Authorized Clients

Resolving an Authorized Client

@RegisteredOAuth2AuthorizedClient 注解提供了解析方法参数到类型为 OAuth2AuthorizedClient 的参数值的可能性。与使用 ReactiveOAuth2AuthorizedClientManagerReactiveOAuth2AuthorizedClientService 访问 OAuth2AuthorizedClient 相比,这是一个便捷的替代方法。

  • Java

  • Kotlin

@Controller
public class OAuth2ClientController {

	@GetMapping("/")
	public Mono<String> index(@RegisteredOAuth2AuthorizedClient("okta") OAuth2AuthorizedClient authorizedClient) {
		return Mono.just(authorizedClient.getAccessToken())
				...
				.thenReturn("index");
	}
}
@Controller
class OAuth2ClientController {
    @GetMapping("/")
    fun index(@RegisteredOAuth2AuthorizedClient("okta") authorizedClient: OAuth2AuthorizedClient): Mono<String> {
        return Mono.just(authorizedClient.accessToken)
                ...
                .thenReturn("index")
    }
}

@RegisteredOAuth2AuthorizedClient 注解由 OAuth2AuthorizedClientArgumentResolver 处理,它直接使用 ReactiveOAuth2AuthorizedClientManager 并因此继承了它的功能。

WebClient integration for Reactive Environments

OAuth 2.0 客户端支持通过使用 ExchangeFilterFunction 集成到 WebClient

ServerOAuth2AuthorizedClientExchangeFilterFunction 提供了一个简单的机制,通过使用 OAuth2AuthorizedClient 并包含关联 OAuth2AccessToken 作为 Bearer 令牌来请求受保护的资源。它直接使用 ReactiveOAuth2AuthorizedClientManager,因此继承了以下功能:

  • 如果客户端尚未获得授权,则将请求 OAuth2AccessToken

    • authorization_code - 触发授权请求重定向以启动流程

    • client_credentials - 直接从令牌端点获取访问令牌

    • password - 直接从令牌端点获取访问令牌

  • 如果 OAuth2AccessToken 已过期,并且有 ReactiveOAuth2AuthorizedClientProvider 可用于执行授权,则将刷新(或续订)它

下面的代码展示了如何将 OAuth2AuthorizedClientManager 与 OAuth 2.0 客户端支持进行配置的一个示例:

  • Java

  • Kotlin

@Bean
WebClient webClient(ReactiveOAuth2AuthorizedClientManager authorizedClientManager) {
	ServerOAuth2AuthorizedClientExchangeFilterFunction oauth2Client =
			new ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager);
	return WebClient.builder()
			.filter(oauth2Client)
			.build();
}
@Bean
fun webClient(authorizedClientManager: ReactiveOAuth2AuthorizedClientManager): WebClient {
    val oauth2Client = ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager)
    return WebClient.builder()
            .filter(oauth2Client)
            .build()
}

Providing the Authorized Client

ServerOAuth2AuthorizedClientExchangeFilterFunction 通过从 ClientRequest.attributes()(请求属性)中解析 OAuth2AuthorizedClient 确定要用于(一个请求)的客户端。

下面的代码展示了如何将 OAuth2AuthorizedClient 设置为请求属性:

  • Java

  • Kotlin

@GetMapping("/")
public Mono<String> index(@RegisteredOAuth2AuthorizedClient("okta") OAuth2AuthorizedClient authorizedClient) {
	String resourceUri = ...

	return webClient
			.get()
			.uri(resourceUri)
			.attributes(oauth2AuthorizedClient(authorizedClient))   1
			.retrieve()
			.bodyToMono(String.class)
			...
			.thenReturn("index");
}
@GetMapping("/")
fun index(@RegisteredOAuth2AuthorizedClient("okta") authorizedClient: OAuth2AuthorizedClient): Mono<String> {
    val resourceUri: String = ...

    return webClient
            .get()
            .uri(resourceUri)
            .attributes(oauth2AuthorizedClient(authorizedClient)) 1
            .retrieve()
            .bodyToMono<String>()
            ...
            .thenReturn("index")
}
<1>  `oauth2AuthorizedClient()` 是 `ServerOAuth2AuthorizedClientExchangeFilterFunction` 中的 `static` 方法。

下面的代码展示了如何将 ClientRequest.attributes() 设置为请求属性:

  • Java

  • Kotlin

@GetMapping("/")
public Mono<String> index() {
	String resourceUri = ...

	return webClient
			.get()
			.uri(resourceUri)
			.attributes(clientRegistrationId("okta"))   1
			.retrieve()
			.bodyToMono(String.class)
			...
			.thenReturn("index");
}
@GetMapping("/")
fun index(): Mono<String> {
    val resourceUri: String = ...

    return webClient
            .get()
            .uri(resourceUri)
            .attributes(clientRegistrationId("okta"))  1
            .retrieve()
            .bodyToMono<String>()
            ...
            .thenReturn("index")
}
<1>  `clientRegistrationId()` 是 `ServerOAuth2AuthorizedClientExchangeFilterFunction` 中的 `static` 方法。

Defaulting the Authorized Client

如果 OAuth2AuthorizedClientClientRegistration.getRegistrationId() 未提供为请求属性,则 ServerOAuth2AuthorizedClientExchangeFilterFunction 可以根据它的配置确定要使用的 default 客户端。

如果配置了 setDefaultOAuth2AuthorizedClient(true),并且用户已使用 ServerHttpSecurity.oauth2Login() 进行身份验证,则与当前 OAuth2AuthenticationToken 关联的 OAuth2AccessToken 被使用。

下面的代码展示了具体配置:

  • Java

  • Kotlin

@Bean
WebClient webClient(ReactiveOAuth2AuthorizedClientManager authorizedClientManager) {
	ServerOAuth2AuthorizedClientExchangeFilterFunction oauth2Client =
			new ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager);
	oauth2Client.setDefaultOAuth2AuthorizedClient(true);
	return WebClient.builder()
			.filter(oauth2Client)
			.build();
}
@Bean
fun webClient(authorizedClientManager: ReactiveOAuth2AuthorizedClientManager): WebClient {
    val oauth2Client = ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager)
    oauth2Client.setDefaultOAuth2AuthorizedClient(true)
    return WebClient.builder()
            .filter(oauth2Client)
            .build()
}

建议慎用此功能,因为所有 HTTP 请求都将收到访问令牌。

或者,如果 OAuth2AccessToken 使用有效的 OAuth2AuthenticationToken 进行配置,则与 setDefaultClientRegistrationId("okta") 相关联的 ClientRegistration 被使用。

下面的代码展示了具体配置:

  • Java

  • Kotlin

@Bean
WebClient webClient(ReactiveOAuth2AuthorizedClientManager authorizedClientManager) {
	ServerOAuth2AuthorizedClientExchangeFilterFunction oauth2Client =
			new ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager);
	oauth2Client.setDefaultClientRegistrationId("okta");
	return WebClient.builder()
			.filter(oauth2Client)
			.build();
}
@Bean
fun webClient(authorizedClientManager: ReactiveOAuth2AuthorizedClientManager): WebClient {
    val oauth2Client = ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager)
    oauth2Client.setDefaultClientRegistrationId("okta")
    return WebClient.builder()
            .filter(oauth2Client)
            .build()
}

建议慎用此功能,因为所有 HTTP 请求都将收到访问令牌。