此版本仍在开发中,尚未被视为稳定版本。对于最新的稳定版本,请使用 Spring Security 6.4.3spring-doc.cadn.net.cn

授权客户端功能

解析授权客户端

@RegisteredOAuth2AuthorizedClientannotation 提供了将 method 参数解析为 type 为OAuth2AuthorizedClient. 与访问OAuth2AuthorizedClient使用OAuth2AuthorizedClientManagerOAuth2AuthorizedClientService.spring-doc.cadn.net.cn

@Controller
public class OAuth2ClientController {

	@GetMapping("/")
	public String index(@RegisteredOAuth2AuthorizedClient("okta") OAuth2AuthorizedClient authorizedClient) {
		OAuth2AccessToken accessToken = authorizedClient.getAccessToken();

		...

		return "index";
	}
}
@Controller
class OAuth2ClientController {
    @GetMapping("/")
    fun index(@RegisteredOAuth2AuthorizedClient("okta") authorizedClient: OAuth2AuthorizedClient): String {
        val accessToken = authorizedClient.accessToken

        ...

        return "index"
    }
}

@RegisteredOAuth2AuthorizedClientannotation 由OAuth2AuthorizedClientArgumentResolver,它直接使用OAuth2AuthorizedClientManager因此继承了它的能力。spring-doc.cadn.net.cn

用于 Servlet 环境的 WebClient 集成

OAuth 2.0 客户端支持与WebClient使用ExchangeFilterFunction.spring-doc.cadn.net.cn

ServletOAuth2AuthorizedClientExchangeFilterFunction提供了一种简单的机制,用于使用OAuth2AuthorizedClient并包括关联的OAuth2AccessToken作为 Bearer Token 进行验证。 它直接使用OAuth2AuthorizedClientManager因此继承了以下能力:spring-doc.cadn.net.cn

以下代码显示了如何配置WebClient使用 OAuth 2.0 客户端支持:spring-doc.cadn.net.cn

@Bean
WebClient webClient(OAuth2AuthorizedClientManager authorizedClientManager) {
	ServletOAuth2AuthorizedClientExchangeFilterFunction oauth2Client =
			new ServletOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager);
	return WebClient.builder()
			.apply(oauth2Client.oauth2Configuration())
			.build();
}
@Bean
fun webClient(authorizedClientManager: OAuth2AuthorizedClientManager?): WebClient {
    val oauth2Client = ServletOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager)
    return WebClient.builder()
            .apply(oauth2Client.oauth2Configuration())
            .build()
}

提供授权客户

ServletOAuth2AuthorizedClientExchangeFilterFunction通过解析OAuth2AuthorizedClientClientRequest.attributes()(请求属性)。spring-doc.cadn.net.cn

以下代码演示如何设置OAuth2AuthorizedClient作为请求属性:spring-doc.cadn.net.cn

@GetMapping("/")
public String index(@RegisteredOAuth2AuthorizedClient("okta") OAuth2AuthorizedClient authorizedClient) {
	String resourceUri = ...

	String body = webClient
			.get()
			.uri(resourceUri)
			.attributes(oauth2AuthorizedClient(authorizedClient))   (1)
			.retrieve()
			.bodyToMono(String.class)
			.block();

	...

	return "index";
}
@GetMapping("/")
fun index(@RegisteredOAuth2AuthorizedClient("okta") authorizedClient: OAuth2AuthorizedClient): String {
    val resourceUri: String = ...
    val body: String = webClient
            .get()
            .uri(resourceUri)
            .attributes(oauth2AuthorizedClient(authorizedClient)) (1)
            .retrieve()
            .bodyToMono()
            .block()

    ...

    return "index"
}
1 oauth2AuthorizedClient()是一个staticmethod 中ServletOAuth2AuthorizedClientExchangeFilterFunction.

以下代码演示如何设置ClientRegistration.getRegistrationId()作为请求属性:spring-doc.cadn.net.cn

@GetMapping("/")
public String index() {
	String resourceUri = ...

