授权客户端功能
本节介绍了 Spring Security for OAuth2 Client 提供的其他功能。
解析授权客户端
这@RegisteredOAuth2AuthorizedClientannotation 提供了将 method 参数解析为 type 为OAuth2AuthorizedClient.
与访问OAuth2AuthorizedClient使用ReactiveOAuth2AuthorizedClientManager或ReactiveOAuth2AuthorizedClientService.
-
Java
-
Kotlin
@Controller
public class OAuth2ClientController {
@GetMapping("/")
public Mono<String> index(@RegisteredOAuth2AuthorizedClient("okta") OAuth2AuthorizedClient authorizedClient) {
return Mono.just(authorizedClient.getAccessToken())
...
.thenReturn("index");
}
}@Controller
class OAuth2ClientController {
@GetMapping("/")
fun index(@RegisteredOAuth2AuthorizedClient("okta") authorizedClient: OAuth2AuthorizedClient): Mono<String> {
return Mono.just(authorizedClient.accessToken)
...
.thenReturn("index")
}
}这@RegisteredOAuth2AuthorizedClientannotation 由OAuth2AuthorizedClientArgumentResolver,它直接使用 ReactiveOAuth2AuthorizedClientManager,因此继承了它的功能。
反应式环境的 WebClient 集成
OAuth 2.0 客户端支持与WebClient使用ExchangeFilterFunction.
这ServerOAuth2AuthorizedClientExchangeFilterFunction提供了一种简单的机制,用于使用OAuth2AuthorizedClient并包括关联的OAuth2AccessToken作为 Bearer Token 进行验证。
它直接使用ReactiveOAuth2AuthorizedClientManager,因此继承了以下功能:
-
一
OAuth2AccessToken如果客户端尚未获得授权,将请求。-
authorization_code- 触发 Authorization Request 重定向以启动流 -
client_credentials- 访问令牌直接从 Token Endpoint 获取 -
password- 访问令牌直接从 Token Endpoint 获取
-
-
如果
OAuth2AccessToken已过期,如果ReactiveOAuth2AuthorizedClientProvider可用于执行授权
以下代码显示了如何配置WebClient使用 OAuth 2.0 客户端支持:
-
Java
-
Kotlin
@Bean
WebClient webClient(ReactiveOAuth2AuthorizedClientManager authorizedClientManager) {
ServerOAuth2AuthorizedClientExchangeFilterFunction oauth2Client =
new ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager);
return WebClient.builder()
.filter(oauth2Client)
.build();
}@Bean
fun webClient(authorizedClientManager: ReactiveOAuth2AuthorizedClientManager): WebClient {
val oauth2Client = ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager)
return WebClient.builder()
.filter(oauth2Client)
.build()
}提供授权客户
这ServerOAuth2AuthorizedClientExchangeFilterFunction通过解析OAuth2AuthorizedClient从ClientRequest.attributes()(请求属性)。
以下代码演示如何设置OAuth2AuthorizedClient作为请求属性:
-
Java
-
Kotlin
@GetMapping("/")
public Mono<String> index(@RegisteredOAuth2AuthorizedClient("okta") OAuth2AuthorizedClient authorizedClient) {
String resourceUri = ...
return webClient
.get()
.uri(resourceUri)
.attributes(oauth2AuthorizedClient(authorizedClient)) (1)
.retrieve()
.bodyToMono(String.class)
...
.thenReturn("index");
}@GetMapping("/")
fun index(@RegisteredOAuth2AuthorizedClient("okta") authorizedClient: OAuth2AuthorizedClient): Mono<String> {
val resourceUri: String = ...
return webClient
.get()
.uri(resourceUri)
.attributes(oauth2AuthorizedClient(authorizedClient)) (1)
.retrieve()
.bodyToMono<String>()
...
.thenReturn("index")
}| 1 | oauth2AuthorizedClient()是一个staticmethod 中ServerOAuth2AuthorizedClientExchangeFilterFunction. |
以下代码演示如何设置ClientRegistration.getRegistrationId()作为请求属性:
-
Java
-
Kotlin
@GetMapping("/")
public Mono<String> index() {
String resourceUri = ...
return webClient
.get()
.uri(resourceUri)
.attributes(clientRegistrationId("okta")) (1)
.retrieve()
.bodyToMono(String.class)
...
.thenReturn("index");
}@GetMapping("/")
fun index(): Mono<String> {
val resourceUri: String = ...
return webClient
.get()
.uri(resourceUri)
.attributes(clientRegistrationId("okta")) (1)
.retrieve()
.bodyToMono<String>()
...
.thenReturn("index")
}| 1 | clientRegistrationId()是一个staticmethod 中ServerOAuth2AuthorizedClientExchangeFilterFunction. |
默认授权客户端
如果两者都不是OAuth2AuthorizedClient或ClientRegistration.getRegistrationId()作为请求属性提供,ServerOAuth2AuthorizedClientExchangeFilterFunction可以根据客户端的配置确定要使用的默认客户端。
如果setDefaultOAuth2AuthorizedClient(true)已配置,并且用户已使用ServerHttpSecurity.oauth2Login()这OAuth2AccessToken与当前OAuth2AuthenticationToken被使用。
以下代码显示了具体配置:
-
Java
-
Kotlin
@Bean
WebClient webClient(ReactiveOAuth2AuthorizedClientManager authorizedClientManager) {
ServerOAuth2AuthorizedClientExchangeFilterFunction oauth2Client =
new ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager);
oauth2Client.setDefaultOAuth2AuthorizedClient(true);
return WebClient.builder()
.filter(oauth2Client)
.build();
}@Bean
fun webClient(authorizedClientManager: ReactiveOAuth2AuthorizedClientManager): WebClient {
val oauth2Client = ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager)
oauth2Client.setDefaultOAuth2AuthorizedClient(true)
return WebClient.builder()
.filter(oauth2Client)
.build()
}|
建议谨慎使用此功能,因为所有 HTTP 请求都将收到访问令牌。 |
或者,如果setDefaultClientRegistrationId("okta")配置了有效的ClientRegistration这OAuth2AccessToken与OAuth2AuthorizedClient被使用。
以下代码显示了具体配置:
-
Java
-
Kotlin
@Bean
WebClient webClient(ReactiveOAuth2AuthorizedClientManager authorizedClientManager) {
ServerOAuth2AuthorizedClientExchangeFilterFunction oauth2Client =
new ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager);
oauth2Client.setDefaultClientRegistrationId("okta");
return WebClient.builder()
.filter(oauth2Client)
.build();
}@Bean
fun webClient(authorizedClientManager: ReactiveOAuth2AuthorizedClientManager): WebClient {
val oauth2Client = ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager)
oauth2Client.setDefaultClientRegistrationId("okta")
return WebClient.builder()
.filter(oauth2Client)
.build()
}|
建议谨慎使用此功能,因为所有 HTTP 请求都将收到访问令牌。 |