncodeClientCredentials(false)

val accessTokenResponseClient = WebClientReactiveRefreshTokenTokenResponseClient()
accessTokenResponseClient.setHeadersConverter(headersConverter)

自定義請求引數

有三種自定義請求引數的方法

  • 透過呼叫 addParametersConverter() 新增額外的引數

  • 透過呼叫 setParametersConverter() 覆蓋引數

  • 透過呼叫 setParametersCustomizer() 完全自定義引數

使用 setParametersConverter() 不能完全自定義引數,因為它將要求使用者自己提供所有預設引數。預設引數始終提供,但可以透過呼叫 setParametersCustomizer() 完全自定義或省略。

您可以使用 addParametersConverter() 新增額外的引數,而不會影響新增到每個請求的預設引數。以下示例在 registrationIdkeycloak 時向請求新增 audience 引數

包含額外的請求引數

  • Java

  • Kotlin

WebClientReactiveRefreshTokenTokenResponseClient accessTokenResponseClient =
	new WebClientReactiveRefreshTokenTokenResponseClient();
accessTokenResponseClient.addParametersConverter(grantRequest -> {
	ClientRegistration clientRegistration = grantRequest.getClientRegistration();
	MultiValueMap<String, String> parameters = new LinkedMultiValueMap<String, String>();
	if (clientRegistration.getRegistrationId().equals("keycloak")) {
		parameters.set(OAuth2ParameterNames.AUDIENCE, "my-audience");
	}
	return parameters;
});
val accessTokenResponseClient = WebClientReactiveRefreshTokenTokenResponseClient()
accessTokenResponseClient.addParametersConverter { grantRequest ->
	val clientRegistration = grantRequest.getClientRegistration()
	val parameters = LinkedMultiValueMap<String, String>()
	if (clientRegistration.getRegistrationId() == "keycloak") {
        parameters[OAuth2ParameterNames.AUDIENCE] = "my-audience"
	}
	parameters
}

您可以使用 setParametersConverter() 覆蓋預設引數。以下示例在 registrationIdokta 時覆蓋 client_id 引數

覆蓋請求引數

  • Java

  • Kotlin

WebClientReactiveRefreshTokenTokenResponseClient accessTokenResponseClient =
	new WebClientReactiveRefreshTokenTokenResponseClient();
accessTokenResponseClient.setParametersConverter(grantRequest -> {
	ClientRegistration clientRegistration = grantRequest.getClientRegistration();
	LinkedMultiValueMap<String, String> parameters = new LinkedMultiValueMap<>();
	if (clientRegistration.getRegistrationId().equals("okta")) {
		parameters.set(OAuth2ParameterNames.CLIENT_ID, "my-client");
	}
	return parameters;
});
val accessTokenResponseClient = WebClientReactiveRefreshTokenTokenResponseClient()
accessTokenResponseClient.setParametersConverter { grantRequest ->
    val clientRegistration = grantRequest.getClientRegistration()
	val parameters = LinkedMultiValueMap<String, String>()
	if (clientRegistration.getRegistrationId() == "okta") {
        parameters[OAuth2ParameterNames.CLIENT_ID] = "my-client"
	}
	parameters
}

您可以使用 setParametersCustomizer() 完全自定義引數(包括省略預設引數)。以下示例在請求中存在 client_assertion 引數時省略 client_id 引數

省略請求引數

  • Java

  • Kotlin

WebClientReactiveRefreshTokenTokenResponseClient accessTokenResponseClient =
	new WebClientReactiveRefreshTokenTokenResponseClient();
accessTokenResponseClient.setParametersCustomizer(parameters -> {
	if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
		parameters.remove(OAuth2ParameterNames.CLIENT_ID);
	}
});
val accessTokenResponseClient = WebClientReactiveRefreshTokenTokenResponseClient()
accessTokenResponseClient.setParametersCustomizer { parameters ->
	if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
		parameters.remove(OAuth2ParameterNames.CLIENT_ID)
	}
}

自定義訪問令牌響應

WebClientReactiveRefreshTokenTokenResponseClient 提供了用於自定義 OAuth 2.0 訪問令牌響應的鉤子。

自定義響應引數

您可以透過呼叫 setBodyExtractor() 自定義令牌響應引數到 OAuth2AccessTokenResponse 的轉換。OAuth2BodyExtractors.oauth2AccessTokenResponse() 提供的預設實現解析響應並相應地處理錯誤。

以下示例提供了自定義令牌響應引數到 OAuth2AccessTokenResponse 轉換的起點

自定義主體提取器

  • Java

  • Kotlin

WebClientReactiveRefreshTokenTokenResponseClient accessTokenResponseClient =
	new WebClientReactiveRefreshTokenTokenResponseClient();

BodyExtractor<Mono<Map<String, Object>>, ReactiveHttpInputMessage> bodyExtractor =
	BodyExtractors.toMono(new ParameterizedTypeReference<>() {});
accessTokenResponseClient.setBodyExtractor((inputMessage, context) ->
	bodyExtractor.extract(inputMessage, context)
		.map((parameters) -> parameters.withToken("custom-token")
			// ...
			.build()
		)
);
val accessTokenResponseClient = WebClientReactiveRefreshTokenTokenResponseClient()

val bodyExtractor = BodyExtractors.toMono(object : ParameterizedTypeReference<Map<String, Any>>() {})
accessTokenResponseClient.setBodyExtractor { inputMessage, context ->
	bodyExtractor.extract(inputMessage, context).map { parameters ->
		OAuth2AccessTokenResponse.withToken("custom-token")
			// ...
			.build()
	}
}

在提供自定義 BodyExtractor 時,您需要根據響應引數負責檢測並將 OAuth 2.0 錯誤響應轉換為帶有 OAuth2ErrorMono.error()

自定義 WebClient

或者,如果您的要求更高階,您可以透過向 setWebClient() 提供預配置的 WebClient 來完全控制請求和/或響應,如以下示例所示

自定義 WebClient

  • Java

  • Kotlin

WebClient webClient = WebClient.builder()
	// ...
	.build();

WebClientReactiveRefreshTokenTokenResponseClient accessTokenResponseClient =
	new WebClientReactiveRefreshTokenTokenResponseClient();
accessTokenResponseClient.setWebClient(webClient);
val webClient = WebClient.builder()
	// ...
	.build()

val accessTokenResponseClient = WebClientReactiveRefreshTokenTokenResponseClient()
accessTokenResponseClient.setWebClient(webClient)

使用構建器自定義

無論您是自定義 WebClientReactiveRefreshTokenTokenResponseClient 還是提供自己的 ReactiveOAuth2AccessTokenResponseClient 實現,您都可以使用 ReactiveOAuth2AuthorizedClientProviderBuilder 配置它(作為釋出 bean 的替代方法),如下所示

透過構建器配置訪問令牌響應

  • Java

  • Kotlin

// Customize
ReactiveOAuth2AccessTokenResponseClient<OAuth2RefreshTokenGrantRequest> refreshTokenTokenResponseClient = ...

ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
		ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
				.authorizationCode()
				.refreshToken((configurer) -> configurer.accessTokenResponseClient(refreshTokenTokenResponseClient))
				.build();

// ...

authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
// Customize
val refreshTokenTokenResponseClient: ReactiveOAuth2AccessTokenResponseClient<OAuth2RefreshTokenGrantRequest> = ...

val authorizedClientProvider: ReactiveOAuth2AuthorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
        .authorizationCode()
        .refreshToken { it.accessTokenResponseClient(refreshTokenTokenResponseClient) }
        .build()

// ...

authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)

ReactiveOAuth2AuthorizedClientProviderBuilder.builder().refreshToken() 配置 RefreshTokenReactiveOAuth2AuthorizedClientProvider,它是重新整理令牌許可的 ReactiveOAuth2AuthorizedClientProvider 實現。

OAuth2RefreshToken 可選地在 authorization_code 許可型別的訪問令牌響應中返回。如果 OAuth2AuthorizedClient.getRefreshToken() 可用且 OAuth2AuthorizedClient.getAccessToken() 已過期,它將由 RefreshTokenReactiveOAuth2AuthorizedClientProvider 自動重新整理。

客戶端憑據

有關客戶端憑據許可的更多詳細資訊,請參閱 OAuth 2.0 授權框架。

請求訪問令牌

有關客戶端憑據許可的訪問令牌請求/響應協議流程,請參閱。

客戶端憑據許可的 ReactiveOAuth2AccessTokenResponseClient 的預設實現是 WebClientReactiveClientCredentialsTokenResponseClient,它在授權伺服器的令牌端點請求訪問令牌時使用 WebClient

要自定義 WebClientReactiveClientCredentialsTokenResponseClient,只需像以下示例一樣提供一個 bean,它將由預設的 ReactiveOAuth2AuthorizedClientManager 自動獲取

訪問令牌響應配置

  • Java

  • Kotlin

@Bean
public ReactiveOAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> accessTokenResponseClient() {
	WebClientReactiveClientCredentialsTokenResponseClient accessTokenResponseClient =
		new WebClientReactiveClientCredentialsTokenResponseClient();
	// ...
	return accessTokenResponseClient;
}
@Bean
fun accessTokenResponseClient(): ReactiveOAuth2AccessTokenResponseClient<Client Credentials> {
	val accessTokenResponseClient = WebClientReactiveClientCredentialsTokenResponseClient()
	// ...
	return accessTokenResponseClient
}

WebClientReactiveClientCredentialsTokenResponseClient 非常靈活,並提供了多種選項來定製客戶端憑據許可的 OAuth 2.0 訪問令牌請求和響應。從以下用例中選擇以瞭解更多資訊

自定義訪問令牌請求

WebClientReactiveClientCredentialsTokenResponseClient 提供了用於定製令牌請求的 HTTP 頭部和請求引數的鉤子。

自定義請求頭部

有兩種自定義 HTTP 頭部的方法

  • 透過呼叫 addHeadersConverter() 新增額外的頭部

  • 透過呼叫 setHeadersConverter() 完全自定義頭部

您可以使用 addHeadersConverter() 新增額外的頭部,而不會影響新增到每個請求的預設頭部。以下示例在 registrationIdspring 時向請求新增 User-Agent 頭部

包含額外的 HTTP 頭部

  • Java

  • Kotlin

WebClientReactiveClientCredentialsTokenResponseClient accessTokenResponseClient =
	new WebClientReactiveClientCredentialsTokenResponseClient();
accessTokenResponseClient.addHeadersConverter(grantRequest -> {
	ClientRegistration clientRegistration = grantRequest.getClientRegistration();
	HttpHeaders headers = new HttpHeaders();
	if (clientRegistration.getRegistrationId().equals("spring")) {
		headers.set(HttpHeaders.USER_AGENT, "my-user-agent");
	}
	return headers;
});
val accessTokenResponseClient = WebClientReactiveClientCredentialsTokenResponseClient()
accessTokenResponseClient.addHeadersConverter { grantRequest ->
	val clientRegistration = grantRequest.getClientRegistration()
	val headers = HttpHeaders()
	if (clientRegistration.getRegistrationId() == "spring") {
        headers[HttpHeaders.USER_AGENT] = "my-user-agent"
	}
	headers
}

您可以透過重新使用 DefaultOAuth2TokenRequestHeadersConverter 或使用 setHeadersConverter() 提供自定義實現來完全自定義頭部。以下示例重新使用 DefaultOAuth2TokenRequestHeadersConverter 並停用 encodeClientCredentials,以便 HTTP Basic 憑據不再使用 application/x-www-form-urlencoded 進行編碼

自定義 HTTP 頭部

  • Java

  • Kotlin

DefaultOAuth2TokenRequestHeadersConverter headersConverter =
	new DefaultOAuth2TokenRequestHeadersConverter();
headersConverter.setEncodeClientCredentials(false);

WebClientReactiveClientCredentialsTokenResponseClient accessTokenResponseClient =
	new WebClientReactiveClientCredentialsTokenResponseClient();
accessTokenResponseClient.setHeadersConverter(headersConverter);
val headersConverter = DefaultOAuth2TokenRequestHeadersConverter()
headersConverter.setEncodeClientCredentials(false)

val accessTokenResponseClient = WebClientReactiveClientCredentialsTokenResponseClient()
accessTokenResponseClient.setHeadersConverter(headersConverter)

自定義請求引數

有三種自定義請求引數的方法

  • 透過呼叫 addParametersConverter() 新增額外的引數

  • 透過呼叫 setParametersConverter() 覆蓋引數

  • 透過呼叫 setParametersCustomizer() 完全自定義引數

使用 setParametersConverter() 不能完全自定義引數,因為它將要求使用者自己提供所有預設引數。預設引數始終提供,但可以透過呼叫 setParametersCustomizer() 完全自定義或省略。

您可以使用 addParametersConverter() 新增額外的引數,而不會影響新增到每個請求的預設引數。以下示例在 registrationIdkeycloak 時向請求新增 audience 引數

