|
对于最新的稳定版本,请使用 Spring Security 6.4.1! |
授权客户端功能
本节介绍 Spring Security 为 OAuth2 客户端提供的其他功能。
解析授权客户端
这@RegisteredOAuth2AuthorizedClientannotation 提供了将 method 参数解析为 type 为 argument 值的功能OAuth2AuthorizedClient.
与访问OAuth2AuthorizedClient通过使用OAuth2AuthorizedClientManager或OAuth2AuthorizedClientService.
以下示例演示如何使用@RegisteredOAuth2AuthorizedClient:
-
Java
-
Kotlin
@Controller
public class OAuth2ClientController {
@GetMapping("/")
public String index(@RegisteredOAuth2AuthorizedClient("okta") OAuth2AuthorizedClient authorizedClient) {
OAuth2AccessToken accessToken = authorizedClient.getAccessToken();
...
return "index";
}
}@Controller
class OAuth2ClientController {
@GetMapping("/")
fun index(@RegisteredOAuth2AuthorizedClient("okta") authorizedClient: OAuth2AuthorizedClient): String {
val accessToken = authorizedClient.accessToken
...
return "index"
}
}这@RegisteredOAuth2AuthorizedClientannotation 由OAuth2AuthorizedClientArgumentResolver,它直接使用OAuth2AuthorizedClientManager因此,继承了它的能力。
用于 Servlet 环境的 WebClient 集成
OAuth 2.0 客户端支持与WebClient通过使用ExchangeFilterFunction.
这ServletOAuth2AuthorizedClientExchangeFilterFunction提供了一种使用OAuth2AuthorizedClient并包括关联的OAuth2AccessToken作为 Bearer Token 进行验证。
它直接使用OAuth2AuthorizedClientManager因此,继承了以下功能:
-
一
OAuth2AccessToken如果客户端尚未获得授权,则请求。-
authorization_code:触发 Authorization Request 重定向以启动流。 -
client_credentials:访问令牌直接从 Token Endpoint 获取。 -
password:访问令牌直接从 Token Endpoint 获取。
-
-
如果
OAuth2AccessToken已过期,则如果OAuth2AuthorizedClientProvider可用于执行授权
以下代码显示了如何配置WebClient使用 OAuth 2.0 客户端支持:
-
Java
-
Kotlin
@Bean
WebClient webClient(OAuth2AuthorizedClientManager authorizedClientManager) {
ServletOAuth2AuthorizedClientExchangeFilterFunction oauth2Client =
new ServletOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager);
return WebClient.builder()
.apply(oauth2Client.oauth2Configuration())
.build();
}@Bean
fun webClient(authorizedClientManager: OAuth2AuthorizedClientManager?): WebClient {
val oauth2Client = ServletOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager)
return WebClient.builder()
.apply(oauth2Client.oauth2Configuration())
.build()
}提供授权客户
这ServletOAuth2AuthorizedClientExchangeFilterFunction通过解析OAuth2AuthorizedClient从ClientRequest.attributes()(请求属性)。
以下代码演示如何设置OAuth2AuthorizedClient作为请求属性:
-
Java
-
Kotlin
@GetMapping("/")
public String index(@RegisteredOAuth2AuthorizedClient("okta") OAuth2AuthorizedClient authorizedClient) {
String resourceUri = ...
String body = webClient
.get()
.uri(resourceUri)
.attributes(oauth2AuthorizedClient(authorizedClient)) (1)
.retrieve()
.bodyToMono(String.class)
.block();
...
return "index";
}@GetMapping("/")
fun index(@RegisteredOAuth2AuthorizedClient("okta") authorizedClient: OAuth2AuthorizedClient): String {
val resourceUri: String = ...
val body: String = webClient
.get()
.uri(resourceUri)
.attributes(oauth2AuthorizedClient(authorizedClient)) (1)
.retrieve()
.bodyToMono()
.block()
...
return "index"
}| 1 | oauth2AuthorizedClient()是一个staticmethod 中ServletOAuth2AuthorizedClientExchangeFilterFunction. |
以下代码演示如何设置ClientRegistration.getRegistrationId()作为请求属性:
-
Java
-
Kotlin
@GetMapping("/")
public String index() {
String resourceUri = ...
