授權許可型別支援
本節介紹 Spring Security 對授權許可型別的支援。
授權碼
|
有關 授權碼 許可型別的更多詳細資訊,請參閱 OAuth 2.0 授權框架。 |
獲取授權
|
有關授權碼許可型別的授權請求/響應協議流程,請參閱 OAuth 2.0 授權框架。 |
發起授權請求
OAuth2AuthorizationRequestRedirectWebFilter 使用 ServerOAuth2AuthorizationRequestResolver 解析 OAuth2AuthorizationRequest,並透過將終端使用者的使用者代理重定向到授權伺服器的授權端點來發起授權碼許可流程。
ServerOAuth2AuthorizationRequestResolver 的主要作用是從提供的 Web 請求中解析 OAuth2AuthorizationRequest。預設實現 DefaultServerOAuth2AuthorizationRequestResolver 匹配(預設)路徑 /oauth2/authorization/{registrationId},提取 registrationId 並用它來構建關聯 ClientRegistration 的 OAuth2AuthorizationRequest。
假設有以下用於 OAuth 2.0 客戶端註冊的 Spring Boot 屬性
spring:
security:
oauth2:
client:
registration:
okta:
client-id: okta-client-id
client-secret: okta-client-secret
authorization-grant-type: authorization_code
redirect-uri: "{baseUrl}/authorized/okta"
scope: read, write
provider:
okta:
authorization-uri: https://dev-1234.oktapreview.com/oauth2/v1/authorize
token-uri: https://dev-1234.oktapreview.com/oauth2/v1/token基本路徑為 /oauth2/authorization/okta 的請求將由 OAuth2AuthorizationRequestRedirectWebFilter 發起授權請求重定向,並最終啟動授權碼許可流程。
|
|
如果 OAuth 2.0 客戶端是公共客戶端,則按如下方式配置 OAuth 2.0 客戶端註冊:
spring:
security:
oauth2:
client:
registration:
okta:
client-id: okta-client-id
client-authentication-method: none
authorization-grant-type: authorization_code
redirect-uri: "{baseUrl}/authorized/okta"
# ...公共客戶端透過 程式碼交換證明金鑰 (PKCE) 得到支援。如果客戶端執行在不受信任的環境中(例如,原生應用程式或基於 Web 瀏覽器的應用程式),因此無法維護其憑據的機密性,則在滿足以下條件時將自動使用 PKCE:
-
client-secret被省略(或為空) -
client-authentication-method設定為 "none" (ClientAuthenticationMethod.NONE)
|
如果 OAuth 2.0 提供者支援針對機密客戶端的 PKCE,您可以(可選地)使用 |
以下配置使用了所有支援的 URI 模板變數
spring:
security:
oauth2:
client:
registration:
okta:
# ...
redirect-uri: "{baseScheme}://{baseHost}{basePort}{basePath}/authorized/{registrationId}"
# ...|
|
使用 URI 模板變數配置 redirect-uri 在 OAuth 2.0 客戶端執行在代理伺服器後面時特別有用。這確保在擴充套件 redirect-uri 時使用 X-Forwarded-* 頭。
定製授權請求
ServerOAuth2AuthorizationRequestResolver 可以實現的主要用例之一是能夠透過 OAuth 2.0 授權框架中定義的標準引數之外的額外引數來定製授權請求。
例如,OpenID Connect 為授權碼流程定義了額外的 OAuth 2.0 請求引數,這些引數擴充套件了OAuth 2.0 授權框架中定義的標準引數。其中一個擴充套件引數是 prompt 引數。
|
|
以下示例展示瞭如何使用 Consumer<OAuth2AuthorizationRequest.Builder> 配置 DefaultServerOAuth2AuthorizationRequestResolver,透過包含請求引數 prompt=consent 來定製 oauth2Login() 的授權請求。
-
Java
-
Kotlin
@Configuration
@EnableWebFluxSecurity
public class OAuth2LoginSecurityConfig {
@Autowired
private ReactiveClientRegistrationRepository clientRegistrationRepository;
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
http
.authorizeExchange(authorize -> authorize
.anyExchange().authenticated()
)
.oauth2Login(oauth2 -> oauth2
.authorizationRequestResolver(
authorizationRequestResolver(this.clientRegistrationRepository)
)
);
return http.build();
}
private ServerOAuth2AuthorizationRequestResolver authorizationRequestResolver(
ReactiveClientRegistrationRepository clientRegistrationRepository) {
DefaultServerOAuth2AuthorizationRequestResolver authorizationRequestResolver =
new DefaultServerOAuth2AuthorizationRequestResolver(
clientRegistrationRepository);
authorizationRequestResolver.setAuthorizationRequestCustomizer(
authorizationRequestCustomizer());
return authorizationRequestResolver;
}
private Consumer<OAuth2AuthorizationRequest.Builder> authorizationRequestCustomizer() {
return customizer -> customizer
.additionalParameters(params -> params.put("prompt", "consent"));
}
}@Configuration
@EnableWebFluxSecurity
class SecurityConfig {
@Autowired
private lateinit var customClientRegistrationRepository: ReactiveClientRegistrationRepository
@Bean
fun securityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
http {
authorizeExchange {
authorize(anyExchange, authenticated)
}
oauth2Login {
authorizationRequestResolver = authorizationRequestResolver(customClientRegistrationRepository)
}
}
return http.build()
}
private fun authorizationRequestResolver(
clientRegistrationRepository: ReactiveClientRegistrationRepository): ServerOAuth2AuthorizationRequestResolver {
val authorizationRequestResolver = DefaultServerOAuth2AuthorizationRequestResolver(
clientRegistrationRepository)
authorizationRequestResolver.setAuthorizationRequestCustomizer(
authorizationRequestCustomizer())
return authorizationRequestResolver
}
private fun authorizationRequestCustomizer(): Consumer<OAuth2AuthorizationRequest.Builder> {
return Consumer { customizer ->
customizer
.additionalParameters { params -> params["prompt"] = "consent" }
}
}
}對於簡單用例,如果額外請求引數對於特定提供者始終相同,可以直接在 authorization-uri 屬性中新增它。
例如,如果提供者 okta 的請求引數 prompt 的值始終是 consent,則只需按如下方式配置:
spring:
security:
oauth2:
client:
provider:
okta:
authorization-uri: https://dev-1234.oktapreview.com/oauth2/v1/authorize?prompt=consent前面的示例展示了在標準引數之上新增自定義引數的常見用例。或者,如果您的要求更高階,您可以透過簡單地覆蓋 OAuth2AuthorizationRequest.authorizationRequestUri 屬性來完全控制構建授權請求 URI。
|
|
以下示例展示了前例中 authorizationRequestCustomizer() 的一種變體,它轉而覆蓋了 OAuth2AuthorizationRequest.authorizationRequestUri 屬性。
-
Java
-
Kotlin
private Consumer<OAuth2AuthorizationRequest.Builder> authorizationRequestCustomizer() {
return customizer -> customizer
.authorizationRequestUri(uriBuilder -> uriBuilder
.queryParam("prompt", "consent").build());
}private fun authorizationRequestCustomizer(): Consumer<OAuth2AuthorizationRequest.Builder> {
return Consumer { customizer: OAuth2AuthorizationRequest.Builder ->
customizer
.authorizationRequestUri { uriBuilder: UriBuilder ->
uriBuilder
.queryParam("prompt", "consent").build()
}
}
}儲存授權請求
ServerAuthorizationRequestRepository 負責從發起授權請求到接收授權響應(回撥)這段時間內 OAuth2AuthorizationRequest 的持久化。
|
|
ServerAuthorizationRequestRepository 的預設實現是 WebSessionOAuth2ServerAuthorizationRequestRepository,它將 OAuth2AuthorizationRequest 儲存在 WebSession 中。
如果您有自定義的 ServerAuthorizationRequestRepository 實現,可以按以下示例進行配置:
-
Java
-
Kotlin
@Configuration
@EnableWebFluxSecurity
public class OAuth2ClientSecurityConfig {
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
http
.oauth2Client(oauth2 -> oauth2
.authorizationRequestRepository(this.authorizationRequestRepository())
// ...
