This version is still in development and is not considered stable yet. For the latest stable version, please use Spring Security 6.5.1!

HTTP Interface Integration

Spring Security’s OAuth Support can integrate with RestClient and WebClient HTTP Interface based REST Clients.

Configuration

After RestClient or WebClient specific configuration, usage of HTTP Interface Integration only requires adding a @ClientRegistrationId to methods that require OAuth.

Since the presence of @ClientRegistrationId determines if and how the OAuth token will be resolved, it is safe to add Spring Security’s OAuth support to any configuration.

RestClient Configuration

Spring Security’s OAuth Support can integrate with HTTP Interface based REST Clients backed by RestClient. The first step is to create an OAuth2AuthorizedClientManager Bean.

Next you must configure HttpServiceProxyFactory and RestClient to be aware of @ClientRegistrationId. To simplify this configuration, use OAuth2RestClientHttpServiceGroupConfigurer.

  • Java

@Bean
OAuth2RestClientHttpServiceGroupConfigurer securityConfigurer(
		OAuth2AuthorizedClientManager manager) {
	return OAuth2RestClientHttpServiceGroupConfigurer.from(manager);
}

  • Kotlin

@Bean
fun securityConfigurer(manager: OAuth2AuthorizedClientManager): OAuth2RestClientHttpServiceGroupConfigurer {
    return OAuth2RestClientHttpServiceGroupConfigurer.from(manager)
}

The configuration:

WebClient Configuration

Spring Security’s OAuth Support can integrate with HTTP Interface based REST Clients backed by WebClient. The first step is to create a ReactiveOAuth2AuthorizedClientManager Bean.

Next you must configure HttpServiceProxyFactory and WebClient to be aware of @ClientRegistrationId. To simplify this configuration, use OAuth2WebClientHttpServiceGroupConfigurer.

  • Java

@Bean
OAuth2WebClientHttpServiceGroupConfigurer securityConfigurer(
		ReactiveOAuth2AuthorizedClientManager manager) {
	return OAuth2WebClientHttpServiceGroupConfigurer.from(manager);
}

  • Kotlin

@Bean
fun securityConfigurer(
    manager: ReactiveOAuth2AuthorizedClientManager
): OAuth2WebClientHttpServiceGroupConfigurer {
    return OAuth2WebClientHttpServiceGroupConfigurer.from(manager)
}

The configuration:

@ClientRegistrationId

You can add @ClientRegistrationId to a method on the HTTP Interface to specify which ClientRegistration to use.

  • Java

@GetExchange("/user")
@ClientRegistrationId("github")
User getAuthenticatedUser();

  • Kotlin

@GetExchange("/user")
@ClientRegistrationId("github")
fun getAuthenticatedUser() : User

ClientRegistrationIdProcessor

The id is then processed by: