|
此版本仍在开发中,尚不被认为是稳定的。对于最新的稳定版本,请使用 Spring Security 6.5.3! |
授权客户端功能
本节介绍 Spring Security for OAuth2 客户端提供的其他功能。
解决授权客户机
这@RegisteredOAuth2AuthorizedClient注释提供了将方法参数解析为类型为OAuth2AuthorizedClient.
与访问OAuth2AuthorizedClient通过使用OAuth2AuthorizedClientManager或OAuth2AuthorizedClientService.
以下示例演示如何使用@RegisteredOAuth2AuthorizedClient:
-
Java
-
Kotlin
@Controller
public class OAuth2ClientController {
@GetMapping("/")
public String index(@RegisteredOAuth2AuthorizedClient("okta") OAuth2AuthorizedClient authorizedClient) {
OAuth2AccessToken accessToken = authorizedClient.getAccessToken();
...
return "index";
}
}@Controller
class OAuth2ClientController {
@GetMapping("/")
fun index(@RegisteredOAuth2AuthorizedClient("okta") authorizedClient: OAuth2AuthorizedClient): String {
val accessToken = authorizedClient.accessToken
...
return "index"
}
}这@RegisteredOAuth2AuthorizedClient注释由OAuth2AuthorizedClientArgumentResolver,它直接使用OAuth2AuthorizedClientManager因此,继承了它的能力。
RestClient 集成
对RestClient由OAuth2ClientHttpRequestInterceptor.
此拦截器提供了通过放置Bearertoken 中的Authorization出站请求的标头。
拦截器直接使用OAuth2AuthorizedClientManager因此继承了以下功能:
-
执行 OAuth 2.0 访问Tokens请求以获取
OAuth2AccessToken如果客户端尚未获得授权-
authorization_code:触发授权请求重定向以启动流 -
client_credentials:访问Tokens直接从Tokens端点获取 -
启用扩展授权类型支持其他授权类型
-
-
如果现有的
OAuth2AccessToken已过期,则刷新(或续订)
以下示例使用默认的OAuth2AuthorizedClientManager配置RestClient能够通过放置BearerTokens中的Authorization每个请求的标头:
配置
RestClient跟ClientHttpRequestInterceptor-
Java
-
Kotlin
@Configuration
public class RestClientConfig {
@Bean
public RestClient restClient(OAuth2AuthorizedClientManager authorizedClientManager) {
OAuth2ClientHttpRequestInterceptor requestInterceptor =
new OAuth2ClientHttpRequestInterceptor(authorizedClientManager);
return RestClient.builder()
.requestInterceptor(requestInterceptor)
.build();
}
}@Configuration
class RestClientConfig {
@Bean
fun restClient(authorizedClientManager: OAuth2AuthorizedClientManager): RestClient {
val requestInterceptor = OAuth2ClientHttpRequestInterceptor(authorizedClientManager)
return RestClient.builder()
.requestInterceptor(requestInterceptor)
.build()
}
}提供clientRegistrationId
OAuth2ClientHttpRequestInterceptor使用ClientRegistrationIdResolver以确定使用哪个客户端来获取访问Tokens。
默认情况下,RequestAttributeClientRegistrationIdResolver用于解析clientRegistrationId从HttpRequest#attributes().
以下示例演示了提供clientRegistrationIdvia 属性:
提供
clientRegistrationId过孔属性-
Java
-
Kotlin
import static org.springframework.security.oauth2.client.web.client.RequestAttributeClientRegistrationIdResolver.clientRegistrationId;
@Controller
public class ResourceController {
private final RestClient restClient;
public ResourceController(RestClient restClient) {
this.restClient = restClient;
}
@GetMapping("/")
public String index() {
String resourceUri = "...";
String body = this.restClient.get()
.uri(resourceUri)
.attributes(clientRegistrationId("okta")) (1)
.retrieve()
.body(String.class);
// ...