);
return http.build();
}
}@Configuration
@EnableWebFluxSecurity
class OAuth2ClientSecurityConfig {
@Bean
fun securityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
http {
oauth2Client {
authorizationRequestRepository = authorizationRequestRepository()
}
}
return http.build()
}
}請求訪問令牌
|
有關授權碼許可型別的訪問令牌請求/響應協議流程,請參閱 OAuth 2.0 授權框架。 |
針對授權碼許可型別的 ReactiveOAuth2AccessTokenResponseClient 預設實現是 WebClientReactiveAuthorizationCodeTokenResponseClient,它使用 WebClient 在授權伺服器的令牌端點交換授權碼以獲取訪問令牌。
要定製 WebClientReactiveAuthorizationCodeTokenResponseClient,只需按以下示例提供一個 bean,預設的 ReactiveOAuth2AuthorizedClientManager 將自動拾取它。
WebClientReactiveAuthorizationCodeTokenResponseClient 非常靈活,併為定製授權碼許可型別的 OAuth 2.0 訪問令牌請求和響應提供了多種選項。選擇以下用例以瞭解更多資訊:
定製訪問令牌請求
WebClientReactiveAuthorizationCodeTokenResponseClient 提供了用於定製令牌請求的 HTTP 頭和請求引數的鉤子。
定製請求頭
定製 HTTP 頭有兩種選項:
-
透過呼叫
addHeadersConverter()新增額外的頭 -
透過呼叫
setHeadersConverter()完全定製頭
您可以使用 addHeadersConverter() 新增額外的頭,而不會影響新增到每個請求的預設頭。以下示例在 registrationId 為 spring 時向請求新增一個 User-Agent 頭。
-
Java
-
Kotlin
WebClientReactiveAuthorizationCodeTokenResponseClient accessTokenResponseClient =
new WebClientReactiveAuthorizationCodeTokenResponseClient();
accessTokenResponseClient.addHeadersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
HttpHeaders headers = new HttpHeaders();
if (clientRegistration.getRegistrationId().equals("spring")) {
headers.set(HttpHeaders.USER_AGENT, "my-user-agent");
}
return headers;
});val accessTokenResponseClient = WebClientReactiveAuthorizationCodeTokenResponseClient()
accessTokenResponseClient.addHeadersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val headers = HttpHeaders()
if (clientRegistration.getRegistrationId() == "spring") {
headers[HttpHeaders.USER_AGENT] = "my-user-agent"
}
headers
}您可以透過複用 DefaultOAuth2TokenRequestHeadersConverter 或使用 setHeadersConverter() 提供自定義實現來完全定製頭。以下示例複用 DefaultOAuth2TokenRequestHeadersConverter 並停用 encodeClientCredentials,以便 HTTP Basic 憑據不再使用 application/x-www-form-urlencoded 進行編碼。
-
Java
-
Kotlin
DefaultOAuth2TokenRequestHeadersConverter headersConverter =
new DefaultOAuth2TokenRequestHeadersConverter();
headersConverter.setEncodeClientCredentials(false);
WebClientReactiveAuthorizationCodeTokenResponseClient accessTokenResponseClient =
new WebClientReactiveAuthorizationCodeTokenResponseClient();
accessTokenResponseClient.setHeadersConverter(headersConverter);val headersConverter = DefaultOAuth2TokenRequestHeadersConverter()
headersConverter.setEncodeClientCredentials(false)
val accessTokenResponseClient = WebClientReactiveAuthorizationCodeTokenResponseClient()
accessTokenResponseClient.setHeadersConverter(headersConverter)定製請求引數
定製請求引數有三種選項:
-
透過呼叫
addParametersConverter()新增額外引數 -
透過呼叫
setParametersConverter()覆蓋引數 -
透過呼叫
setParametersCustomizer()完全定製引數
|
使用 |
您可以使用 addParametersConverter() 包含額外引數,而不會影響新增到每個請求的預設引數。以下示例在 registrationId 為 keycloak 時向請求新增一個 audience 引數。
-
Java
-
Kotlin
WebClientReactiveAuthorizationCodeTokenResponseClient accessTokenResponseClient =
new WebClientReactiveAuthorizationCodeTokenResponseClient();
accessTokenResponseClient.addParametersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
MultiValueMap<String, String> parameters = new LinkedMultiValueMap<String, String>();
if (clientRegistration.getRegistrationId().equals("keycloak")) {
parameters.set(OAuth2ParameterNames.AUDIENCE, "my-audience");
}
return parameters;
});val accessTokenResponseClient = WebClientReactiveAuthorizationCodeTokenResponseClient()
accessTokenResponseClient.addParametersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val parameters = LinkedMultiValueMap<String, String>()
if (clientRegistration.getRegistrationId() == "keycloak") {
parameters[OAuth2ParameterNames.AUDIENCE] = "my-audience"
}
parameters
}您可以使用 setParametersConverter() 覆蓋預設引數。以下示例在 registrationId 為 okta 時覆蓋 client_id 引數。
-
Java
-
Kotlin
WebClientReactiveAuthorizationCodeTokenResponseClient accessTokenResponseClient =
new WebClientReactiveAuthorizationCodeTokenResponseClient();
accessTokenResponseClient.setParametersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
LinkedMultiValueMap<String, String> parameters = new LinkedMultiValueMap<>();
if (clientRegistration.getRegistrationId().equals("okta")) {
parameters.set(OAuth2ParameterNames.CLIENT_ID, "my-client");
}
return parameters;
});val accessTokenResponseClient = WebClientReactiveAuthorizationCodeTokenResponseClient()
accessTokenResponseClient.setParametersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val parameters = LinkedMultiValueMap<String, String>()
if (clientRegistration.getRegistrationId() == "okta") {
parameters[OAuth2ParameterNames.CLIENT_ID] = "my-client"
}
parameters
}您可以使用 setParametersCustomizer() 完全定製引數(包括省略預設引數)。以下示例在請求中存在 client_assertion 引數時省略 client_id 引數。
-
Java
-
Kotlin
WebClientReactiveAuthorizationCodeTokenResponseClient accessTokenResponseClient =
new WebClientReactiveAuthorizationCodeTokenResponseClient();
accessTokenResponseClient.setParametersCustomizer(parameters -> {
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID);
}
});val accessTokenResponseClient = WebClientReactiveAuthorizationCodeTokenResponseClient()
accessTokenResponseClient.setParametersCustomizer { parameters ->
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID)
}
}定製訪問令牌響應
WebClientReactiveAuthorizationCodeTokenResponseClient 提供了用於定製 OAuth 2.0 訪問令牌響應的鉤子。
定製響應引數
您可以透過呼叫 setBodyExtractor() 定製令牌響應引數到 OAuth2AccessTokenResponse 的轉換。OAuth2BodyExtractors.oauth2AccessTokenResponse() 提供的預設實現解析響應並相應地處理錯誤。
以下示例提供了定製令牌響應引數到 OAuth2AccessTokenResponse 轉換的起點。
-
Java
-
Kotlin
WebClientReactiveAuthorizationCodeTokenResponseClient accessTokenResponseClient =
new WebClientReactiveAuthorizationCodeTokenResponseClient();
BodyExtractor<Mono<Map<String, Object>>, ReactiveHttpInputMessage> bodyExtractor =
BodyExtractors.toMono(new ParameterizedTypeReference<>() {});
accessTokenResponseClient.setBodyExtractor((inputMessage, context) ->
bodyExtractor.extract(inputMessage, context)
.map(parameters -> OAuth2AccessTokenResponse.withToken("custom-token")
// ...
.build()
)
);val accessTokenResponseClient = WebClientReactiveAuthorizationCodeTokenResponseClient()
val bodyExtractor = BodyExtractors.toMono(object : ParameterizedTypeReference<Map<String, Any>>() {})
accessTokenResponseClient.setBodyExtractor { inputMessage, context ->
bodyExtractor.extract(inputMessage, context).map { parameters ->
OAuth2AccessTokenResponse.withToken("custom-token")
// ...
.build()
}
}|
提供自定義 |
定製 WebClient
或者,如果您的要求更高階,您可以透過向 setWebClient() 提供一個預配置的 WebClient 來完全控制請求和/或響應,如下例所示。
WebClient-
Java
-
Kotlin
WebClient webClient = WebClient.builder()
// ...
.build();
WebClientReactiveAuthorizationCodeTokenResponseClient accessTokenResponseClient =
new WebClientReactiveAuthorizationCodeTokenResponseClient();
accessTokenResponseClient.setWebClient(webClient);val webClient = WebClient.builder()
// ...
.build()
val accessTokenResponseClient = WebClientReactiveAuthorizationCodeTokenResponseClient()
accessTokenResponseClient.setWebClient(webClient)使用 DSL 定製
無論您是定製 WebClientReactiveAuthorizationCodeTokenResponseClient 還是提供自己的 ReactiveOAuth2AccessTokenResponseClient 實現,您都可以使用 DSL(作為釋出 bean 的替代方法)進行配置,如下例所示。
-
Java
-
Kotlin
@Configuration
@EnableWebFluxSecurity
public class OAuth2ClientSecurityConfig {
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
http
.oauth2Client(oauth2 -> oauth2
.authenticationManager(this.authorizationCodeAuthenticationManager())
// ...
);
return http.build();
}
private ReactiveAuthenticationManager authorizationCodeAuthenticationManager() {
WebClientReactiveAuthorizationCodeTokenResponseClient accessTokenResponseClient =
new WebClientReactiveAuthorizationCodeTokenResponseClient();
// ...
return new OAuth2AuthorizationCodeReactiveAuthenticationManager(accessTokenResponseClient);
}
}@Configuration
@EnableWebFluxSecurity
class OAuth2ClientSecurityConfig {
@Bean
fun securityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
http {
oauth2Client {
authenticationManager = authorizationCodeAuthenticationManager()
}
}
return http.build()
}
private fun authorizationCodeAuthenticationManager(): ReactiveAuthenticationManager {
val accessTokenResponseClient = WebClientReactiveAuthorizationCodeTokenResponseClient()
// ...
return OAuth2AuthorizationCodeReactiveAuthenticationManager(accessTokenResponseClient)
}
}重新整理令牌
|
有關重新整理令牌的更多詳細資訊,請參閱 OAuth 2.0 授權框架。 |
重新整理訪問令牌
|
有關重新整理令牌許可型別的訪問令牌請求/響應協議流程,請參閱 OAuth 2.0 授權框架。 |
針對重新整理令牌許可型別的 ReactiveOAuth2AccessTokenResponseClient 預設實現是 WebClientReactiveRefreshTokenTokenResponseClient,它在授權伺服器的令牌端點重新整理訪問令牌時使用 WebClient。
要定製 WebClientReactiveRefreshTokenTokenResponseClient,只需按以下示例提供一個 bean,預設的 ReactiveOAuth2AuthorizedClientManager 將自動拾取它。
-
Java
-
Kotlin
@Bean
public ReactiveOAuth2AccessTokenResponseClient<OAuth2RefreshTokenGrantRequest> accessTokenResponseClient() {
WebClientReactiveRefreshTokenTokenResponseClient accessTokenResponseClient =
new WebClientReactiveRefreshTokenTokenResponseClient();
// ...
return accessTokenResponseClient;
}@Bean
fun accessTokenResponseClient(): ReactiveOAuth2AccessTokenResponseClient<Refresh Token> {
val accessTokenResponseClient = WebClientReactiveRefreshTokenTokenResponseClient()
// ...