包含額外的請求引數

  • Java

  • Kotlin

WebClientReactiveClientCredentialsTokenResponseClient accessTokenResponseClient =
	new WebClientReactiveClientCredentialsTokenResponseClient();
accessTokenResponseClient.addParametersConverter(grantRequest -> {
	ClientRegistration clientRegistration = grantRequest.getClientRegistration();
	MultiValueMap<String, String> parameters = new LinkedMultiValueMap<String, String>();
	if (clientRegistration.getRegistrationId().equals("keycloak")) {
		parameters.set(OAuth2ParameterNames.AUDIENCE, "my-audience");
	}
	return parameters;
});
val accessTokenResponseClient = WebClientReactiveClientCredentialsTokenResponseClient()
accessTokenResponseClient.addParametersConverter { grantRequest ->
	val clientRegistration = grantRequest.getClientRegistration()
	val parameters = LinkedMultiValueMap<String, String>()
	if (clientRegistration.getRegistrationId() == "keycloak") {
        parameters[OAuth2ParameterNames.AUDIENCE] = "my-audience"
	}
	parameters
}

您可以使用 setParametersConverter() 覆蓋預設引數。以下示例在 registrationIdokta 時覆蓋 client_id 引數

覆蓋請求引數

  • Java

  • Kotlin

WebClientReactiveClientCredentialsTokenResponseClient accessTokenResponseClient =
	new WebClientReactiveClientCredentialsTokenResponseClient();
accessTokenResponseClient.setParametersConverter(grantRequest -> {
	ClientRegistration clientRegistration = grantRequest.getClientRegistration();
	LinkedMultiValueMap<String, String> parameters = new LinkedMultiValueMap<>();
	if (clientRegistration.getRegistrationId().equals("okta")) {
		parameters.set(OAuth2ParameterNames.CLIENT_ID, "my-client");
	}
	return parameters;
});
val accessTokenResponseClient = WebClientReactiveClientCredentialsTokenResponseClient()
accessTokenResponseClient.setParametersConverter { grantRequest ->
    val clientRegistration = grantRequest.getClientRegistration()
	val parameters = LinkedMultiValueMap<String, String>()
	if (clientRegistration.getRegistrationId() == "okta") {
        parameters[OAuth2ParameterNames.CLIENT_ID] = "my-client"
	}
	parameters
}

您可以使用 setParametersCustomizer() 完全自定義引數(包括省略預設引數)。以下示例在請求中存在 client_assertion 引數時省略 client_id 引數

省略請求引數

  • Java

  • Kotlin

WebClientReactiveClientCredentialsTokenResponseClient accessTokenResponseClient =
	new WebClientReactiveClientCredentialsTokenResponseClient();
accessTokenResponseClient.setParametersCustomizer(parameters -> {
	if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
		parameters.remove(OAuth2ParameterNames.CLIENT_ID);
	}
});
val accessTokenResponseClient = WebClientReactiveClientCredentialsTokenResponseClient()
accessTokenResponseClient.setParametersCustomizer { parameters ->
	if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
		parameters.remove(OAuth2ParameterNames.CLIENT_ID)
	}
}

自定義訪問令牌響應

WebClientReactiveClientCredentialsTokenResponseClient 提供了用於自定義 OAuth 2.0 訪問令牌響應的鉤子。

自定義響應引數

您可以透過呼叫 setBodyExtractor() 自定義令牌響應引數到 OAuth2AccessTokenResponse 的轉換。OAuth2BodyExtractors.oauth2AccessTokenResponse() 提供的預設實現解析響應並相應地處理錯誤。

以下示例提供了自定義令牌響應引數到 OAuth2AccessTokenResponse 轉換的起點

自定義主體提取器

  • Java

  • Kotlin

WebClientReactiveClientCredentialsTokenResponseClient accessTokenResponseClient =
	new WebClientReactiveClientCredentialsTokenResponseClient();

BodyExtractor<Mono<Map<String, Object>>, ReactiveHttpInputMessage> bodyExtractor =
	BodyExtractors.toMono(new ParameterizedTypeReference<>() {});
accessTokenResponseClient.setBodyExtractor((inputMessage, context) ->
	bodyExtractor.extract(inputMessage, context)
		.map((parameters) -> parameters.withToken("custom-token")
			// ...
			.build()
		)
);
val accessTokenResponseClient = WebClientReactiveClientCredentialsTokenResponseClient()

val bodyExtractor = BodyExtractors.toMono(object : ParameterizedTypeReference<Map<String, Any>>() {})
accessTokenResponseClient.setBodyExtractor { inputMessage, context ->
	bodyExtractor.extract(inputMessage, context).map { parameters ->
		OAuth2AccessTokenResponse.withToken("custom-token")
			// ...
			.build()
	}
}

在提供自定義 BodyExtractor 時,您需要根據響應引數負責檢測並將 OAuth 2.0 錯誤響應轉換為帶有 OAuth2ErrorMono.error()

自定義 WebClient

或者,如果您的要求更高階,您可以透過向 setWebClient() 提供預配置的 WebClient 來完全控制請求和/或響應,如以下示例所示

自定義 WebClient

  • Java

  • Kotlin

WebClient webClient = WebClient.builder()
	// ...
	.build();

WebClientReactiveClientCredentialsTokenResponseClient accessTokenResponseClient =
	new WebClientReactiveClientCredentialsTokenResponseClient();
accessTokenResponseClient.setWebClient(webClient);
val webClient = WebClient.builder()
	// ...
	.build()

val accessTokenResponseClient = WebClientReactiveClientCredentialsTokenResponseClient()
accessTokenResponseClient.setWebClient(webClient)

使用構建器自定義

無論您是自定義 WebClientReactiveClientCredentialsTokenResponseClient 還是提供自己的 ReactiveOAuth2AccessTokenResponseClient 實現,您都可以使用 ReactiveOAuth2AuthorizedClientProviderBuilder 配置它(作為釋出 bean 的替代方法),如下所示

透過構建器配置訪問令牌響應

  • Java

  • Kotlin

// Customize
ReactiveOAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> clientCredentialsTokenResponseClient = ...

ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
		ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
				.clientCredentials((configurer) -> configurer.accessTokenResponseClient(clientCredentialsTokenResponseClient))
				.build();

// ...

authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
// Customize
val clientCredentialsTokenResponseClient: ReactiveOAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> = ...

val authorizedClientProvider: ReactiveOAuth2AuthorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
        .clientCredentials { it.accessTokenResponseClient(clientCredentialsTokenResponseClient) }
        .build()

// ...

authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)

ReactiveOAuth2AuthorizedClientProviderBuilder.builder().clientCredentials() 配置 ClientCredentialsReactiveOAuth2AuthorizedClientProvider,它是客戶端憑據許可的 ReactiveOAuth2AuthorizedClientProvider 實現。

使用訪問令牌

給定以下 OAuth 2.0 客戶端註冊的 Spring Boot 屬性

spring:
  security:
    oauth2:
      client:
        registration:
          okta:
            client-id: okta-client-id
            client-secret: okta-client-secret
            authorization-grant-type: client_credentials
            scope: read, write
        provider:
          okta:
            token-uri: https://dev-1234.oktapreview.com/oauth2/v1/token