return "index";
}
}import org.springframework.security.oauth2.client.web.client.RequestAttributeClientRegistrationIdResolver.clientRegistrationId
import org.springframework.web.client.body
@Controller
class ResourceController(private restClient: RestClient) {
@GetMapping("/")
fun index(): String {
val resourceUri = "..."
val body: String = restClient.get()
.uri(resourceUri)
.attributes(clientRegistrationId("okta")) (1)
.retrieve()
.body<String>()
// ...
return "index"
}
}| 1 | clientRegistrationId()是一个static方法RequestAttributeClientRegistrationIdResolver. |
或者,自定义ClientRegistrationIdResolver可以提供。
以下示例配置了一个自定义实现,该实现解析了clientRegistrationId来自当前用户。
配置
ClientHttpRequestInterceptor与自定义ClientRegistrationIdResolver-
Java
-
Kotlin
@Configuration
public class RestClientConfig {
@Bean
public RestClient restClient(OAuth2AuthorizedClientManager authorizedClientManager) {
OAuth2ClientHttpRequestInterceptor requestInterceptor =
new OAuth2ClientHttpRequestInterceptor(authorizedClientManager);
requestInterceptor.setClientRegistrationIdResolver(clientRegistrationIdResolver());
return RestClient.builder()
.requestInterceptor(requestInterceptor)
.build();
}
private static ClientRegistrationIdResolver clientRegistrationIdResolver() {
return (request) -> {
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
return (authentication instanceof OAuth2AuthenticationToken principal)
? principal.getAuthorizedClientRegistrationId() : null;
};
}
}@Configuration
class RestClientConfig {
@Bean
fun restClient(authorizedClientManager: OAuth2AuthorizedClientManager): RestClient {
val requestInterceptor = OAuth2ClientHttpRequestInterceptor(authorizedClientManager)
requestInterceptor.setClientRegistrationIdResolver(clientRegistrationIdResolver())
return RestClient.builder()
.requestInterceptor(requestInterceptor)
.build()
}
fun clientRegistrationIdResolver(): ClientRegistrationIdResolver {
return ClientRegistrationIdResolver { request ->
val authentication = SecurityContextHolder.getContext().getAuthentication()
return if (authentication instanceof OAuth2AuthenticationToken) {
authentication.getAuthorizedClientRegistrationId()
} else {
null
}
}
}
}提供principal
OAuth2ClientHttpRequestInterceptor使用PrincipalResolver确定哪个主体名称与访问Tokens相关联,这允许应用程序选择如何限定OAuth2AuthorizedClient即存储。
默认情况下,SecurityContextHolderPrincipalResolver用于解析当前principal从SecurityContextHolder.
或者,principal可以从HttpRequest#attributes()通过配置RequestAttributePrincipalResolver,如以下示例所示:
配置
ClientHttpRequestInterceptor跟RequestAttributePrincipalResolver-
Java
-
Kotlin
@Configuration
public class RestClientConfig {
@Bean
public RestClient restClient(OAuth2AuthorizedClientManager authorizedClientManager) {
OAuth2ClientHttpRequestInterceptor requestInterceptor =
new OAuth2ClientHttpRequestInterceptor(authorizedClientManager);
requestInterceptor.setPrincipalResolver(new RequestAttributePrincipalResolver());
return RestClient.builder()
.requestInterceptor(requestInterceptor)
.build();
}
}@Configuration
class RestClientConfig {
@Bean
fun restClient(authorizedClientManager: OAuth2AuthorizedClientManager): RestClient {
val requestInterceptor = OAuth2ClientHttpRequestInterceptor(authorizedClientManager)
requestInterceptor.setPrincipalResolver(RequestAttributePrincipalResolver())
return RestClient.builder()
.requestInterceptor(requestInterceptor)
.build()
}
}以下示例演示了提供principalname 通过限定范围的属性OAuth2AuthorizedClient到应用程序而不是当前用户:
提供
principal通过属性命名-
Java
-
Kotlin
import static org.springframework.security.oauth2.client.web.client.RequestAttributeClientRegistrationIdResolver.clientRegistrationId;
import static org.springframework.security.oauth2.client.web.client.RequestAttributePrincipalResolver.principal;
@Controller
public class ResourceController {
private final RestClient restClient;
public ResourceController(RestClient restClient) {
this.restClient = restClient;
}
@GetMapping("/")
public String index() {
String resourceUri = "...";
String body = this.restClient.get()
.uri(resourceUri)
.attributes(clientRegistrationId("okta"))
.attributes(principal("my-application")) (1)
.retrieve()
.body(String.class);
// ...