return accessTokenResponseClient
}WebClientReactiveRefreshTokenTokenResponseClient 非常靈活,併為定製重新整理令牌許可型別的 OAuth 2.0 訪問令牌請求和響應提供了多種選項。選擇以下用例以瞭解更多資訊:
定製訪問令牌請求
WebClientReactiveRefreshTokenTokenResponseClient 提供了用於定製令牌請求的 HTTP 頭和請求引數的鉤子。
定製請求頭
定製 HTTP 頭有兩種選項:
-
透過呼叫
addHeadersConverter()新增額外的頭 -
透過呼叫
setHeadersConverter()完全定製頭
您可以使用 addHeadersConverter() 新增額外的頭,而不會影響新增到每個請求的預設頭。以下示例在 registrationId 為 spring 時向請求新增一個 User-Agent 頭。
-
Java
-
Kotlin
WebClientReactiveRefreshTokenTokenResponseClient accessTokenResponseClient =
new WebClientReactiveRefreshTokenTokenResponseClient();
accessTokenResponseClient.addHeadersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
HttpHeaders headers = new HttpHeaders();
if (clientRegistration.getRegistrationId().equals("spring")) {
headers.set(HttpHeaders.USER_AGENT, "my-user-agent");
}
return headers;
});val accessTokenResponseClient = WebClientReactiveRefreshTokenTokenResponseClient()
accessTokenResponseClient.addHeadersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val headers = HttpHeaders()
if (clientRegistration.getRegistrationId() == "spring") {
headers[HttpHeaders.USER_AGENT] = "my-user-agent"
}
headers
}您可以透過複用 DefaultOAuth2TokenRequestHeadersConverter 或使用 setHeadersConverter() 提供自定義實現來完全定製頭。以下示例複用 DefaultOAuth2TokenRequestHeadersConverter 並停用 encodeClientCredentials,以便 HTTP Basic 憑據不再使用 application/x-www-form-urlencoded 進行編碼。
-
Java
-
Kotlin
DefaultOAuth2TokenRequestHeadersConverter headersConverter =
new DefaultOAuth2TokenRequestHeadersConverter();
headersConverter.setEncodeClientCredentials(false);
WebClientReactiveRefreshTokenTokenResponseClient accessTokenResponseClient =
new WebClientReactiveRefreshTokenTokenResponseClient();
accessTokenResponseClient.setHeadersConverter(headersConverter);val headersConverter = DefaultOAuth2TokenRequestHeadersConverter()
headersConverter.setEncodeClientCredentials(false)
val accessTokenResponseClient = WebClientReactiveRefreshTokenTokenResponseClient()
accessTokenResponseClient.setHeadersConverter(headersConverter)定製請求引數
定製請求引數有三種選項:
-
透過呼叫
addParametersConverter()新增額外引數 -
透過呼叫
setParametersConverter()覆蓋引數 -
透過呼叫
setParametersCustomizer()完全定製引數
|
使用 |
您可以使用 addParametersConverter() 包含額外引數,而不會影響新增到每個請求的預設引數。以下示例在 registrationId 為 keycloak 時向請求新增一個 audience 引數。
-
Java
-
Kotlin
WebClientReactiveRefreshTokenTokenResponseClient accessTokenResponseClient =
new WebClientReactiveRefreshTokenTokenResponseClient();
accessTokenResponseClient.addParametersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
MultiValueMap<String, String> parameters = new LinkedMultiValueMap<String, String>();
if (clientRegistration.getRegistrationId().equals("keycloak")) {
parameters.set(OAuth2ParameterNames.AUDIENCE, "my-audience");
}
return parameters;
});val accessTokenResponseClient = WebClientReactiveRefreshTokenTokenResponseClient()
accessTokenResponseClient.addParametersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val parameters = LinkedMultiValueMap<String, String>()
if (clientRegistration.getRegistrationId() == "keycloak") {
parameters[OAuth2ParameterNames.AUDIENCE] = "my-audience"
}
parameters
}您可以使用 setParametersConverter() 覆蓋預設引數。以下示例在 registrationId 為 okta 時覆蓋 client_id 引數。
-
Java
-
Kotlin
WebClientReactiveRefreshTokenTokenResponseClient accessTokenResponseClient =
new WebClientReactiveRefreshTokenTokenResponseClient();
accessTokenResponseClient.setParametersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
LinkedMultiValueMap<String, String> parameters = new LinkedMultiValueMap<>();
if (clientRegistration.getRegistrationId().equals("okta")) {
parameters.set(OAuth2ParameterNames.CLIENT_ID, "my-client");
}
return parameters;
});val accessTokenResponseClient = WebClientReactiveRefreshTokenTokenResponseClient()
accessTokenResponseClient.setParametersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val parameters = LinkedMultiValueMap<String, String>()
if (clientRegistration.getRegistrationId() == "okta") {
parameters[OAuth2ParameterNames.CLIENT_ID] = "my-client"
}
parameters
}您可以使用 setParametersCustomizer() 完全定製引數(包括省略預設引數)。以下示例在請求中存在 client_assertion 引數時省略 client_id 引數。
-
Java
-
Kotlin
WebClientReactiveRefreshTokenTokenResponseClient accessTokenResponseClient =
new WebClientReactiveRefreshTokenTokenResponseClient();
accessTokenResponseClient.setParametersCustomizer(parameters -> {
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID);
}
});val accessTokenResponseClient = WebClientReactiveRefreshTokenTokenResponseClient()
accessTokenResponseClient.setParametersCustomizer { parameters ->
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID)
}
}定製訪問令牌響應
WebClientReactiveRefreshTokenTokenResponseClient 提供了用於定製 OAuth 2.0 訪問令牌響應的鉤子。
定製響應引數
您可以透過呼叫 setBodyExtractor() 定製令牌響應引數到 OAuth2AccessTokenResponse 的轉換。OAuth2BodyExtractors.oauth2AccessTokenResponse() 提供的預設實現解析響應並相應地處理錯誤。
以下示例提供了定製令牌響應引數到 OAuth2AccessTokenResponse 轉換的起點。
-
Java
-
Kotlin
WebClientReactiveRefreshTokenTokenResponseClient accessTokenResponseClient =
new WebClientReactiveRefreshTokenTokenResponseClient();
BodyExtractor<Mono<Map<String, Object>>, ReactiveHttpInputMessage> bodyExtractor =
BodyExtractors.toMono(new ParameterizedTypeReference<>() {});
accessTokenResponseClient.setBodyExtractor((inputMessage, context) ->
bodyExtractor.extract(inputMessage, context)
.map(parameters -> OAuth2AccessTokenResponse.withToken("custom-token")
// ...
.build()
)
);val accessTokenResponseClient = WebClientReactiveRefreshTokenTokenResponseClient()
val bodyExtractor = BodyExtractors.toMono(object : ParameterizedTypeReference<Map<String, Any>>() {})
accessTokenResponseClient.setBodyExtractor { inputMessage, context ->
bodyExtractor.extract(inputMessage, context).map { parameters ->
OAuth2AccessTokenResponse.withToken("custom-token")
// ...
.build()
}
}|
提供自定義 |
定製 WebClient
或者,如果您的要求更高階,您可以透過向 setWebClient() 提供一個預配置的 WebClient 來完全控制請求和/或響應,如下例所示。
WebClient-
Java
-
Kotlin
WebClient webClient = WebClient.builder()
// ...
.build();
WebClientReactiveRefreshTokenTokenResponseClient accessTokenResponseClient =
new WebClientReactiveRefreshTokenTokenResponseClient();
accessTokenResponseClient.setWebClient(webClient);val webClient = WebClient.builder()
// ...
.build()
val accessTokenResponseClient = WebClientReactiveRefreshTokenTokenResponseClient()
accessTokenResponseClient.setWebClient(webClient)使用 Builder 定製
無論您是定製 WebClientReactiveRefreshTokenTokenResponseClient 還是提供自己的 ReactiveOAuth2AccessTokenResponseClient 實現,您都可以使用 ReactiveOAuth2AuthorizedClientProviderBuilder(作為釋出 bean 的替代方法)進行配置,如下所示。
-
Java
-
Kotlin
// Customize
ReactiveOAuth2AccessTokenResponseClient<OAuth2RefreshTokenGrantRequest> refreshTokenTokenResponseClient = ...
ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.authorizationCode()
.refreshToken(configurer -> configurer.accessTokenResponseClient(refreshTokenTokenResponseClient))
.build();
// ...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);// Customize
val refreshTokenTokenResponseClient: ReactiveOAuth2AccessTokenResponseClient<OAuth2RefreshTokenGrantRequest> = ...
val authorizedClientProvider: ReactiveOAuth2AuthorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.authorizationCode()
.refreshToken { it.accessTokenResponseClient(refreshTokenTokenResponseClient) }
.build()
// ...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)|
|
對於 authorization_code 和 password 許可型別,OAuth2RefreshToken 可能會在訪問令牌響應中可選地返回。如果 OAuth2AuthorizedClient.getRefreshToken() 可用且 OAuth2AuthorizedClient.getAccessToken() 已過期,它將由 RefreshTokenReactiveOAuth2AuthorizedClientProvider 自動重新整理。
客戶端憑據
|
有關客戶端憑據許可型別的更多詳細資訊,請參閱 OAuth 2.0 授權框架。 |
請求訪問令牌
|
有關客戶端憑據許可型別的訪問令牌請求/響應協議流程,請參閱 OAuth 2.0 授權框架。 |
針對客戶端憑據許可型別的 ReactiveOAuth2AccessTokenResponseClient 預設實現是 WebClientReactiveClientCredentialsTokenResponseClient,它在授權伺服器的令牌端點請求訪問令牌時使用 WebClient。
要定製 WebClientReactiveClientCredentialsTokenResponseClient,只需按以下示例提供一個 bean,預設的 ReactiveOAuth2AuthorizedClientManager 將自動拾取它。
-
Java
-
Kotlin
@Bean
public ReactiveOAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> accessTokenResponseClient() {
WebClientReactiveClientCredentialsTokenResponseClient accessTokenResponseClient =
new WebClientReactiveClientCredentialsTokenResponseClient();
// ...
return accessTokenResponseClient;
}@Bean
fun accessTokenResponseClient(): ReactiveOAuth2AccessTokenResponseClient<Client Credentials> {
val accessTokenResponseClient = WebClientReactiveClientCredentialsTokenResponseClient()
// ...
