Package org.springframework.security.oauth2.client.web.reactive.function.client

Class ServerOAuth2AuthorizedClientExchangeFilterFunction

java.lang.Object

org.springframework.security.oauth2.client.web.reactive.function.client.ServerOAuth2AuthorizedClientExchangeFilterFunction

All Implemented Interfaces:

org.springframework.web.reactive.function.client.ExchangeFilterFunction

public final class ServerOAuth2AuthorizedClientExchangeFilterFunction
extends java.lang.Object
implements org.springframework.web.reactive.function.client.ExchangeFilterFunction

Provides an easy mechanism for using an OAuth2AuthorizedClient to make OAuth2 requests by including the token as a Bearer Token.

Since:

5.1

Constructor Summary

Constructors

Constructor	Description
ServerOAuth2AuthorizedClientExchangeFilterFunction(ReactiveOAuth2AuthorizedClientManager authorizedClientManager)	Constructs a ServerOAuth2AuthorizedClientExchangeFilterFunction using the provided parameters.
ServerOAuth2AuthorizedClientExchangeFilterFunction(ReactiveClientRegistrationRepository clientRegistrationRepository, ServerOAuth2AuthorizedClientRepository authorizedClientRepository)	Constructs a ServerOAuth2AuthorizedClientExchangeFilterFunction using the provided parameters.

Method Summary

Modifier and Type	Method	Description
static java.util.function.Consumer<java.util.Map<java.lang.String,java.lang.Object>>	clientRegistrationId(java.lang.String clientRegistrationId)	Modifies the ClientRequest.attributes() to include the ClientRegistration.getRegistrationId() to be used to look up the OAuth2AuthorizedClient.
reactor.core.publisher.Mono<org.springframework.web.reactive.function.client.ClientResponse>	filter(org.springframework.web.reactive.function.client.ClientRequest request, org.springframework.web.reactive.function.client.ExchangeFunction next)
static java.util.function.Consumer<java.util.Map<java.lang.String,java.lang.Object>>	oauth2AuthorizedClient(OAuth2AuthorizedClient authorizedClient)	Modifies the ClientRequest.attributes() to include the OAuth2AuthorizedClient to be used for providing the Bearer Token.
static java.util.function.Consumer<java.util.Map<java.lang.String,java.lang.Object>>	serverWebExchange(org.springframework.web.server.ServerWebExchange serverWebExchange)	Modifies the ClientRequest.attributes() to include the ServerWebExchange to be used for providing the Bearer Token.
void	setAccessTokenExpiresSkew(java.time.Duration accessTokenExpiresSkew)	Deprecated. The accessTokenExpiresSkew should be configured with the specific ReactiveOAuth2AuthorizedClientProvider implementation, e.g.
void	setClientCredentialsTokenResponseClient(ReactiveOAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> clientCredentialsTokenResponseClient)	Deprecated. Use ServerOAuth2AuthorizedClientExchangeFilterFunction(ReactiveOAuth2AuthorizedClientManager) instead.
void	setDefaultClientRegistrationId(java.lang.String clientRegistrationId)	If set, will be used as the default ClientRegistration.getRegistrationId().
void	setDefaultOAuth2AuthorizedClient(boolean defaultOAuth2AuthorizedClient)	If true, a default OAuth2AuthorizedClient can be discovered from the current Authentication.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.springframework.web.reactive.function.client.ExchangeFilterFunction

andThen, apply

Constructor Detail

ServerOAuth2AuthorizedClientExchangeFilterFunction

public ServerOAuth2AuthorizedClientExchangeFilterFunction(ReactiveOAuth2AuthorizedClientManager authorizedClientManager)

Constructs a ServerOAuth2AuthorizedClientExchangeFilterFunction using the provided parameters.

Parameters:

authorizedClientManager - the ReactiveOAuth2AuthorizedClientManager which manages the authorized client(s)

Since:

5.2

ServerOAuth2AuthorizedClientExchangeFilterFunction

public ServerOAuth2AuthorizedClientExchangeFilterFunction(ReactiveClientRegistrationRepository clientRegistrationRepository,
                                                          ServerOAuth2AuthorizedClientRepository authorizedClientRepository)

Constructs a ServerOAuth2AuthorizedClientExchangeFilterFunction using the provided parameters.

Parameters:

clientRegistrationRepository - the repository of client registrations

authorizedClientRepository - the repository of authorized clients

Method Detail

oauth2AuthorizedClient

public static java.util.function.Consumer<java.util.Map<java.lang.String,java.lang.Object>> oauth2AuthorizedClient(OAuth2AuthorizedClient authorizedClient)

Modifies the ClientRequest.attributes() to include the OAuth2AuthorizedClient to be used for providing the Bearer Token. Example usage:

 WebClient webClient = WebClient.builder()
    .filter(new ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager))
    .build();
 Mono response = webClient
    .get()
    .uri(uri)
    .attributes(oauth2AuthorizedClient(authorizedClient))
    // ...
    .retrieve()
    .bodyToMono(String.class);
 

An attempt to automatically refresh the token will be made if all of the following are true:

• A refresh token is present on the OAuth2AuthorizedClient
• The access token will be expired in setAccessTokenExpiresSkew(Duration)
• The ReactiveSecurityContextHolder will be used to attempt to save the token. If it is empty, then the principal name on the OAuth2AuthorizedClient will be used to create an Authentication for saving.

Parameters:

authorizedClient - the OAuth2AuthorizedClient to use.

Returns:

the Consumer to populate the

serverWebExchange

public static java.util.function.Consumer<java.util.Map<java.lang.String,java.lang.Object>> serverWebExchange(org.springframework.web.server.ServerWebExchange serverWebExchange)

Modifies the ClientRequest.attributes() to include the ServerWebExchange to be used for providing the Bearer Token. Example usage:

 WebClient webClient = WebClient.builder()
    .filter(new ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager))
    .build();
 Mono response = webClient
    .get()
    .uri(uri)
    .attributes(serverWebExchange(serverWebExchange))
    // ...
    .retrieve()
    .bodyToMono(String.class);
 

Parameters:

serverWebExchange - the ServerWebExchange to use

Returns:

the Consumer to populate the client request attributes

clientRegistrationId

public static java.util.function.Consumer<java.util.Map<java.lang.String,java.lang.Object>> clientRegistrationId(java.lang.String clientRegistrationId)

Modifies the ClientRequest.attributes() to include the ClientRegistration.getRegistrationId() to be used to look up the OAuth2AuthorizedClient.

Parameters:

clientRegistrationId - the ClientRegistration.getRegistrationId() to be used to look up the OAuth2AuthorizedClient.

Returns:

the Consumer to populate the attributes

setDefaultOAuth2AuthorizedClient

public void setDefaultOAuth2AuthorizedClient(boolean defaultOAuth2AuthorizedClient)

If true, a default OAuth2AuthorizedClient can be discovered from the current Authentication. It is recommended to be cautious with this feature since all HTTP requests will receive the access token if it can be resolved from the current Authentication.

Parameters:

defaultOAuth2AuthorizedClient - true if a default OAuth2AuthorizedClient should be used, else false. Default is false.

setDefaultClientRegistrationId

public void setDefaultClientRegistrationId(java.lang.String clientRegistrationId)

If set, will be used as the default ClientRegistration.getRegistrationId(). It is recommended to be cautious with this feature since all HTTP requests will receive the access token.

Parameters:

clientRegistrationId - the id to use

setClientCredentialsTokenResponseClient

@Deprecated
public void setClientCredentialsTokenResponseClient(ReactiveOAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> clientCredentialsTokenResponseClient)

Deprecated.

Use ServerOAuth2AuthorizedClientExchangeFilterFunction(ReactiveOAuth2AuthorizedClientManager) instead. Create an instance of ClientCredentialsReactiveOAuth2AuthorizedClientProvider configured with a WebClientReactiveClientCredentialsTokenResponseClient (or a custom one) and than supply it to DefaultReactiveOAuth2AuthorizedClientManager.

Sets the ReactiveOAuth2AccessTokenResponseClient used for getting an OAuth2AuthorizedClient for the client_credentials grant.

Parameters:

clientCredentialsTokenResponseClient - the client to use

setAccessTokenExpiresSkew

@Deprecated
public void setAccessTokenExpiresSkew(java.time.Duration accessTokenExpiresSkew)

Deprecated.

The accessTokenExpiresSkew should be configured with the specific ReactiveOAuth2AuthorizedClientProvider implementation, e.g. ClientCredentialsReactiveOAuth2AuthorizedClientProvider or RefreshTokenReactiveOAuth2AuthorizedClientProvider.

An access token will be considered expired by comparing its expiration to now + this skewed Duration. The default is 1 minute.

Parameters:

accessTokenExpiresSkew - the Duration to use.

filter

public reactor.core.publisher.Mono<org.springframework.web.reactive.function.client.ClientResponse> filter(org.springframework.web.reactive.function.client.ClientRequest request,
                                                                                                           org.springframework.web.reactive.function.client.ExchangeFunction next)

Specified by:

filter in interface org.springframework.web.reactive.function.client.ExchangeFilterFunction