return "index";
}
}import org.springframework.security.oauth2.client.web.client.RequestAttributeClientRegistrationIdResolver.clientRegistrationId
import org.springframework.security.oauth2.client.web.client.RequestAttributePrincipalResolver.principal
import org.springframework.web.client.body
@Controller
class ResourceController(private restClient: RestClient) {
@GetMapping("/")
fun index(): String {
val resourceUri = "..."
val body: String = restClient.get()
.uri(resourceUri)
.attributes(clientRegistrationId("okta"))
.attributes(principal("my-application")) (1)
.retrieve()
.body<String>()
// ...
return "index"
}
}| 1 | principal()是一个static方法RequestAttributePrincipalResolver. |
处理失败
如果访问Tokens因任何原因(例如Tokens过期)无效,则通过删除访问Tokens使其无法再次使用来处理失败可能会有所帮助。
您可以通过提供OAuth2AuthorizationFailureHandler以删除访问Tokens。
以下示例使用OAuth2AuthorizedClientRepository设置OAuth2AuthorizationFailureHandler删除无效的OAuth2AuthorizedClient 在HttpServletRequest:
配置
OAuth2AuthorizationFailureHandler用OAuth2AuthorizedClientRepository-
Java
-
Kotlin
@Configuration
public class RestClientConfig {
@Bean
public RestClient restClient(OAuth2AuthorizedClientManager authorizedClientManager,
OAuth2AuthorizedClientRepository authorizedClientRepository) {
OAuth2ClientHttpRequestInterceptor requestInterceptor =
new OAuth2ClientHttpRequestInterceptor(authorizedClientManager);
OAuth2AuthorizationFailureHandler authorizationFailureHandler =
OAuth2ClientHttpRequestInterceptor.authorizationFailureHandler(authorizedClientRepository);
requestInterceptor.setAuthorizationFailureHandler(authorizationFailureHandler);
return RestClient.builder()
.requestInterceptor(requestInterceptor)
.build();
}
}@Configuration
class RestClientConfig {
@Bean
fun restClient(authorizedClientManager: OAuth2AuthorizedClientManager,
authorizedClientRepository: OAuth2AuthorizedClientRepository): RestClient {
val requestInterceptor = OAuth2ClientHttpRequestInterceptor(authorizedClientManager)
val authorizationFailureHandler = OAuth2ClientHttpRequestInterceptor
.authorizationFailureHandler(authorizedClientRepository)
requestInterceptor.setAuthorizationFailureHandler(authorizationFailureHandler)
return RestClient.builder()
.requestInterceptor(requestInterceptor)
.build()
}
}或者,一个OAuth2AuthorizedClientService可用于删除无效的OAuth2AuthorizedClient 在HttpServletRequest,如以下示例所示:
配置
OAuth2AuthorizationFailureHandler用OAuth2AuthorizedClientService-
Java
-
Kotlin
@Configuration
public class RestClientConfig {
@Bean
public RestClient restClient(OAuth2AuthorizedClientManager authorizedClientManager,
OAuth2AuthorizedClientService authorizedClientService) {
OAuth2ClientHttpRequestInterceptor requestInterceptor =
new OAuth2ClientHttpRequestInterceptor(authorizedClientManager);
OAuth2AuthorizationFailureHandler authorizationFailureHandler =
OAuth2ClientHttpRequestInterceptor.authorizationFailureHandler(authorizedClientService);