return accessTokenResponseClient
}WebClientReactiveClientCredentialsTokenResponseClient 非常靈活,併為定製客戶端憑據許可型別的 OAuth 2.0 訪問令牌請求和響應提供了多種選項。選擇以下用例以瞭解更多資訊:
定製訪問令牌請求
WebClientReactiveClientCredentialsTokenResponseClient 提供了用於定製令牌請求的 HTTP 頭和請求引數的鉤子。
定製請求頭
定製 HTTP 頭有兩種選項:
-
透過呼叫
addHeadersConverter()新增額外的頭 -
透過呼叫
setHeadersConverter()完全定製頭
您可以使用 addHeadersConverter() 新增額外的頭,而不會影響新增到每個請求的預設頭。以下示例在 registrationId 為 spring 時向請求新增一個 User-Agent 頭。
-
Java
-
Kotlin
WebClientReactiveClientCredentialsTokenResponseClient accessTokenResponseClient =
new WebClientReactiveClientCredentialsTokenResponseClient();
accessTokenResponseClient.addHeadersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
HttpHeaders headers = new HttpHeaders();
if (clientRegistration.getRegistrationId().equals("spring")) {
headers.set(HttpHeaders.USER_AGENT, "my-user-agent");
}
return headers;
});val accessTokenResponseClient = WebClientReactiveClientCredentialsTokenResponseClient()
accessTokenResponseClient.addHeadersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val headers = HttpHeaders()
if (clientRegistration.getRegistrationId() == "spring") {
headers[HttpHeaders.USER_AGENT] = "my-user-agent"
}
headers
}您可以透過複用 DefaultOAuth2TokenRequestHeadersConverter 或使用 setHeadersConverter() 提供自定義實現來完全定製頭。以下示例複用 DefaultOAuth2TokenRequestHeadersConverter 並停用 encodeClientCredentials,以便 HTTP Basic 憑據不再使用 application/x-www-form-urlencoded 進行編碼。
-
Java
-
Kotlin
DefaultOAuth2TokenRequestHeadersConverter headersConverter =
new DefaultOAuth2TokenRequestHeadersConverter();
headersConverter.setEncodeClientCredentials(false);
WebClientReactiveClientCredentialsTokenResponseClient accessTokenResponseClient =
new WebClientReactiveClientCredentialsTokenResponseClient();
accessTokenResponseClient.setHeadersConverter(headersConverter);val headersConverter = DefaultOAuth2TokenRequestHeadersConverter()
headersConverter.setEncodeClientCredentials(false)
val accessTokenResponseClient = WebClientReactiveClientCredentialsTokenResponseClient()
accessTokenResponseClient.setHeadersConverter(headersConverter)定製請求引數
定製請求引數有三種選項:
-
透過呼叫
addParametersConverter()新增額外引數 -
透過呼叫
setParametersConverter()覆蓋引數 -
透過呼叫
setParametersCustomizer()完全定製引數
|
使用 |
您可以使用 addParametersConverter() 包含額外引數,而不會影響新增到每個請求的預設引數。以下示例在 registrationId 為 keycloak 時向請求新增一個 audience 引數。
-
Java
-
Kotlin
WebClientReactiveClientCredentialsTokenResponseClient accessTokenResponseClient =
new WebClientReactiveClientCredentialsTokenResponseClient();
accessTokenResponseClient.addParametersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
MultiValueMap<String, String> parameters = new LinkedMultiValueMap<String, String>();
if (clientRegistration.getRegistrationId().equals("keycloak")) {
parameters.set(OAuth2ParameterNames.AUDIENCE, "my-audience");
}
return parameters;
});val accessTokenResponseClient = WebClientReactiveClientCredentialsTokenResponseClient()
accessTokenResponseClient.addParametersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val parameters = LinkedMultiValueMap<String, String>()
if (clientRegistration.getRegistrationId() == "keycloak") {
parameters[OAuth2ParameterNames.AUDIENCE] = "my-audience"
}
parameters
}您可以使用 setParametersConverter() 覆蓋預設引數。以下示例在 registrationId 為 okta 時覆蓋 client_id 引數。
-
Java
-
Kotlin
WebClientReactiveClientCredentialsTokenResponseClient accessTokenResponseClient =
new WebClientReactiveClientCredentialsTokenResponseClient();
accessTokenResponseClient.setParametersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
LinkedMultiValueMap<String, String> parameters = new LinkedMultiValueMap<>();
if (clientRegistration.getRegistrationId().equals("okta")) {
parameters.set(OAuth2ParameterNames.CLIENT_ID, "my-client");
}
return parameters;
});val accessTokenResponseClient = WebClientReactiveClientCredentialsTokenResponseClient()
accessTokenResponseClient.setParametersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val parameters = LinkedMultiValueMap<String, String>()
if (clientRegistration.getRegistrationId() == "okta") {
parameters[OAuth2ParameterNames.CLIENT_ID] = "my-client"
}
parameters
}您可以使用 setParametersCustomizer() 完全定製引數(包括省略預設引數)。以下示例在請求中存在 client_assertion 引數時省略 client_id 引數。
-
Java
-
Kotlin
WebClientReactiveClientCredentialsTokenResponseClient accessTokenResponseClient =
new WebClientReactiveClientCredentialsTokenResponseClient();
accessTokenResponseClient.setParametersCustomizer(parameters -> {
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID);
}
});val accessTokenResponseClient = WebClientReactiveClientCredentialsTokenResponseClient()
accessTokenResponseClient.setParametersCustomizer { parameters ->
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID)
}
}定製訪問令牌響應
WebClientReactiveClientCredentialsTokenResponseClient 提供了用於定製 OAuth 2.0 訪問令牌響應的鉤子。
定製響應引數
您可以透過呼叫 setBodyExtractor() 定製令牌響應引數到 OAuth2AccessTokenResponse 的轉換。OAuth2BodyExtractors.oauth2AccessTokenResponse() 提供的預設實現解析響應並相應地處理錯誤。
以下示例提供了定製令牌響應引數到 OAuth2AccessTokenResponse 轉換的起點。
-
Java
-
Kotlin
WebClientReactiveClientCredentialsTokenResponseClient accessTokenResponseClient =
new WebClientReactiveClientCredentialsTokenResponseClient();
BodyExtractor<Mono<Map<String, Object>>, ReactiveHttpInputMessage> bodyExtractor =
BodyExtractors.toMono(new ParameterizedTypeReference<>() {});
accessTokenResponseClient.setBodyExtractor((inputMessage, context) ->
bodyExtractor.extract(inputMessage, context)
.map(parameters -> OAuth2AccessTokenResponse.withToken("custom-token")
// ...
.build()
)
);val accessTokenResponseClient = WebClientReactiveClientCredentialsTokenResponseClient()
val bodyExtractor = BodyExtractors.toMono(object : ParameterizedTypeReference<Map<String, Any>>() {})
accessTokenResponseClient.setBodyExtractor { inputMessage, context ->
bodyExtractor.extract(inputMessage, context).map { parameters ->
OAuth2AccessTokenResponse.withToken("custom-token")
// ...
.build()
}
}|
提供自定義 |
定製 WebClient
或者,如果您的要求更高階,您可以透過向 setWebClient() 提供一個預配置的 WebClient 來完全控制請求和/或響應,如下例所示。
WebClient-
Java
-
Kotlin
WebClient webClient = WebClient.builder()
// ...
.build();
WebClientReactiveClientCredentialsTokenResponseClient accessTokenResponseClient =
new WebClientReactiveClientCredentialsTokenResponseClient();
accessTokenResponseClient.setWebClient(webClient);val webClient = WebClient.builder()
// ...
.build()
val accessTokenResponseClient = WebClientReactiveClientCredentialsTokenResponseClient()
accessTokenResponseClient.setWebClient(webClient)使用 Builder 定製
無論您是定製 WebClientReactiveClientCredentialsTokenResponseClient 還是提供自己的 ReactiveOAuth2AccessTokenResponseClient 實現,您都可以使用 ReactiveOAuth2AuthorizedClientProviderBuilder(作為釋出 bean 的替代方法)進行配置,如下所示。
-
Java
-
Kotlin
// Customize
ReactiveOAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> clientCredentialsTokenResponseClient = ...
ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.clientCredentials(configurer -> configurer.accessTokenResponseClient(clientCredentialsTokenResponseClient))
.build();
// ...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);// Customize
val clientCredentialsTokenResponseClient: ReactiveOAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> = ...
val authorizedClientProvider: ReactiveOAuth2AuthorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.clientCredentials { it.accessTokenResponseClient(clientCredentialsTokenResponseClient) }
.build()
// ...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)|
|
使用訪問令牌
假設有以下用於 OAuth 2.0 客戶端註冊的 Spring Boot 屬性
spring:
security:
oauth2:
client:
registration:
okta:
client-id: okta-client-id
client-secret: okta-client-secret
authorization-grant-type: client_credentials
scope: read, write
provider:
okta:
token-uri: https://dev-1234.oktapreview.com/oauth2/v1/token...以及 ReactiveOAuth2AuthorizedClientManager 的 @Bean
-
Java
-
Kotlin
@Bean
public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
ReactiveClientRegistrationRepository clientRegistrationRepository,
ServerOAuth2AuthorizedClientRepository authorizedClientRepository) {
ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.clientCredentials()
.build();
DefaultReactiveOAuth2AuthorizedClientManager authorizedClientManager =
new DefaultReactiveOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository);
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
return authorizedClientManager;
}@Bean
fun authorizedClientManager(
clientRegistrationRepository: ReactiveClientRegistrationRepository,
authorizedClientRepository: ServerOAuth2AuthorizedClientRepository): ReactiveOAuth2AuthorizedClientManager {
val authorizedClientProvider: ReactiveOAuth2AuthorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.clientCredentials()
.build()
val authorizedClientManager = DefaultReactiveOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository)
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
return authorizedClientManager
}您可以按如下方式獲取 OAuth2AccessToken
-
Java
-
Kotlin
@Controller
public class OAuth2ClientController {
@Autowired
private ReactiveOAuth2AuthorizedClientManager authorizedClientManager;
@GetMapping("/")
public Mono<String> index(Authentication authentication, ServerWebExchange exchange) {
OAuth2AuthorizeRequest authorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
.principal(authentication)
.attribute(ServerWebExchange.class.getName(), exchange)
.build();
return this.authorizedClientManager.authorize(authorizeRequest)
.map(OAuth2AuthorizedClient::getAccessToken)
// ...
.thenReturn("index");
}
}class OAuth2ClientController {
@Autowired
private lateinit var authorizedClientManager: ReactiveOAuth2AuthorizedClientManager
@GetMapping("/")
fun index(authentication: Authentication, exchange: ServerWebExchange): Mono<String> {
val authorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
.principal(authentication)
.attribute(ServerWebExchange::class.java.name, exchange)
.build()
return authorizedClientManager.authorize(authorizeRequest)
.map { it.accessToken }
// ...