…​以及 ReactiveOAuth2AuthorizedClientManager @Bean

  • Java

  • Kotlin

@Bean
public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
		ReactiveClientRegistrationRepository clientRegistrationRepository,
		ServerOAuth2AuthorizedClientRepository authorizedClientRepository) {

	ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
			ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
					.clientCredentials()
					.build();

	DefaultReactiveOAuth2AuthorizedClientManager authorizedClientManager =
			new DefaultReactiveOAuth2AuthorizedClientManager(
					clientRegistrationRepository, authorizedClientRepository);
	authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);

	return authorizedClientManager;
}
@Bean
fun authorizedClientManager(
        clientRegistrationRepository: ReactiveClientRegistrationRepository,
        authorizedClientRepository: ServerOAuth2AuthorizedClientRepository): ReactiveOAuth2AuthorizedClientManager {
    val authorizedClientProvider: ReactiveOAuth2AuthorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
            .clientCredentials()
            .build()
    val authorizedClientManager = DefaultReactiveOAuth2AuthorizedClientManager(
            clientRegistrationRepository, authorizedClientRepository)
    authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
    return authorizedClientManager
}

您可以按如下方式獲取 OAuth2AccessToken

  • Java

  • Kotlin

@Controller
public class OAuth2ClientController {

	@Autowired
	private ReactiveOAuth2AuthorizedClientManager authorizedClientManager;

	@GetMapping("/")
	public Mono<String> index(Authentication authentication, ServerWebExchange exchange) {
		OAuth2AuthorizeRequest authorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
				.principal(authentication)
				.attribute(ServerWebExchange.class.getName(), exchange)
				.build();

		return this.authorizedClientManager.authorize(authorizeRequest)
				.map(OAuth2AuthorizedClient::getAccessToken)
				// ...
				.thenReturn("index");
	}
}
class OAuth2ClientController {

    @Autowired
    private lateinit var authorizedClientManager: ReactiveOAuth2AuthorizedClientManager

    @GetMapping("/")
    fun index(authentication: Authentication, exchange: ServerWebExchange): Mono<String> {
        val authorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
                .principal(authentication)
                .attribute(ServerWebExchange::class.java.name, exchange)
                .build()

        return authorizedClientManager.authorize(authorizeRequest)
                .map { it.accessToken }
                // ...
                .thenReturn("index")
    }
}

ServerWebExchange 是一個可選屬性。如果未提供,它將透過鍵 ServerWebExchange.classReactor 的上下文中獲取。

JWT 持有者

有關JWT 持有者許可的更多詳細資訊,請參閱 OAuth 2.0 客戶端認證和授權許可的 JSON Web Token (JWT) 配置檔案。

請求訪問令牌

有關 JWT 持有者許可的訪問令牌請求/響應協議流程,請參閱。

JWT 持有者許可的 ReactiveOAuth2AccessTokenResponseClient 的預設實現是 WebClientReactiveJwtBearerTokenResponseClient,它在授權伺服器的令牌端點請求訪問令牌時使用 WebClient

要自定義 WebClientReactiveJwtBearerTokenResponseClient,只需像以下示例一樣提供一個 bean,它將由預設的 ReactiveOAuth2AuthorizedClientManager 自動獲取

訪問令牌響應配置

  • Java

  • Kotlin

@Bean
public ReactiveOAuth2AccessTokenResponseClient<JwtBearerGrantRequest> accessTokenResponseClient() {
	WebClientReactiveJwtBearerTokenResponseClient accessTokenResponseClient =
		new WebClientReactiveJwtBearerTokenResponseClient();
	// ...
	return accessTokenResponseClient;
}
@Bean
fun accessTokenResponseClient(): ReactiveOAuth2AccessTokenResponseClient<JWT Bearer> {
	val accessTokenResponseClient = WebClientReactiveJwtBearerTokenResponseClient()
	// ...
	return accessTokenResponseClient
}

WebClientReactiveJwtBearerTokenResponseClient 非常靈活,並提供了多種選項來定製 JWT 持有者許可的 OAuth 2.0 訪問令牌請求和響應。從以下用例中選擇以瞭解更多資訊

自定義訪問令牌請求

WebClientReactiveJwtBearerTokenResponseClient 提供了用於定製令牌請求的 HTTP 頭部和請求引數的鉤子。

自定義請求頭部

有兩種自定義 HTTP 頭部的方法

  • 透過呼叫 addHeadersConverter() 新增額外的頭部

  • 透過呼叫 setHeadersConverter() 完全自定義頭部

您可以使用 addHeadersConverter() 新增額外的頭部,而不會影響新增到每個請求的預設頭部。以下示例在 registrationIdspring 時向請求新增 User-Agent 頭部

包含額外的 HTTP 頭部

  • Java

  • Kotlin

WebClientReactiveJwtBearerTokenResponseClient accessTokenResponseClient =
	new WebClientReactiveJwtBearerTokenResponseClient();
accessTokenResponseClient.addHeadersConverter(grantRequest -> {
	ClientRegistration clientRegistration = grantRequest.getClientRegistration();
	HttpHeaders headers = new HttpHeaders();
	if (clientRegistration.getRegistrationId().equals("spring")) {
		headers.set(HttpHeaders.USER_AGENT, "my-user-agent");
	}
	return headers;
});
val accessTokenResponseClient = WebClientReactiveJwtBearerTokenResponseClient()
accessTokenResponseClient.addHeadersConverter { grantRequest ->
	val clientRegistration = grantRequest.getClientRegistration()
	val headers = HttpHeaders()
	if (clientRegistration.getRegistrationId() == "spring") {
        headers[HttpHeaders.USER_AGENT] = "my-user-agent"
	}
	headers
}

您可以透過重新使用 DefaultOAuth2TokenRequestHeadersConverter 或使用 setHeadersConverter() 提供自定義實現來完全自定義頭部。以下示例重新使用 DefaultOAuth2TokenRequestHeadersConverter 並停用 encodeClientCredentials,以便 HTTP Basic 憑據不再使用 application/x-www-form-urlencoded 進行編碼

自定義 HTTP 頭部

  • Java

  • Kotlin

DefaultOAuth2TokenRequestHeadersConverter headersConverter =
	new DefaultOAuth2TokenRequestHeadersConverter();
headersConverter.setEncodeClientCredentials(false);

WebClientReactiveJwtBearerTokenResponseClient accessTokenResponseClient =
	new WebClientReactiveJwtBearerTokenResponseClient();
accessTokenResponseClient.setHeadersConverter(headersConverter);
val headersConverter = DefaultOAuth2TokenRequestHeadersConverter()
headersConverter.setEncodeClientCredentials(false)

val accessTokenResponseClient = WebClientReactiveJwtBearerTokenResponseClient()
accessTokenResponseClient.setHeadersConverter(headersConverter)