	String body = webClient
			.get()
			.uri(resourceUri)
			.attributes(clientRegistrationId("okta"))   (1)
			.retrieve()
			.bodyToMono(String.class)
			.block();

	...

	return "index";
}
@GetMapping("/")
fun index(): String {
    val resourceUri: String = ...

    val body: String = webClient
            .get()
            .uri(resourceUri)
            .attributes(clientRegistrationId("okta"))  (1)
            .retrieve()
            .bodyToMono()
            .block()

    ...

    return "index"
}
1 clientRegistrationId()是一个staticmethod 中ServletOAuth2AuthorizedClientExchangeFilterFunction.

以下代码演示如何设置Authentication作为请求属性:spring-doc.cadn.net.cn

@GetMapping("/")
public String index() {
	String resourceUri = ...

	Authentication anonymousAuthentication = new AnonymousAuthenticationToken(
			"anonymous", "anonymousUser", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
	String body = webClient
			.get()
			.uri(resourceUri)
			.attributes(authentication(anonymousAuthentication))   (1)
			.retrieve()
			.bodyToMono(String.class)
			.block();

	...

	return "index";
}
@GetMapping("/")
fun index(): String {
    val resourceUri: String = ...

    val anonymousAuthentication: Authentication = AnonymousAuthenticationToken(
            "anonymous", "anonymousUser", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"))
    val body: String = webClient
            .get()
            .uri(resourceUri)
            .attributes(authentication(anonymousAuthentication))  (1)
            .retrieve()
            .bodyToMono()
            .block()

    ...

    return "index"
}
1 authentication()是一个staticmethod 中ServletOAuth2AuthorizedClientExchangeFilterFunction.
建议谨慎使用此功能,因为所有 HTTP 请求都将收到绑定到提供的委托人的访问令牌。

默认授权客户端

如果两者都不是OAuth2AuthorizedClientClientRegistration.getRegistrationId()作为请求属性提供,ServletOAuth2AuthorizedClientExchangeFilterFunction可以根据客户端的配置确定要使用的默认客户端。spring-doc.cadn.net.cn

如果setDefaultOAuth2AuthorizedClient(true)已配置,并且用户已使用HttpSecurity.oauth2Login()OAuth2AccessToken与当前OAuth2AuthenticationToken被使用。spring-doc.cadn.net.cn

以下代码显示了具体配置:spring-doc.cadn.net.cn

@Bean
WebClient webClient(OAuth2AuthorizedClientManager authorizedClientManager) {
	ServletOAuth2AuthorizedClientExchangeFilterFunction oauth2Client =
			new ServletOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager);
	oauth2Client.setDefaultOAuth2AuthorizedClient(true);
	return WebClient.builder()
			.apply(oauth2Client.oauth2Configuration())
			.build();
}
@Bean
fun webClient(authorizedClientManager: OAuth2AuthorizedClientManager?): WebClient {
    val oauth2Client = ServletOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager)
    oauth2Client.setDefaultOAuth2AuthorizedClient(true)
    return WebClient.builder()
            .apply(oauth2Client.oauth2Configuration())
            .build()
}
建议谨慎使用此功能,因为所有 HTTP 请求都将收到访问令牌。

或者,如果setDefaultClientRegistrationId("okta")配置了有效的ClientRegistrationOAuth2AccessTokenOAuth2AuthorizedClient被使用。spring-doc.cadn.net.cn

以下代码显示了具体配置:spring-doc.cadn.net.cn

@Bean
WebClient webClient(OAuth2AuthorizedClientManager authorizedClientManager) {
	ServletOAuth2AuthorizedClientExchangeFilterFunction oauth2Client =
			new ServletOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager);
	oauth2Client.setDefaultClientRegistrationId("okta");
	return WebClient.builder()
			.apply(oauth2Client.oauth2Configuration())
			.build();
}
@Bean
fun webClient(authorizedClientManager: OAuth2AuthorizedClientManager?): WebClient {
    val oauth2Client = ServletOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager)
    oauth2Client.setDefaultClientRegistrationId("okta")
    return WebClient.builder()
            .apply(oauth2Client.oauth2Configuration())
            .build()
}
建议谨慎使用此功能,因为所有 HTTP 请求都将收到访问令牌。