.thenReturn("index")
}
}|
|
資源所有者密碼憑據
|
有關資源所有者密碼憑據許可型別的更多詳細資訊,請參閱 OAuth 2.0 授權框架。 |
請求訪問令牌
|
有關資源所有者密碼憑據許可型別的訪問令牌請求/響應協議流程,請參閱 OAuth 2.0 授權框架。 |
針對資源所有者密碼憑據許可型別的 ReactiveOAuth2AccessTokenResponseClient 預設實現是 WebClientReactivePasswordTokenResponseClient,它在授權伺服器的令牌端點請求訪問令牌時使用 WebClient。
|
|
要定製 WebClientReactivePasswordTokenResponseClient,只需按以下示例提供一個 bean,預設的 ReactiveOAuth2AuthorizedClientManager 將自動拾取它。
-
Java
-
Kotlin
@Bean
public ReactiveOAuth2AccessTokenResponseClient<OAuth2PasswordGrantRequest> accessTokenResponseClient() {
WebClientReactivePasswordTokenResponseClient accessTokenResponseClient =
new WebClientReactivePasswordTokenResponseClient();
// ...
return accessTokenResponseClient;
}@Bean
fun accessTokenResponseClient(): ReactiveOAuth2AccessTokenResponseClient<Password> {
val accessTokenResponseClient = WebClientReactivePasswordTokenResponseClient()
// ...
return accessTokenResponseClient
}WebClientReactivePasswordTokenResponseClient 非常靈活,併為定製密碼許可型別的 OAuth 2.0 訪問令牌請求和響應提供了多種選項。選擇以下用例以瞭解更多資訊:
定製訪問令牌請求
WebClientReactivePasswordTokenResponseClient 提供了用於定製令牌請求的 HTTP 頭和請求引數的鉤子。
定製請求頭
定製 HTTP 頭有兩種選項:
-
透過呼叫
addHeadersConverter()新增額外的頭 -
透過呼叫
setHeadersConverter()完全定製頭
您可以使用 addHeadersConverter() 新增額外的頭,而不會影響新增到每個請求的預設頭。以下示例在 registrationId 為 spring 時向請求新增一個 User-Agent 頭。
-
Java
-
Kotlin
WebClientReactivePasswordTokenResponseClient accessTokenResponseClient =
new WebClientReactivePasswordTokenResponseClient();
accessTokenResponseClient.addHeadersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
HttpHeaders headers = new HttpHeaders();
if (clientRegistration.getRegistrationId().equals("spring")) {
headers.set(HttpHeaders.USER_AGENT, "my-user-agent");
}
return headers;
});val accessTokenResponseClient = WebClientReactivePasswordTokenResponseClient()
accessTokenResponseClient.addHeadersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val headers = HttpHeaders()
if (clientRegistration.getRegistrationId() == "spring") {
headers[HttpHeaders.USER_AGENT] = "my-user-agent"
}
headers
}您可以透過複用 DefaultOAuth2TokenRequestHeadersConverter 或使用 setHeadersConverter() 提供自定義實現來完全定製頭。以下示例複用 DefaultOAuth2TokenRequestHeadersConverter 並停用 encodeClientCredentials,以便 HTTP Basic 憑據不再使用 application/x-www-form-urlencoded 進行編碼。
-
Java
-
Kotlin
DefaultOAuth2TokenRequestHeadersConverter headersConverter =
new DefaultOAuth2TokenRequestHeadersConverter();
headersConverter.setEncodeClientCredentials(false);
WebClientReactivePasswordTokenResponseClient accessTokenResponseClient =
new WebClientReactivePasswordTokenResponseClient();
accessTokenResponseClient.setHeadersConverter(headersConverter);val headersConverter = DefaultOAuth2TokenRequestHeadersConverter()
headersConverter.setEncodeClientCredentials(false)
val accessTokenResponseClient = WebClientReactivePasswordTokenResponseClient()
accessTokenResponseClient.setHeadersConverter(headersConverter)定製請求引數
定製請求引數有三種選項:
-
透過呼叫
addParametersConverter()新增額外引數 -
透過呼叫
setParametersConverter()覆蓋引數 -
透過呼叫
setParametersCustomizer()完全定製引數
|
使用 |
您可以使用 addParametersConverter() 包含額外引數,而不會影響新增到每個請求的預設引數。以下示例在 registrationId 為 keycloak 時向請求新增一個 audience 引數。
-
Java
-
Kotlin
WebClientReactivePasswordTokenResponseClient accessTokenResponseClient =
new WebClientReactivePasswordTokenResponseClient();
accessTokenResponseClient.addParametersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
MultiValueMap<String, String> parameters = new LinkedMultiValueMap<String, String>();
if (clientRegistration.getRegistrationId().equals("keycloak")) {
parameters.set(OAuth2ParameterNames.AUDIENCE, "my-audience");
}
return parameters;
});val accessTokenResponseClient = WebClientReactivePasswordTokenResponseClient()
accessTokenResponseClient.addParametersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val parameters = LinkedMultiValueMap<String, String>()
if (clientRegistration.getRegistrationId() == "keycloak") {
parameters[OAuth2ParameterNames.AUDIENCE] = "my-audience"
}
parameters
}您可以使用 setParametersConverter() 覆蓋預設引數。以下示例在 registrationId 為 okta 時覆蓋 client_id 引數。
-
Java
-
Kotlin
WebClientReactivePasswordTokenResponseClient accessTokenResponseClient =
new WebClientReactivePasswordTokenResponseClient();
accessTokenResponseClient.setParametersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
LinkedMultiValueMap<String, String> parameters = new LinkedMultiValueMap<>();
if (clientRegistration.getRegistrationId().equals("okta")) {
parameters.set(OAuth2ParameterNames.CLIENT_ID, "my-client");
}
return parameters;
});val accessTokenResponseClient = WebClientReactivePasswordTokenResponseClient()
accessTokenResponseClient.setParametersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val parameters = LinkedMultiValueMap<String, String>()
if (clientRegistration.getRegistrationId() == "okta") {
parameters[OAuth2ParameterNames.CLIENT_ID] = "my-client"
}
parameters
}您可以使用 setParametersCustomizer() 完全定製引數(包括省略預設引數)。以下示例在請求中存在 client_assertion 引數時省略 client_id 引數。
-
Java
-
Kotlin
WebClientReactivePasswordTokenResponseClient accessTokenResponseClient =
new WebClientReactivePasswordTokenResponseClient();
accessTokenResponseClient.setParametersCustomizer(parameters -> {
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID);
}
});val accessTokenResponseClient = WebClientReactivePasswordTokenResponseClient()
accessTokenResponseClient.setParametersCustomizer { parameters ->
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID)
}
}定製訪問令牌響應
WebClientReactivePasswordTokenResponseClient 提供了用於定製 OAuth 2.0 訪問令牌響應的鉤子。
定製響應引數
您可以透過呼叫 setBodyExtractor() 定製令牌響應引數到 OAuth2AccessTokenResponse 的轉換。OAuth2BodyExtractors.oauth2AccessTokenResponse() 提供的預設實現解析響應並相應地處理錯誤。
以下示例提供了定製令牌響應引數到 OAuth2AccessTokenResponse 轉換的起點。
-
Java
-
Kotlin
WebClientReactivePasswordTokenResponseClient accessTokenResponseClient =
new WebClientReactivePasswordTokenResponseClient();
BodyExtractor<Mono<Map<String, Object>>, ReactiveHttpInputMessage> bodyExtractor =
BodyExtractors.toMono(new ParameterizedTypeReference<>() {});
accessTokenResponseClient.setBodyExtractor((inputMessage, context) ->
bodyExtractor.extract(inputMessage, context)
.map(parameters -> OAuth2AccessTokenResponse.withToken("custom-token")
// ...
.build()
)
);val accessTokenResponseClient = WebClientReactivePasswordTokenResponseClient()
val bodyExtractor = BodyExtractors.toMono(object : ParameterizedTypeReference<Map<String, Any>>() {})
accessTokenResponseClient.setBodyExtractor { inputMessage, context ->
bodyExtractor.extract(inputMessage, context).map { parameters ->
OAuth2AccessTokenResponse.withToken("custom-token")
// ...
.build()
}
}|
提供自定義 |
定製 WebClient
或者,如果您的要求更高階,您可以透過向 setWebClient() 提供一個預配置的 WebClient 來完全控制請求和/或響應,如下例所示。
WebClient-
Java
-
Kotlin
WebClient webClient = WebClient.builder()
// ...
.build();
WebClientReactivePasswordTokenResponseClient accessTokenResponseClient =
new WebClientReactivePasswordTokenResponseClient();
accessTokenResponseClient.setWebClient(webClient);val webClient = WebClient.builder()
// ...
.build()
val accessTokenResponseClient = WebClientReactivePasswordTokenResponseClient()
accessTokenResponseClient.setWebClient(webClient)使用 Builder 定製
無論您是定製 WebClientReactivePasswordTokenResponseClient 還是提供自己的 ReactiveOAuth2AccessTokenResponseClient 實現,您都可以使用 ReactiveOAuth2AuthorizedClientProviderBuilder(作為釋出 bean 的替代方法)進行配置,如下所示。
-
Java
-
Kotlin
// Customize
ReactiveOAuth2AccessTokenResponseClient<OAuth2PasswordGrantRequest> passwordTokenResponseClient = ...
ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.password(configurer -> configurer.accessTokenResponseClient(passwordTokenResponseClient))
.refreshToken()
.build();
// ...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);val passwordTokenResponseClient: ReactiveOAuth2AccessTokenResponseClient<OAuth2PasswordGrantRequest> = ...
val authorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.password { it.accessTokenResponseClient(passwordTokenResponseClient) }
.refreshToken()
.build()
// ...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)|
|
使用訪問令牌
假設有以下用於 OAuth 2.0 客戶端註冊的 Spring Boot 屬性
spring:
security:
oauth2:
client:
registration:
okta:
client-id: okta-client-id
client-secret: okta-client-secret
authorization-grant-type: password
scope: read, write
provider:
okta:
token-uri: https://dev-1234.oktapreview.com/oauth2/v1/token...以及 ReactiveOAuth2AuthorizedClientManager 的 @Bean
-
Java
-
Kotlin
@Bean
public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
ReactiveClientRegistrationRepository clientRegistrationRepository,
ServerOAuth2AuthorizedClientRepository authorizedClientRepository) {
ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.password()
.refreshToken()
.build();
DefaultReactiveOAuth2AuthorizedClientManager authorizedClientManager =
new DefaultReactiveOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository);
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
// Assuming the `username` and `password` are supplied as `ServerHttpRequest` parameters,
// map the `ServerHttpRequest` parameters to `OAuth2AuthorizationContext.getAttributes()`
authorizedClientManager.setContextAttributesMapper(contextAttributesMapper());
return authorizedClientManager;
}
private Function<OAuth2AuthorizeRequest, Mono<Map<String, Object>>> contextAttributesMapper() {
return authorizeRequest -> {
Map<String, Object> contextAttributes = Collections.emptyMap();
ServerWebExchange exchange = authorizeRequest.getAttribute(ServerWebExchange.class.getName());
ServerHttpRequest request = exchange.getRequest();
String username = request.getQueryParams().getFirst(OAuth2ParameterNames.USERNAME);
String password = request.getQueryParams().getFirst(OAuth2ParameterNames.PASSWORD);
if (StringUtils.hasText(username) && StringUtils.hasText(password)) {
contextAttributes = new HashMap<>();
// `PasswordReactiveOAuth2AuthorizedClientProvider` requires both attributes
contextAttributes.put(OAuth2AuthorizationContext.USERNAME_ATTRIBUTE_NAME, username);
contextAttributes.put(OAuth2AuthorizationContext.PASSWORD_ATTRIBUTE_NAME, password);
}
return Mono.just(contextAttributes);
};
}@Bean
fun authorizedClientManager(
clientRegistrationRepository: ReactiveClientRegistrationRepository,
authorizedClientRepository: ServerOAuth2AuthorizedClientRepository): ReactiveOAuth2AuthorizedClientManager {
val authorizedClientProvider: ReactiveOAuth2AuthorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.password()
.refreshToken()
.build()
val authorizedClientManager = DefaultReactiveOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository)
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
// Assuming the `username` and `password` are supplied as `ServerHttpRequest` parameters,
// map the `ServerHttpRequest` parameters to `OAuth2AuthorizationContext.getAttributes()`
authorizedClientManager.setContextAttributesMapper(contextAttributesMapper())
return authorizedClientManager
}
private fun contextAttributesMapper(): Function<OAuth2AuthorizeRequest, Mono<MutableMap<String, Any>>> {
return Function { authorizeRequest ->
var contextAttributes: MutableMap<String, Any> = mutableMapOf()
val exchange: ServerWebExchange = authorizeRequest.getAttribute(ServerWebExchange::class.java.name)!!
val request: ServerHttpRequest = exchange.request
val username: String? = request.queryParams.getFirst(OAuth2ParameterNames.USERNAME)
val password: String? = request.queryParams.getFirst(OAuth2ParameterNames.PASSWORD)
if (StringUtils.hasText(username) && StringUtils.hasText(password)) {
contextAttributes = hashMapOf()
// `PasswordReactiveOAuth2AuthorizedClientProvider` requires both attributes
contextAttributes[OAuth2AuthorizationContext.USERNAME_ATTRIBUTE_NAME] = username!!
contextAttributes[OAuth2AuthorizationContext.PASSWORD_ATTRIBUTE_NAME] = password!!
}
Mono.just(contextAttributes)
}
}您可以按如下方式獲取 OAuth2AccessToken
-
Java
-
Kotlin
@Controller
public class OAuth2ClientController {
@Autowired
private ReactiveOAuth2AuthorizedClientManager authorizedClientManager;
@GetMapping("/")
public Mono<String> index(Authentication authentication, ServerWebExchange exchange) {
OAuth2AuthorizeRequest authorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
.principal(authentication)
.attribute(ServerWebExchange.class.getName(), exchange)
.build();
return this.authorizedClientManager.authorize(authorizeRequest)
.map(OAuth2AuthorizedClient::getAccessToken)
// ...
.thenReturn("index");
}
}@Controller
class OAuth2ClientController {
@Autowired
private lateinit var authorizedClientManager: ReactiveOAuth2AuthorizedClientManager
@GetMapping("/")
fun index(authentication: Authentication, exchange: ServerWebExchange): Mono<String> {
val authorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
.principal(authentication)
.attribute(ServerWebExchange::class.java.name, exchange)
.build()
return authorizedClientManager.authorize(authorizeRequest)
.map { it.accessToken }
// ...
.thenReturn("index")
}
}|
|
JWT Bearer
|
有關JWT Bearer 許可型別的更多詳細資訊,請參閱 OAuth 2.0 客戶端認證和授權許可型別的 JSON Web Token (JWT) Profile。 |
請求訪問令牌
|
有關 JWT Bearer 許可型別的訪問令牌請求/響應協議流程,請參閱 JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants。 |
針對 JWT Bearer 許可型別的 ReactiveOAuth2AccessTokenResponseClient 預設實現是 WebClientReactiveJwtBearerTokenResponseClient,它在授權伺服器的令牌端點請求訪問令牌時使用 WebClient。
要定製 WebClientReactiveJwtBearerTokenResponseClient,只需按以下示例提供一個 bean,預設的 ReactiveOAuth2AuthorizedClientManager 將自動拾取它。
-
Java
-
Kotlin
@Bean
public ReactiveOAuth2AccessTokenResponseClient<JwtBearerGrantRequest> accessTokenResponseClient() {
WebClientReactiveJwtBearerTokenResponseClient accessTokenResponseClient =
new WebClientReactiveJwtBearerTokenResponseClient();
// ...
return accessTokenResponseClient;
}@Bean
fun accessTokenResponseClient(): ReactiveOAuth2AccessTokenResponseClient<JWT Bearer> {
val accessTokenResponseClient = WebClientReactiveJwtBearerTokenResponseClient()
// ...
return accessTokenResponseClient
}WebClientReactiveJwtBearerTokenResponseClient 非常靈活,併為定製 JWT Bearer 許可型別的 OAuth 2.0 訪問令牌請求和響應提供了多種選項。選擇以下用例以瞭解更多資訊:
定製訪問令牌請求
WebClientReactiveJwtBearerTokenResponseClient 提供了用於定製令牌請求的 HTTP 頭和請求引數的鉤子。
定製請求頭
定製 HTTP 頭有兩種選項:
-
透過呼叫
addHeadersConverter()新增額外的頭 -
透過呼叫
setHeadersConverter()完全定製頭
您可以使用 addHeadersConverter() 新增額外的頭,而不會影響新增到每個請求的預設頭。以下示例在 registrationId 為 spring 時向請求新增一個 User-Agent 頭。
-
Java
-
Kotlin
WebClientReactiveJwtBearerTokenResponseClient accessTokenResponseClient =
new WebClientReactiveJwtBearerTokenResponseClient();
accessTokenResponseClient.addHeadersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
HttpHeaders headers = new HttpHeaders();
if (clientRegistration.getRegistrationId().equals("spring")) {
headers.set(HttpHeaders.USER_AGENT, "my-user-agent");
}
return headers;
});val accessTokenResponseClient = WebClientReactiveJwtBearerTokenResponseClient()
accessTokenResponseClient.addHeadersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val headers = HttpHeaders()
if (clientRegistration.getRegistrationId() == "spring") {
headers[HttpHeaders.USER_AGENT] = "my-user-agent"
}
headers
}您可以透過複用 DefaultOAuth2TokenRequestHeadersConverter 或使用 setHeadersConverter() 提供自定義實現來完全定製頭。以下示例複用 DefaultOAuth2TokenRequestHeadersConverter 並停用 encodeClientCredentials,以便 HTTP Basic 憑據不再使用 application/x-www-form-urlencoded 進行編碼。
-
Java
-
Kotlin
DefaultOAuth2TokenRequestHeadersConverter headersConverter =
new DefaultOAuth2TokenRequestHeadersConverter();
headersConverter.setEncodeClientCredentials(false);
WebClientReactiveJwtBearerTokenResponseClient accessTokenResponseClient =
new WebClientReactiveJwtBearerTokenResponseClient();
accessTokenResponseClient.setHeadersConverter(headersConverter);val headersConverter = DefaultOAuth2TokenRequestHeadersConverter()
headersConverter.setEncodeClientCredentials(false)
val accessTokenResponseClient = WebClientReactiveJwtBearerTokenResponseClient()
accessTokenResponseClient.setHeadersConverter(headersConverter)定製請求引數
定製請求引數有三種選項:
-
透過呼叫
addParametersConverter()新增額外引數 -
透過呼叫
setParametersConverter()覆蓋引數 -
透過呼叫
setParametersCustomizer()完全定製引數
|
使用 |
您可以使用 addParametersConverter() 包含額外引數,而不會影響新增到每個請求的預設引數。以下示例在 registrationId 為 keycloak 時向請求新增一個 audience 引數。
-
Java
-
Kotlin
WebClientReactiveJwtBearerTokenResponseClient accessTokenResponseClient =
new WebClientReactiveJwtBearerTokenResponseClient();
accessTokenResponseClient.addParametersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
MultiValueMap<String, String> parameters = new LinkedMultiValueMap<String, String>();
if (clientRegistration.getRegistrationId().equals("keycloak")) {
parameters.set(OAuth2ParameterNames.AUDIENCE, "my-audience");
}
return parameters;
});val accessTokenResponseClient = WebClientReactiveJwtBearerTokenResponseClient()
accessTokenResponseClient.addParametersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val parameters = LinkedMultiValueMap<String, String>()
if (clientRegistration.getRegistrationId() == "keycloak") {
parameters[OAuth2ParameterNames.AUDIENCE] = "my-audience"
}
parameters
}您可以使用 setParametersConverter() 覆蓋預設引數。以下示例在 registrationId 為 okta 時覆蓋 client_id 引數。
-
Java
-
Kotlin
WebClientReactiveJwtBearerTokenResponseClient accessTokenResponseClient =
new WebClientReactiveJwtBearerTokenResponseClient();
accessTokenResponseClient.setParametersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
LinkedMultiValueMap<String, String> parameters = new LinkedMultiValueMap<>();
if (clientRegistration.getRegistrationId().equals("okta")) {
parameters.set(OAuth2ParameterNames.CLIENT_ID, "my-client");
}
return parameters;
});val accessTokenResponseClient = WebClientReactiveJwtBearerTokenResponseClient()
accessTokenResponseClient.setParametersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val parameters = LinkedMultiValueMap<String, String>()
if (clientRegistration.getRegistrationId() == "okta") {
parameters[OAuth2ParameterNames.CLIENT_ID] = "my-client"
}
parameters
}您可以使用 setParametersCustomizer() 完全定製引數(包括省略預設引數)。以下示例在請求中存在 client_assertion 引數時省略 client_id 引數。
-
Java
-
Kotlin
WebClientReactiveJwtBearerTokenResponseClient accessTokenResponseClient =
new WebClientReactiveJwtBearerTokenResponseClient();
accessTokenResponseClient.setParametersCustomizer(parameters -> {
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID);
}
});val accessTokenResponseClient = WebClientReactiveJwtBearerTokenResponseClient()
accessTokenResponseClient.setParametersCustomizer { parameters ->
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID)
}
}定製訪問令牌響應
WebClientReactiveJwtBearerTokenResponseClient 提供了用於定製 OAuth 2.0 訪問令牌響應的鉤子。
定製響應引數
您可以透過呼叫 setBodyExtractor() 定製令牌響應引數到 OAuth2AccessTokenResponse 的轉換。OAuth2BodyExtractors.oauth2AccessTokenResponse() 提供的預設實現解析響應並相應地處理錯誤。
以下示例提供了定製令牌響應引數到 OAuth2AccessTokenResponse 轉換的起點。
-
Java
-
Kotlin
WebClientReactiveJwtBearerTokenResponseClient accessTokenResponseClient =
new WebClientReactiveJwtBearerTokenResponseClient();
BodyExtractor<Mono<Map<String, Object>>, ReactiveHttpInputMessage> bodyExtractor =
BodyExtractors.toMono(new ParameterizedTypeReference<>() {});
accessTokenResponseClient.setBodyExtractor((inputMessage, context) ->
bodyExtractor.extract(inputMessage, context)
.map(parameters -> OAuth2AccessTokenResponse.withToken("custom-token")
// ...