自定義請求引數

有三種自定義請求引數的方法

  • 透過呼叫 addParametersConverter() 新增額外的引數

  • 透過呼叫 setParametersConverter() 覆蓋引數

  • 透過呼叫 setParametersCustomizer() 完全自定義引數

使用 setParametersConverter() 不能完全自定義引數,因為它將要求使用者自己提供所有預設引數。預設引數始終提供,但可以透過呼叫 setParametersCustomizer() 完全自定義或省略。

您可以使用 addParametersConverter() 新增額外的引數,而不會影響新增到每個請求的預設引數。以下示例在 registrationIdkeycloak 時向請求新增 audience 引數

包含額外的請求引數

  • Java

  • Kotlin

WebClientReactiveJwtBearerTokenResponseClient accessTokenResponseClient =
	new WebClientReactiveJwtBearerTokenResponseClient();
accessTokenResponseClient.addParametersConverter(grantRequest -> {
	ClientRegistration clientRegistration = grantRequest.getClientRegistration();
	MultiValueMap<String, String> parameters = new LinkedMultiValueMap<String, String>();
	if (clientRegistration.getRegistrationId().equals("keycloak")) {
		parameters.set(OAuth2ParameterNames.AUDIENCE, "my-audience");
	}
	return parameters;
});
val accessTokenResponseClient = WebClientReactiveJwtBearerTokenResponseClient()
accessTokenResponseClient.addParametersConverter { grantRequest ->
	val clientRegistration = grantRequest.getClientRegistration()
	val parameters = LinkedMultiValueMap<String, String>()
	if (clientRegistration.getRegistrationId() == "keycloak") {
        parameters[OAuth2ParameterNames.AUDIENCE] = "my-audience"
	}
	parameters
}

您可以使用 setParametersConverter() 覆蓋預設引數。以下示例在 registrationIdokta 時覆蓋 client_id 引數

覆蓋請求引數

  • Java

  • Kotlin

WebClientReactiveJwtBearerTokenResponseClient accessTokenResponseClient =
	new WebClientReactiveJwtBearerTokenResponseClient();
accessTokenResponseClient.setParametersConverter(grantRequest -> {
	ClientRegistration clientRegistration = grantRequest.getClientRegistration();
	LinkedMultiValueMap<String, String> parameters = new LinkedMultiValueMap<>();
	if (clientRegistration.getRegistrationId().equals("okta")) {
		parameters.set(OAuth2ParameterNames.CLIENT_ID, "my-client");
	}
	return parameters;
});
val accessTokenResponseClient = WebClientReactiveJwtBearerTokenResponseClient()
accessTokenResponseClient.setParametersConverter { grantRequest ->
    val clientRegistration = grantRequest.getClientRegistration()
	val parameters = LinkedMultiValueMap<String, String>()
	if (clientRegistration.getRegistrationId() == "okta") {
        parameters[OAuth2ParameterNames.CLIENT_ID] = "my-client"
	}
	parameters
}

您可以使用 setParametersCustomizer() 完全自定義引數(包括省略預設引數)。以下示例在請求中存在 client_assertion 引數時省略 client_id 引數

省略請求引數

  • Java

  • Kotlin

WebClientReactiveJwtBearerTokenResponseClient accessTokenResponseClient =
	new WebClientReactiveJwtBearerTokenResponseClient();
accessTokenResponseClient.setParametersCustomizer(parameters -> {
	if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
		parameters.remove(OAuth2ParameterNames.CLIENT_ID);
	}
});
val accessTokenResponseClient = WebClientReactiveJwtBearerTokenResponseClient()
accessTokenResponseClient.setParametersCustomizer { parameters ->
	if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
		parameters.remove(OAuth2ParameterNames.CLIENT_ID)
	}
}

自定義訪問令牌響應

WebClientReactiveJwtBearerTokenResponseClient 提供了用於自定義 OAuth 2.0 訪問令牌響應的鉤子。

自定義響應引數

您可以透過呼叫 setBodyExtractor() 自定義令牌響應引數到 OAuth2AccessTokenResponse 的轉換。OAuth2BodyExtractors.oauth2AccessTokenResponse() 提供的預設實現解析響應並相應地處理錯誤。

以下示例提供了自定義令牌響應引數到 OAuth2AccessTokenResponse 轉換的起點

自定義主體提取器

  • Java

  • Kotlin

WebClientReactiveJwtBearerTokenResponseClient accessTokenResponseClient =
	new WebClientReactiveJwtBearerTokenResponseClient();

BodyExtractor<Mono<Map<String, Object>>, ReactiveHttpInputMessage> bodyExtractor =
	BodyExtractors.toMono(new ParameterizedTypeReference<>() {});
accessTokenResponseClient.setBodyExtractor((inputMessage, context) ->
	bodyExtractor.extract(inputMessage, context)
		.map((parameters) -> parameters.withToken("custom-token")
			// ...
			.build()
		)
);
val accessTokenResponseClient = WebClientReactiveJwtBearerTokenResponseClient()

val bodyExtractor = BodyExtractors.toMono(object : ParameterizedTypeReference<Map<String, Any>>() {})
accessTokenResponseClient.setBodyExtractor { inputMessage, context ->
	bodyExtractor.extract(inputMessage, context).map { parameters ->
		OAuth2AccessTokenResponse.withToken("custom-token")
			// ...
			.build()
	}
}

在提供自定義 BodyExtractor 時,您需要根據響應引數負責檢測並將 OAuth 2.0 錯誤響應轉換為帶有 OAuth2ErrorMono.error()

自定義 WebClient

或者,如果您的要求更高階,您可以透過向 setWebClient() 提供預配置的 WebClient 來完全控制請求和/或響應,如以下示例所示

自定義 WebClient

  • Java

  • Kotlin

WebClient webClient = WebClient.builder()
	// ...
	.build();

WebClientReactiveJwtBearerTokenResponseClient accessTokenResponseClient =
	new WebClientReactiveJwtBearerTokenResponseClient();
accessTokenResponseClient.setWebClient(webClient);
val webClient = WebClient.builder()
	// ...
	.build()

val accessTokenResponseClient = WebClientReactiveJwtBearerTokenResponseClient()
accessTokenResponseClient.setWebClient(webClient)

使用構建器自定義

無論您是自定義 WebClientReactiveJwtBearerTokenResponseClient 還是提供自己的 ReactiveOAuth2AccessTokenResponseClient 實現,您都可以使用 ReactiveOAuth2AuthorizedClientProviderBuilder 配置它(作為釋出 bean 的替代方法),如下所示

透過構建器配置訪問令牌響應

  • Java

  • Kotlin

// Customize
ReactiveOAuth2AccessTokenResponseClient<JwtBearerGrantRequest> jwtBearerTokenResponseClient = ...