String body = webClient
.get()
.uri(resourceUri)
.attributes(clientRegistrationId("okta")) (1)
.retrieve()
.bodyToMono(String.class)
.block();
...
return "index";
}@GetMapping("/")
fun index(): String {
val resourceUri: String = ...
val body: String = webClient
.get()
.uri(resourceUri)
.attributes(clientRegistrationId("okta")) (1)
.retrieve()
.bodyToMono()
.block()
...
return "index"
}| 1 | clientRegistrationId()是一个staticmethod 中ServletOAuth2AuthorizedClientExchangeFilterFunction. |
以下代码演示如何设置Authentication作为请求属性:
-
Java
-
Kotlin
@GetMapping("/")
public String index() {
String resourceUri = ...
Authentication anonymousAuthentication = new AnonymousAuthenticationToken(
"anonymous", "anonymousUser", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
String body = webClient
.get()
.uri(resourceUri)
.attributes(authentication(anonymousAuthentication)) (1)
.retrieve()
.bodyToMono(String.class)
.block();
...
return "index";
}@GetMapping("/")
fun index(): String {
val resourceUri: String = ...
val anonymousAuthentication: Authentication = AnonymousAuthenticationToken(
"anonymous", "anonymousUser", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"))
val body: String = webClient
.get()
.uri(resourceUri)
.attributes(authentication(anonymousAuthentication)) (1)
.retrieve()
.bodyToMono()
.block()
...
return "index"
}| 1 | authentication()是一个staticmethod 中ServletOAuth2AuthorizedClientExchangeFilterFunction. |
| 建议谨慎使用此功能,因为所有 HTTP 请求都将收到绑定到提供的委托人的访问令牌。 |
默认授权客户端
如果两者都不是OAuth2AuthorizedClient或ClientRegistration.getRegistrationId()作为请求属性提供,ServletOAuth2AuthorizedClientExchangeFilterFunction可以确定要使用的默认客户端,具体取决于其配置。
如果setDefaultOAuth2AuthorizedClient(true),并且用户已使用HttpSecurity.oauth2Login()这OAuth2AccessToken与当前OAuth2AuthenticationToken被使用。
以下代码显示了具体配置:
-
Java
-
Kotlin
@Bean
WebClient webClient(OAuth2AuthorizedClientManager authorizedClientManager) {
ServletOAuth2AuthorizedClientExchangeFilterFunction oauth2Client =
new ServletOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager);
oauth2Client.setDefaultOAuth2AuthorizedClient(true);
return WebClient.builder()
.apply(oauth2Client.oauth2Configuration())
.build();
}@Bean
fun webClient(authorizedClientManager: OAuth2AuthorizedClientManager?): WebClient {
val oauth2Client = ServletOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager)
oauth2Client.setDefaultOAuth2AuthorizedClient(true)
return WebClient.builder()
.apply(oauth2Client.oauth2Configuration())
.build()
}|
请谨慎使用此功能,因为所有 HTTP 请求都会收到访问令牌。 |
或者,如果setDefaultClientRegistrationId("okta")配置了有效的ClientRegistration这OAuth2AccessToken与OAuth2AuthorizedClient被使用。
以下代码显示了具体配置:
-
Java
-
Kotlin
@Bean
WebClient webClient(OAuth2AuthorizedClientManager authorizedClientManager) {
ServletOAuth2AuthorizedClientExchangeFilterFunction oauth2Client =
new ServletOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager);
oauth2Client.setDefaultClientRegistrationId("okta");
return WebClient.builder()
.apply(oauth2Client.oauth2Configuration())
.build();
}@Bean
fun webClient(authorizedClientManager: OAuth2AuthorizedClientManager?): WebClient {
val oauth2Client = ServletOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager)
oauth2Client.setDefaultClientRegistrationId("okta")
return WebClient.builder()
.apply(oauth2Client.oauth2Configuration())
.build()
}|
请谨慎使用此功能,因为所有 HTTP 请求都会收到访问令牌。 |