.build()
)
);val accessTokenResponseClient = WebClientReactiveJwtBearerTokenResponseClient()
val bodyExtractor = BodyExtractors.toMono(object : ParameterizedTypeReference<Map<String, Any>>() {})
accessTokenResponseClient.setBodyExtractor { inputMessage, context ->
bodyExtractor.extract(inputMessage, context).map { parameters ->
OAuth2AccessTokenResponse.withToken("custom-token")
// ...
.build()
}
}|
提供自定義 |
定製 WebClient
或者,如果您的要求更高階,您可以透過向 setWebClient() 提供一個預配置的 WebClient 來完全控制請求和/或響應,如下例所示。
WebClient-
Java
-
Kotlin
WebClient webClient = WebClient.builder()
// ...
.build();
WebClientReactiveJwtBearerTokenResponseClient accessTokenResponseClient =
new WebClientReactiveJwtBearerTokenResponseClient();
accessTokenResponseClient.setWebClient(webClient);val webClient = WebClient.builder()
// ...
.build()
val accessTokenResponseClient = WebClientReactiveJwtBearerTokenResponseClient()
accessTokenResponseClient.setWebClient(webClient)使用 Builder 定製
無論您是定製 WebClientReactiveJwtBearerTokenResponseClient 還是提供自己的 ReactiveOAuth2AccessTokenResponseClient 實現,您都可以使用 ReactiveOAuth2AuthorizedClientProviderBuilder(作為釋出 bean 的替代方法)進行配置,如下所示。
-
Java
-
Kotlin
// Customize
ReactiveOAuth2AccessTokenResponseClient<JwtBearerGrantRequest> jwtBearerTokenResponseClient = ...
JwtBearerReactiveOAuth2AuthorizedClientProvider jwtBearerAuthorizedClientProvider = new JwtBearerReactiveOAuth2AuthorizedClientProvider();
jwtBearerAuthorizedClientProvider.setAccessTokenResponseClient(jwtBearerTokenResponseClient);
ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.provider(jwtBearerAuthorizedClientProvider)
.build();
// ...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);// Customize
val jwtBearerTokenResponseClient: ReactiveOAuth2AccessTokenResponseClient<JwtBearerGrantRequest> = ...
val jwtBearerAuthorizedClientProvider = JwtBearerReactiveOAuth2AuthorizedClientProvider()
jwtBearerAuthorizedClientProvider.setAccessTokenResponseClient(jwtBearerTokenResponseClient)
val authorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.provider(jwtBearerAuthorizedClientProvider)
.build()
// ...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)使用訪問令牌
假設有以下用於 OAuth 2.0 客戶端註冊的 Spring Boot 屬性
spring:
security:
oauth2:
client:
registration:
okta:
client-id: okta-client-id
client-secret: okta-client-secret
authorization-grant-type: urn:ietf:params:oauth:grant-type:jwt-bearer
scope: read
provider:
okta:
token-uri: https://dev-1234.oktapreview.com/oauth2/v1/token...以及 OAuth2AuthorizedClientManager 的 @Bean
-
Java
-
Kotlin
@Bean
public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
ReactiveClientRegistrationRepository clientRegistrationRepository,
ServerOAuth2AuthorizedClientRepository authorizedClientRepository) {
JwtBearerReactiveOAuth2AuthorizedClientProvider jwtBearerAuthorizedClientProvider =
new JwtBearerReactiveOAuth2AuthorizedClientProvider();
ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.provider(jwtBearerAuthorizedClientProvider)
.build();
DefaultReactiveOAuth2AuthorizedClientManager authorizedClientManager =
new DefaultReactiveOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository);
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
return authorizedClientManager;
}@Bean
fun authorizedClientManager(
clientRegistrationRepository: ReactiveClientRegistrationRepository,
authorizedClientRepository: ServerOAuth2AuthorizedClientRepository): ReactiveOAuth2AuthorizedClientManager {
val jwtBearerAuthorizedClientProvider = JwtBearerReactiveOAuth2AuthorizedClientProvider()
val authorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.provider(jwtBearerAuthorizedClientProvider)
.build()
val authorizedClientManager = DefaultReactiveOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository)
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
return authorizedClientManager
}您可以按如下方式獲取 OAuth2AccessToken
-
Java
-
Kotlin
@RestController
public class OAuth2ResourceServerController {
@Autowired
private ReactiveOAuth2AuthorizedClientManager authorizedClientManager;
@GetMapping("/resource")
public Mono<String> resource(JwtAuthenticationToken jwtAuthentication, ServerWebExchange exchange) {
OAuth2AuthorizeRequest authorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
.principal(jwtAuthentication)
.build();
return this.authorizedClientManager.authorize(authorizeRequest)
.map(OAuth2AuthorizedClient::getAccessToken)
// ...
.thenReturn("index");
}
}class OAuth2ResourceServerController {
@Autowired
private lateinit var authorizedClientManager: ReactiveOAuth2AuthorizedClientManager
@GetMapping("/resource")
fun resource(jwtAuthentication: JwtAuthenticationToken, exchange: ServerWebExchange): Mono<String> {
val authorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
.principal(jwtAuthentication)
.build()
return authorizedClientManager.authorize(authorizeRequest)
.map { it.accessToken }
// ...
.thenReturn("index")
}
}|
|
|
如果您需要從不同來源解析 |
令牌交換
|
有關令牌交換許可型別的更多詳細資訊,請參閱 OAuth 2.0 Token Exchange。 |
請求訪問令牌
|
有關令牌交換許可型別的令牌交換請求和響應協議流程,請參閱 OAuth 2.0 Token Exchange。 |
令牌交換(Token Exchange)授權模式的預設實現是 ReactiveOAuth2AccessTokenResponseClient,它在向授權伺服器(Authorization Server)的令牌端點(Token Endpoint)請求訪問令牌(Access Token)時使用 WebClient。
要定製 WebClientReactiveTokenExchangeTokenResponseClient,只需提供一個 bean,如下例所示,它將被預設的 ReactiveOAuth2AuthorizedClientManager 自動拾取。
-
Java
-
Kotlin
@Bean
public ReactiveOAuth2AccessTokenResponseClient<TokenExchangeGrantRequest> accessTokenResponseClient() {
WebClientReactiveTokenExchangeTokenResponseClient accessTokenResponseClient =
new WebClientReactiveTokenExchangeTokenResponseClient();
// ...
return accessTokenResponseClient;
}@Bean
fun accessTokenResponseClient(): ReactiveOAuth2AccessTokenResponseClient<Token Exchange> {
val accessTokenResponseClient = WebClientReactiveTokenExchangeTokenResponseClient()
// ...