requestInterceptor.setAuthorizationFailureHandler(authorizationFailureHandler);
return RestClient.builder()
.requestInterceptor(requestInterceptor)
.build();
}
}@Configuration
class RestClientConfig {
@Bean
fun restClient(authorizedClientManager: OAuth2AuthorizedClientManager,
authorizedClientService: OAuth2AuthorizedClientService): RestClient {
val requestInterceptor = OAuth2ClientHttpRequestInterceptor(authorizedClientManager)
val authorizationFailureHandler = OAuth2ClientHttpRequestInterceptor
.authorizationFailureHandler(authorizedClientService)
requestInterceptor.setAuthorizationFailureHandler(authorizationFailureHandler)
return RestClient.builder()
.requestInterceptor(requestInterceptor)
.build()
}
}HTTP 接口集成
Spring Security 的 OAuth 支持与 HTTP 接口集成集成。
Servlet 环境的 WebClient 集成
OAuth 2.0 客户端支持与WebClient通过使用ExchangeFilterFunction.
这ServletOAuth2AuthorizedClientExchangeFilterFunction提供了一种机制,用于使用OAuth2AuthorizedClient并包括相关的OAuth2AccessToken作为不记名Tokens。
它直接使用OAuth2AuthorizedClientManager因此,继承了以下功能:
-
一
OAuth2AccessToken如果客户端尚未获得授权,则请求。-
authorization_code:触发授权请求重定向以启动流。 -
client_credentials:访问Tokens直接从Tokens端点获取。
-
-
如果
OAuth2AccessToken已过期,如果OAuth2AuthorizedClientProvider可用于执行授权
以下代码演示了如何配置WebClient使用 OAuth 2.0 客户端支持:
-
Java
-
Kotlin
@Bean
WebClient webClient(OAuth2AuthorizedClientManager authorizedClientManager) {
ServletOAuth2AuthorizedClientExchangeFilterFunction oauth2Client =
new ServletOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager);
return WebClient.builder()
.apply(oauth2Client.oauth2Configuration())
.build();
}@Bean
fun webClient(authorizedClientManager: OAuth2AuthorizedClientManager?): WebClient {
val oauth2Client = ServletOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager)
return WebClient.builder()
.apply(oauth2Client.oauth2Configuration())
.build()
}提供授权客户
这ServletOAuth2AuthorizedClientExchangeFilterFunction通过解析OAuth2AuthorizedClient从ClientRequest.attributes()(请求属性)。
以下代码演示了如何设置OAuth2AuthorizedClient作为请求属性:
-
Java
-
Kotlin
@GetMapping("/")
public String index(@RegisteredOAuth2AuthorizedClient("okta") OAuth2AuthorizedClient authorizedClient) {
String resourceUri = ...
String body = webClient
.get()
.uri(resourceUri)
.attributes(oauth2AuthorizedClient(authorizedClient)) (1)
.retrieve()
.bodyToMono(String.class)
.block();
...
return "index";
}@GetMapping("/")
fun index(@RegisteredOAuth2AuthorizedClient("okta") authorizedClient: OAuth2AuthorizedClient): String {
val resourceUri: String = ...
val body: String = webClient
.get()
.uri(resourceUri)
.attributes(oauth2AuthorizedClient(authorizedClient)) (1)
.retrieve()
.bodyToMono()
.block()
...
return "index"
}| 1 | oauth2AuthorizedClient()是一个static方法ServletOAuth2AuthorizedClientExchangeFilterFunction. |
以下代码演示了如何设置ClientRegistration.getRegistrationId()作为请求属性:
-
Java
-
Kotlin
@GetMapping("/")
public String index() {
String resourceUri = ...