JwtBearerReactiveOAuth2AuthorizedClientProvider jwtBearerAuthorizedClientProvider = new JwtBearerReactiveOAuth2AuthorizedClientProvider();
jwtBearerAuthorizedClientProvider.setAccessTokenResponseClient(jwtBearerTokenResponseClient);

ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
		ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
				.provider(jwtBearerAuthorizedClientProvider)
				.build();

// ...

authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
// Customize
val jwtBearerTokenResponseClient: ReactiveOAuth2AccessTokenResponseClient<JwtBearerGrantRequest> = ...

val jwtBearerAuthorizedClientProvider = JwtBearerReactiveOAuth2AuthorizedClientProvider()
jwtBearerAuthorizedClientProvider.setAccessTokenResponseClient(jwtBearerTokenResponseClient)

val authorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
        .provider(jwtBearerAuthorizedClientProvider)
        .build()

// ...

authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)

使用訪問令牌

給定以下 OAuth 2.0 客戶端註冊的 Spring Boot 屬性

spring:
  security:
    oauth2:
      client:
        registration:
          okta:
            client-id: okta-client-id
            client-secret: okta-client-secret
            authorization-grant-type: urn:ietf:params:oauth:grant-type:jwt-bearer
            scope: read
        provider:
          okta:
            token-uri: https://dev-1234.oktapreview.com/oauth2/v1/token

…​以及 OAuth2AuthorizedClientManager @Bean

  • Java

  • Kotlin

@Bean
public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
		ReactiveClientRegistrationRepository clientRegistrationRepository,
		ServerOAuth2AuthorizedClientRepository authorizedClientRepository) {

	JwtBearerReactiveOAuth2AuthorizedClientProvider jwtBearerAuthorizedClientProvider =
			new JwtBearerReactiveOAuth2AuthorizedClientProvider();

	ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
			ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
					.provider(jwtBearerAuthorizedClientProvider)
					.build();

	DefaultReactiveOAuth2AuthorizedClientManager authorizedClientManager =
			new DefaultReactiveOAuth2AuthorizedClientManager(
					clientRegistrationRepository, authorizedClientRepository);
	authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);

	return authorizedClientManager;
}
@Bean
fun authorizedClientManager(
        clientRegistrationRepository: ReactiveClientRegistrationRepository,
        authorizedClientRepository: ServerOAuth2AuthorizedClientRepository): ReactiveOAuth2AuthorizedClientManager {
    val jwtBearerAuthorizedClientProvider = JwtBearerReactiveOAuth2AuthorizedClientProvider()
    val authorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
            .provider(jwtBearerAuthorizedClientProvider)
            .build()
    val authorizedClientManager = DefaultReactiveOAuth2AuthorizedClientManager(
            clientRegistrationRepository, authorizedClientRepository)
    authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
    return authorizedClientManager
}

您可以按如下方式獲取 OAuth2AccessToken

  • Java

  • Kotlin

@RestController
public class OAuth2ResourceServerController {

	@Autowired
	private ReactiveOAuth2AuthorizedClientManager authorizedClientManager;

	@GetMapping("/resource")
	public Mono<String> resource(JwtAuthenticationToken jwtAuthentication, ServerWebExchange exchange) {
		OAuth2AuthorizeRequest authorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
				.principal(jwtAuthentication)
				.build();

		return this.authorizedClientManager.authorize(authorizeRequest)
				.map(OAuth2AuthorizedClient::getAccessToken)
				// ...
				.thenReturn("index");
	}
}
class OAuth2ResourceServerController {

    @Autowired
    private lateinit var authorizedClientManager: ReactiveOAuth2AuthorizedClientManager

    @GetMapping("/resource")
    fun resource(jwtAuthentication: JwtAuthenticationToken, exchange: ServerWebExchange): Mono<String> {
        val authorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
                .principal(jwtAuthentication)
                .build()
        return authorizedClientManager.authorize(authorizeRequest)
                .map { it.accessToken }
                // ...
                .thenReturn("index")
    }
}

JwtBearerReactiveOAuth2AuthorizedClientProvider 預設透過 OAuth2AuthorizationContext.getPrincipal().getPrincipal() 解析 Jwt 斷言,因此在前面的示例中使用了 JwtAuthenticationToken

如果您需要從其他來源解析 Jwt 斷言,您可以為 JwtBearerReactiveOAuth2AuthorizedClientProvider.setJwtAssertionResolver() 提供自定義的 Function<OAuth2AuthorizationContext, Mono<Jwt>>

令牌交換

有關令牌交換許可的更多詳細資訊,請參閱 OAuth 2.0 令牌交換。

請求訪問令牌

有關令牌交換許可的令牌交換請求和響應協議流程,請參閱。

令牌交換許可的 ReactiveOAuth2AccessTokenResponseClient 的預設實現是 WebClientReactiveTokenExchangeTokenResponseClient,它在授權伺服器的令牌端點請求訪問令牌時使用 WebClient

要自定義 WebClientReactiveTokenExchangeTokenResponseClient,只需像以下示例一樣提供一個 bean,它將由預設的 ReactiveOAuth2AuthorizedClientManager 自動獲取

訪問令牌響應配置

  • Java

  • Kotlin

@Bean
public ReactiveOAuth2AccessTokenResponseClient<TokenExchangeGrantRequest> accessTokenResponseClient() {
	WebClientReactiveTokenExchangeTokenResponseClient accessTokenResponseClient =
		new WebClientReactiveTokenExchangeTokenResponseClient();
	// ...
	return accessTokenResponseClient;
}
@Bean
fun accessTokenResponseClient(): ReactiveOAuth2AccessTokenResponseClient<Token Exchange> {
	val accessTokenResponseClient = WebClientReactiveTokenExchangeTokenResponseClient()
	// ...
	return accessTokenResponseClient
}

WebClientReactiveTokenExchangeTokenResponseClient 非常靈活,並提供了多種選項來定製令牌交換許可的 OAuth 2.0 訪問令牌請求和響應。從以下用例中選擇以瞭解更多資訊

自定義訪問令牌請求

WebClientReactiveTokenExchangeTokenResponseClient 提供了用於定製令牌請求的 HTTP 頭部和請求引數的鉤子。

自定義請求頭部

有兩種自定義 HTTP 頭部的方法

  • 透過呼叫 addHeadersConverter() 新增額外的頭部

  • 透過呼叫 setHeadersConverter() 完全自定義頭部

您可以使用 addHeadersConverter() 新增額外的頭部,而不會影響新增到每個請求的預設頭部。以下示例在 registrationIdspring 時向請求新增 User-Agent 頭部