return accessTokenResponseClient
}WebClientReactiveTokenExchangeTokenResponseClient 非常靈活,為令牌交換(Token Exchange)授權模式的 OAuth 2.0 訪問令牌(Access Token)請求和響應提供了多種定製選項。從以下用例中選擇以瞭解更多資訊:
定製訪問令牌(Access Token)請求
WebClientReactiveTokenExchangeTokenResponseClient 提供了用於定製令牌請求(Token Request)的 HTTP 頭部和請求引數的鉤子。
定製請求頭部
定製 HTTP 頭有兩種選項:
-
透過呼叫
addHeadersConverter()新增額外的頭 -
透過呼叫
setHeadersConverter()完全定製頭
您可以使用 addHeadersConverter() 新增額外的頭,而不會影響新增到每個請求的預設頭。以下示例在 registrationId 為 spring 時向請求新增一個 User-Agent 頭。
-
Java
-
Kotlin
WebClientReactiveTokenExchangeTokenResponseClient accessTokenResponseClient =
new WebClientReactiveTokenExchangeTokenResponseClient();
accessTokenResponseClient.addHeadersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
HttpHeaders headers = new HttpHeaders();
if (clientRegistration.getRegistrationId().equals("spring")) {
headers.set(HttpHeaders.USER_AGENT, "my-user-agent");
}
return headers;
});val accessTokenResponseClient = WebClientReactiveTokenExchangeTokenResponseClient()
accessTokenResponseClient.addHeadersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val headers = HttpHeaders()
if (clientRegistration.getRegistrationId() == "spring") {
headers[HttpHeaders.USER_AGENT] = "my-user-agent"
}
headers
}您可以透過複用 DefaultOAuth2TokenRequestHeadersConverter 或使用 setHeadersConverter() 提供自定義實現來完全定製頭。以下示例複用 DefaultOAuth2TokenRequestHeadersConverter 並停用 encodeClientCredentials,以便 HTTP Basic 憑據不再使用 application/x-www-form-urlencoded 進行編碼。
-
Java
-
Kotlin
DefaultOAuth2TokenRequestHeadersConverter headersConverter =
new DefaultOAuth2TokenRequestHeadersConverter();
headersConverter.setEncodeClientCredentials(false);
WebClientReactiveTokenExchangeTokenResponseClient accessTokenResponseClient =
new WebClientReactiveTokenExchangeTokenResponseClient();
accessTokenResponseClient.setHeadersConverter(headersConverter);val headersConverter = DefaultOAuth2TokenRequestHeadersConverter()
headersConverter.setEncodeClientCredentials(false)
val accessTokenResponseClient = WebClientReactiveTokenExchangeTokenResponseClient()
accessTokenResponseClient.setHeadersConverter(headersConverter)定製請求引數
定製請求引數有三種選項:
-
透過呼叫
addParametersConverter()新增額外引數 -
透過呼叫
setParametersConverter()覆蓋引數 -
透過呼叫
setParametersCustomizer()完全定製引數
|
使用 |
您可以使用 addParametersConverter() 包含額外引數,而不會影響新增到每個請求的預設引數。以下示例在 registrationId 為 keycloak 時向請求新增一個 audience 引數。
-
Java
-
Kotlin
WebClientReactiveTokenExchangeTokenResponseClient accessTokenResponseClient =
new WebClientReactiveTokenExchangeTokenResponseClient();
accessTokenResponseClient.addParametersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
MultiValueMap<String, String> parameters = new LinkedMultiValueMap<String, String>();
if (clientRegistration.getRegistrationId().equals("keycloak")) {
parameters.set(OAuth2ParameterNames.AUDIENCE, "my-audience");
}
return parameters;
});val accessTokenResponseClient = WebClientReactiveTokenExchangeTokenResponseClient()
accessTokenResponseClient.addParametersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val parameters = LinkedMultiValueMap<String, String>()
if (clientRegistration.getRegistrationId() == "keycloak") {
parameters[OAuth2ParameterNames.AUDIENCE] = "my-audience"
}
parameters
}您可以使用 setParametersConverter() 覆蓋預設引數。以下示例在 registrationId 為 okta 時覆蓋 client_id 引數。
-
Java
-
Kotlin
WebClientReactiveTokenExchangeTokenResponseClient accessTokenResponseClient =
new WebClientReactiveTokenExchangeTokenResponseClient();
accessTokenResponseClient.setParametersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
LinkedMultiValueMap<String, String> parameters = new LinkedMultiValueMap<>();
if (clientRegistration.getRegistrationId().equals("okta")) {
parameters.set(OAuth2ParameterNames.CLIENT_ID, "my-client");
}
return parameters;
});val accessTokenResponseClient = WebClientReactiveTokenExchangeTokenResponseClient()
accessTokenResponseClient.setParametersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val parameters = LinkedMultiValueMap<String, String>()
if (clientRegistration.getRegistrationId() == "okta") {
parameters[OAuth2ParameterNames.CLIENT_ID] = "my-client"
}
parameters
}您可以使用 setParametersCustomizer() 完全定製引數(包括省略預設引數)。以下示例在請求中存在 client_assertion 引數時省略 client_id 引數。
-
Java
-
Kotlin
WebClientReactiveTokenExchangeTokenResponseClient accessTokenResponseClient =
new WebClientReactiveTokenExchangeTokenResponseClient();
accessTokenResponseClient.setParametersCustomizer(parameters -> {
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID);
}
});val accessTokenResponseClient = WebClientReactiveTokenExchangeTokenResponseClient()
accessTokenResponseClient.setParametersCustomizer { parameters ->
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID)
}
}定製訪問令牌(Access Token)響應
WebClientReactiveTokenExchangeTokenResponseClient 提供了用於定製 OAuth 2.0 訪問令牌(Access Token)響應的鉤子。
定製響應引數
您可以透過呼叫 setBodyExtractor() 定製令牌響應引數到 OAuth2AccessTokenResponse 的轉換。OAuth2BodyExtractors.oauth2AccessTokenResponse() 提供的預設實現解析響應並相應地處理錯誤。
以下示例提供了定製令牌響應引數到 OAuth2AccessTokenResponse 轉換的起點。
-
Java
-
Kotlin
WebClientReactiveTokenExchangeTokenResponseClient accessTokenResponseClient =
new WebClientReactiveTokenExchangeTokenResponseClient();
BodyExtractor<Mono<Map<String, Object>>, ReactiveHttpInputMessage> bodyExtractor =
BodyExtractors.toMono(new ParameterizedTypeReference<>() {});
accessTokenResponseClient.setBodyExtractor((inputMessage, context) ->
bodyExtractor.extract(inputMessage, context)
.map(parameters -> OAuth2AccessTokenResponse.withToken("custom-token")
// ...
.build()
)
);val accessTokenResponseClient = WebClientReactiveTokenExchangeTokenResponseClient()
val bodyExtractor = BodyExtractors.toMono(object : ParameterizedTypeReference<Map<String, Any>>() {})
accessTokenResponseClient.setBodyExtractor { inputMessage, context ->
bodyExtractor.extract(inputMessage, context).map { parameters ->
OAuth2AccessTokenResponse.withToken("custom-token")
// ...
.build()
}
}|
提供自定義 |
定製 WebClient
或者,如果您的要求更高階,您可以透過向 setWebClient() 提供一個預配置的 WebClient 來完全控制請求和/或響應,如下例所示。
WebClient-
Java
-
Kotlin
WebClient webClient = WebClient.builder()
// ...
.build();
WebClientReactiveTokenExchangeTokenResponseClient accessTokenResponseClient =
new WebClientReactiveTokenExchangeTokenResponseClient();
accessTokenResponseClient.setWebClient(webClient);val webClient = WebClient.builder()
// ...
.build()
val accessTokenResponseClient = WebClientReactiveTokenExchangeTokenResponseClient()
accessTokenResponseClient.setWebClient(webClient)使用構建器(Builder)定製
無論您是定製 WebClientReactiveTokenExchangeTokenResponseClient 還是提供自己的 ReactiveOAuth2AccessTokenResponseClient 實現,都可以使用 ReactiveOAuth2AuthorizedClientProviderBuilder(作為釋出 Bean 的替代方案)進行配置,如下所示:
-
Java
-
Kotlin
// Customize
ReactiveOAuth2AccessTokenResponseClient<TokenExchangeGrantRequest> tokenExchangeTokenResponseClient = ...
TokenExchangeReactiveOAuth2AuthorizedClientProvider tokenExchangeAuthorizedClientProvider = new TokenExchangeReactiveOAuth2AuthorizedClientProvider();
tokenExchangeAuthorizedClientProvider.setAccessTokenResponseClient(tokenExchangeTokenResponseClient);
ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.provider(tokenExchangeAuthorizedClientProvider)
.build();
// ...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);// Customize
val tokenExchangeTokenResponseClient: ReactiveOAuth2AccessTokenResponseClient<TokenExchangeGrantRequest> = ...
val tokenExchangeAuthorizedClientProvider = TokenExchangeReactiveOAuth2AuthorizedClientProvider()
tokenExchangeAuthorizedClientProvider.setAccessTokenResponseClient(tokenExchangeTokenResponseClient)
val authorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.provider(tokenExchangeAuthorizedClientProvider)
.build()
// ...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)使用訪問令牌(Access Token)
假設有以下用於 OAuth 2.0 客戶端註冊的 Spring Boot 屬性
spring:
security:
oauth2:
client:
registration:
okta:
client-id: okta-client-id
client-secret: okta-client-secret
authorization-grant-type: urn:ietf:params:oauth:grant-type:token-exchange
scope: read
provider:
okta:
token-uri: https://dev-1234.oktapreview.com/oauth2/v1/token...以及 OAuth2AuthorizedClientManager 的 @Bean
-
Java
-
Kotlin
@Bean
public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
ReactiveClientRegistrationRepository clientRegistrationRepository,
ServerOAuth2AuthorizedClientRepository authorizedClientRepository) {
TokenExchangeReactiveOAuth2AuthorizedClientProvider tokenExchangeAuthorizedClientProvider =
new TokenExchangeReactiveOAuth2AuthorizedClientProvider();
ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.provider(tokenExchangeAuthorizedClientProvider)
.build();
DefaultReactiveOAuth2AuthorizedClientManager authorizedClientManager =
new DefaultReactiveOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository);
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
return authorizedClientManager;
}@Bean
fun authorizedClientManager(
clientRegistrationRepository: ReactiveClientRegistrationRepository,
authorizedClientRepository: ServerOAuth2AuthorizedClientRepository): ReactiveOAuth2AuthorizedClientManager {
val tokenExchangeAuthorizedClientProvider = TokenExchangeReactiveOAuth2AuthorizedClientProvider()
val authorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.provider(tokenExchangeAuthorizedClientProvider)
.build()
val authorizedClientManager = DefaultReactiveOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository)
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
return authorizedClientManager
}您可以按如下方式獲取 OAuth2AccessToken
-
Java
-
Kotlin
@RestController
public class OAuth2ResourceServerController {
@Autowired
private ReactiveOAuth2AuthorizedClientManager authorizedClientManager;
@GetMapping("/resource")
public Mono<String> resource(JwtAuthenticationToken jwtAuthentication) {
OAuth2AuthorizeRequest authorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
.principal(jwtAuthentication)
.build();
return this.authorizedClientManager.authorize(authorizeRequest)
.map(OAuth2AuthorizedClient::getAccessToken)
// ...
.thenReturn("index");
}
}class OAuth2ResourceServerController {
@Autowired
private lateinit var authorizedClientManager: ReactiveOAuth2AuthorizedClientManager
@GetMapping("/resource")
fun resource(jwtAuthentication: JwtAuthenticationToken): Mono<String> {
val authorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
.principal(jwtAuthentication)
.build()
return authorizedClientManager.authorize(authorizeRequest)
.map { it.accessToken }
// ...
.thenReturn("index")
}
}|
預設情況下, |
|
如果您需要從不同來源解析主體令牌,可以為 |
|
如果您需要解析行為者令牌,可以為 |