String body = webClient
.get()
.uri(resourceUri)
.attributes(clientRegistrationId("okta")) (1)
.retrieve()
.bodyToMono(String.class)
.block();
...
return "index";
}@GetMapping("/")
fun index(): String {
val resourceUri: String = ...
val body: String = webClient
.get()
.uri(resourceUri)
.attributes(clientRegistrationId("okta")) (1)
.retrieve()
.bodyToMono()
.block()
...
return "index"
}| 1 | clientRegistrationId()是一个static方法ServletOAuth2AuthorizedClientExchangeFilterFunction. |
以下代码演示了如何设置Authentication作为请求属性:
-
Java
-
Kotlin
@GetMapping("/")
public String index() {
String resourceUri = ...
Authentication anonymousAuthentication = new AnonymousAuthenticationToken(
"anonymous", "anonymousUser", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
String body = webClient
.get()
.uri(resourceUri)
.attributes(authentication(anonymousAuthentication)) (1)
.retrieve()
.bodyToMono(String.class)
.block();
...
return "index";
}@GetMapping("/")
fun index(): String {
val resourceUri: String = ...
val anonymousAuthentication: Authentication = AnonymousAuthenticationToken(
"anonymous", "anonymousUser", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"))
val body: String = webClient
.get()
.uri(resourceUri)
.attributes(authentication(anonymousAuthentication)) (1)
.retrieve()
.bodyToMono()
.block()
...
return "index"
}| 1 | authentication()是一个static方法ServletOAuth2AuthorizedClientExchangeFilterFunction. |
|
建议谨慎使用此功能,因为所有 HTTP 请求都将收到绑定到所提供主体的访问Tokens。 |
默认授权客户端
如果两者都不是OAuth2AuthorizedClient或ClientRegistration.getRegistrationId()作为请求属性提供,则ServletOAuth2AuthorizedClientExchangeFilterFunction可以确定要使用的默认客户端,具体取决于其配置。
如果setDefaultOAuth2AuthorizedClient(true)已配置,并且用户已使用HttpSecurity.oauth2Login()这OAuth2AccessToken与当前OAuth2AuthenticationToken被使用。
以下代码显示了具体配置:
-
Java
-
Kotlin
@Bean
WebClient webClient(OAuth2AuthorizedClientManager authorizedClientManager) {
ServletOAuth2AuthorizedClientExchangeFilterFunction oauth2Client =
new ServletOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager);
oauth2Client.setDefaultOAuth2AuthorizedClient(true);
return WebClient.builder()
.apply(oauth2Client.oauth2Configuration())
.build();
}@Bean
fun webClient(authorizedClientManager: OAuth2AuthorizedClientManager?): WebClient {
val oauth2Client = ServletOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager)
oauth2Client.setDefaultOAuth2AuthorizedClient(true)
return WebClient.builder()
.apply(oauth2Client.oauth2Configuration())
.build()
}|
请谨慎使用此功能,因为所有 HTTP 请求都会收到访问Tokens。 |
或者,如果setDefaultClientRegistrationId("okta")配置了有效的ClientRegistration这OAuth2AccessToken与OAuth2AuthorizedClient被使用。
以下代码显示了具体配置:
-
Java
-
Kotlin
@Bean
WebClient webClient(OAuth2AuthorizedClientManager authorizedClientManager) {
ServletOAuth2AuthorizedClientExchangeFilterFunction oauth2Client =
new ServletOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager);
oauth2Client.setDefaultClientRegistrationId("okta");
return WebClient.builder()
.apply(oauth2Client.oauth2Configuration())
.build();
}@Bean
fun webClient(authorizedClientManager: OAuth2AuthorizedClientManager?): WebClient {
val oauth2Client = ServletOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager)
oauth2Client.setDefaultClientRegistrationId("okta")
return WebClient.builder()
.apply(oauth2Client.oauth2Configuration())
.build()
}|
请谨慎使用此功能,因为所有 HTTP 请求都会收到访问Tokens。 |