包含額外的 HTTP 頭部

  • Java

  • Kotlin

WebClientReactiveTokenExchangeTokenResponseClient accessTokenResponseClient =
	new WebClientReactiveTokenExchangeTokenResponseClient();
accessTokenResponseClient.addHeadersConverter(grantRequest -> {
	ClientRegistration clientRegistration = grantRequest.getClientRegistration();
	HttpHeaders headers = new HttpHeaders();
	if (clientRegistration.getRegistrationId().equals("spring")) {
		headers.set(HttpHeaders.USER_AGENT, "my-user-agent");
	}
	return headers;
});
val accessTokenResponseClient = WebClientReactiveTokenExchangeTokenResponseClient()
accessTokenResponseClient.addHeadersConverter { grantRequest ->
	val clientRegistration = grantRequest.getClientRegistration()
	val headers = HttpHeaders()
	if (clientRegistration.getRegistrationId() == "spring") {
        headers[HttpHeaders.USER_AGENT] = "my-user-agent"
	}
	headers
}

您可以透過重新使用 DefaultOAuth2TokenRequestHeadersConverter 或使用 setHeadersConverter() 提供自定義實現來完全自定義頭部。以下示例重新使用 DefaultOAuth2TokenRequestHeadersConverter 並停用 encodeClientCredentials,以便 HTTP Basic 憑據不再使用 application/x-www-form-urlencoded 進行編碼

自定義 HTTP 頭部

  • Java

  • Kotlin

DefaultOAuth2TokenRequestHeadersConverter headersConverter =
	new DefaultOAuth2TokenRequestHeadersConverter();
headersConverter.setEncodeClientCredentials(false);

WebClientReactiveTokenExchangeTokenResponseClient accessTokenResponseClient =
	new WebClientReactiveTokenExchangeTokenResponseClient();
accessTokenResponseClient.setHeadersConverter(headersConverter);
val headersConverter = DefaultOAuth2TokenRequestHeadersConverter()
headersConverter.setEncodeClientCredentials(false)

val accessTokenResponseClient = WebClientReactiveTokenExchangeTokenResponseClient()
accessTokenResponseClient.setHeadersConverter(headersConverter)

自定義請求引數

有三種自定義請求引數的方法

  • 透過呼叫 addParametersConverter() 新增額外的引數

  • 透過呼叫 setParametersConverter() 覆蓋引數

  • 透過呼叫 setParametersCustomizer() 完全自定義引數

使用 setParametersConverter() 不能完全自定義引數,因為它將要求使用者自己提供所有預設引數。預設引數始終提供,但可以透過呼叫 setParametersCustomizer() 完全自定義或省略。

您可以使用 addParametersConverter() 新增額外的引數,而不會影響新增到每個請求的預設引數。以下示例在 registrationIdkeycloak 時向請求新增 audience 引數

包含額外的請求引數

  • Java

  • Kotlin

WebClientReactiveTokenExchangeTokenResponseClient accessTokenResponseClient =
	new WebClientReactiveTokenExchangeTokenResponseClient();
accessTokenResponseClient.addParametersConverter(grantRequest -> {
	ClientRegistration clientRegistration = grantRequest.getClientRegistration();
	MultiValueMap<String, String> parameters = new LinkedMultiValueMap<String, String>();
	if (clientRegistration.getRegistrationId().equals("keycloak")) {
		parameters.set(OAuth2ParameterNames.AUDIENCE, "my-audience");
	}
	return parameters;
});
val accessTokenResponseClient = WebClientReactiveTokenExchangeTokenResponseClient()
accessTokenResponseClient.addParametersConverter { grantRequest ->
	val clientRegistration = grantRequest.getClientRegistration()
	val parameters = LinkedMultiValueMap<String, String>()
	if (clientRegistration.getRegistrationId() == "keycloak") {
        parameters[OAuth2ParameterNames.AUDIENCE] = "my-audience"
	}
	parameters
}

您可以使用 setParametersConverter() 覆蓋預設引數。以下示例在 registrationIdokta 時覆蓋 client_id 引數

覆蓋請求引數

  • Java

  • Kotlin

WebClientReactiveTokenExchangeTokenResponseClient accessTokenResponseClient =
	new WebClientReactiveTokenExchangeTokenResponseClient();
accessTokenResponseClient.setParametersConverter(grantRequest -> {
	ClientRegistration clientRegistration = grantRequest.getClientRegistration();
	LinkedMultiValueMap<String, String> parameters = new LinkedMultiValueMap<>();
	if (clientRegistration.getRegistrationId().equals("okta")) {
		parameters.set(OAuth2ParameterNames.CLIENT_ID, "my-client");
	}
	return parameters;
});
val accessTokenResponseClient = WebClientReactiveTokenExchangeTokenResponseClient()
accessTokenResponseClient.setParametersConverter { grantRequest ->
    val clientRegistration = grantRequest.getClientRegistration()
	val parameters = LinkedMultiValueMap<String, String>()
	if (clientRegistration.getRegistrationId() == "okta") {
        parameters[OAuth2ParameterNames.CLIENT_ID] = "my-client"
	}
	parameters
}

您可以使用 setParametersCustomizer() 完全自定義引數(包括省略預設引數)。以下示例在請求中存在 client_assertion 引數時省略 client_id 引數

省略請求引數

  • Java

  • Kotlin

WebClientReactiveTokenExchangeTokenResponseClient accessTokenResponseClient =
	new WebClientReactiveTokenExchangeTokenResponseClient();
accessTokenResponseClient.setParametersCustomizer(parameters -> {
	if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
		parameters.remove(OAuth2ParameterNames.CLIENT_ID);
	}
});
val accessTokenResponseClient = WebClientReactiveTokenExchangeTokenResponseClient()
accessTokenResponseClient.setParametersCustomizer { parameters ->
	if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
		parameters.remove(OAuth2ParameterNames.CLIENT_ID)
	}
}

自定義訪問令牌響應

WebClientReactiveTokenExchangeTokenResponseClient 提供了用於自定義 OAuth 2.0 訪問令牌響應的鉤子。

自定義響應引數

您可以透過呼叫 setBodyExtractor() 自定義令牌響應引數到 OAuth2AccessTokenResponse 的轉換。OAuth2BodyExtractors.oauth2AccessTokenResponse() 提供的預設實現解析響應並相應地處理錯誤。

以下示例提供了自定義令牌響應引數到 OAuth2AccessTokenResponse 轉換的起點

自定義主體提取器

  • Java

  • Kotlin

WebClientReactiveTokenExchangeTokenResponseClient accessTokenResponseClient =
	new WebClientReactiveTokenExchangeTokenResponseClient();

BodyExtractor<Mono<Map<String, Object>>, ReactiveHttpInputMessage> bodyExtractor =
	BodyExtractors.toMono(new ParameterizedTypeReference<>() {});
accessTokenResponseClient.setBodyExtractor((inputMessage, context) ->
	bodyExtractor.extract(inputMessage, context)
		.map((parameters) -> parameters.withToken("custom-token")
			// ...
			.build()
		)
);
val accessTokenResponseClient = WebClientReactiveTokenExchangeTokenResponseClient()

val bodyExtractor = BodyExtractors.toMono(object : ParameterizedTypeReference<Map<String, Any>>() {})
accessTokenResponseClient.setBodyExtractor { inputMessage, context ->
	bodyExtractor.extract(inputMessage, context).map { parameters ->
		OAuth2AccessTokenResponse.withToken("custom-token")
			// ...
			.build()
	}
}

在提供自定義 BodyExtractor 時,您需要根據響應引數負責檢測並將 OAuth 2.0 錯誤響應轉換為帶有 OAuth2ErrorMono.error()

自定義 WebClient

或者,如果您的要求更高階,您可以透過向 setWebClient() 提供預配置的 WebClient 來完全控制請求和/或響應,如以下示例所示

自定義 WebClient

  • Java

  • Kotlin

WebClient webClient = WebClient.builder()
	// ...
	.build();

WebClientReactiveTokenExchangeTokenResponseClient accessTokenResponseClient =
	new WebClientReactiveTokenExchangeTokenResponseClient();
accessTokenResponseClient.setWebClient(webClient);
val webClient = WebClient.builder()
	// ...
	.build()

val accessTokenResponseClient = WebClientReactiveTokenExchangeTokenResponseClient()
accessTokenResponseClient.setWebClient(webClient)

使用構建器自定義

無論您是自定義 WebClientReactiveTokenExchangeTokenResponseClient 還是提供自己的 ReactiveOAuth2AccessTokenResponseClient 實現,您都可以使用 ReactiveOAuth2AuthorizedClientProviderBuilder 配置它(作為釋出 bean 的替代方法),如下所示

透過構建器配置訪問令牌響應

  • Java

  • Kotlin

// Customize
ReactiveOAuth2AccessTokenResponseClient<TokenExchangeGrantRequest> tokenExchangeTokenResponseClient = ...

TokenExchangeReactiveOAuth2AuthorizedClientProvider tokenExchangeAuthorizedClientProvider = new TokenExchangeReactiveOAuth2AuthorizedClientProvider();
tokenExchangeAuthorizedClientProvider.setAccessTokenResponseClient(tokenExchangeTokenResponseClient);

ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
		ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
				.provider(tokenExchangeAuthorizedClientProvider)
				.build();

// ...

authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
// Customize
val tokenExchangeTokenResponseClient: ReactiveOAuth2AccessTokenResponseClient<TokenExchangeGrantRequest> = ...

val tokenExchangeAuthorizedClientProvider = TokenExchangeReactiveOAuth2AuthorizedClientProvider()
tokenExchangeAuthorizedClientProvider.setAccessTokenResponseClient(tokenExchangeTokenResponseClient)

val authorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
        .provider(tokenExchangeAuthorizedClientProvider)
        .build()

// ...

authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)

使用訪問令牌

給定以下 OAuth 2.0 客戶端註冊的 Spring Boot 屬性

spring:
  security:
    oauth2:
      client:
        registration:
          okta:
            client-id: okta-client-id
            client-secret: okta-client-secret
            authorization-grant-type: urn:ietf:params:oauth:grant-type:token-exchange
            scope: read
        provider:
          okta:
            token-uri: https://dev-1234.oktapreview.com/oauth2/v1/token

…​以及 OAuth2AuthorizedClientManager @Bean

  • Java

  • Kotlin

@Bean
public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
		ReactiveClientRegistrationRepository clientRegistrationRepository,
		ServerOAuth2AuthorizedClientRepository authorizedClientRepository) {

	TokenExchangeReactiveOAuth2AuthorizedClientProvider tokenExchangeAuthorizedClientProvider =
			new TokenExchangeReactiveOAuth2AuthorizedClientProvider();

	ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
			ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
					.provider(tokenExchangeAuthorizedClientProvider)
					.build();

	DefaultReactiveOAuth2AuthorizedClientManager authorizedClientManager =
			new DefaultReactiveOAuth2AuthorizedClientManager(
					clientRegistrationRepository, authorizedClientRepository);
	authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);

	return authorizedClientManager;
}
@Bean
fun authorizedClientManager(
        clientRegistrationRepository: ReactiveClientRegistrationRepository,
        authorizedClientRepository: ServerOAuth2AuthorizedClientRepository): ReactiveOAuth2AuthorizedClientManager {
    val tokenExchangeAuthorizedClientProvider = TokenExchangeReactiveOAuth2AuthorizedClientProvider()
    val authorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
            .provider(tokenExchangeAuthorizedClientProvider)
            .build()
    val authorizedClientManager = DefaultReactiveOAuth2AuthorizedClientManager(
            clientRegistrationRepository, authorizedClientRepository)
    authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
    return authorizedClientManager
}

您可以按如下方式獲取 OAuth2AccessToken

  • Java

  • Kotlin

@RestController
public class OAuth2ResourceServerController {

	@Autowired
	private ReactiveOAuth2AuthorizedClientManager authorizedClientManager;

	@GetMapping("/resource")
	public Mono<String> resource(JwtAuthenticationToken jwtAuthentication) {
		OAuth2AuthorizeRequest authorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
				.principal(jwtAuthentication)
				.build();

		return this.authorizedClientManager.authorize(authorizeRequest)
				.map(OAuth2AuthorizedClient::getAccessToken)
				// ...
				.thenReturn("index");
	}
}
class OAuth2ResourceServerController {

    @Autowired
    private lateinit var authorizedClientManager: ReactiveOAuth2AuthorizedClientManager

    @GetMapping("/resource")
    fun resource(jwtAuthentication: JwtAuthenticationToken): Mono<String> {
        val authorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
                .principal(jwtAuthentication)
                .build()
        return authorizedClientManager.authorize(authorizeRequest)
                .map { it.accessToken }
                // ...
                .thenReturn("index")
    }
}

TokenExchangeReactiveOAuth2AuthorizedClientProvider 預設透過 OAuth2AuthorizationContext.getPrincipal().getPrincipal() 解析主體令牌(作為 OAuth2Token),因此在前面的示例中使用了 JwtAuthenticationToken。預設情況下不解析參與者令牌。

如果您需要從其他來源解析主體令牌,您可以為 TokenExchangeReactiveOAuth2AuthorizedClientProvider.setSubjectTokenResolver() 提供自定義的 Function<OAuth2AuthorizationContext, Mono<OAuth2Token>>

如果您需要解析參與者令牌,您可以為 TokenExchangeReactiveOAuth2AuthorizedClientProvider.setActorTokenResolver() 提供自定義的 Function<OAuth2AuthorizationContext, Mono<OAuth2Token>>
© . This site is unofficial and not affiliated with VMware.