public final class ServerOAuth2AuthorizedClientExchangeFilterFunction
extends java.lang.Object
implements org.springframework.web.reactive.function.client.ExchangeFilterFunction
OAuth2AuthorizedClient to make OAuth2 requests by including the token as a Bearer Token.

Since 5.3, this filter function has the ability to forward authentication (HTTP 401 Unauthorized) and authorization (HTTP 403 Forbidden) failures from an OAuth 2.0 Resource Server to a ReactiveOAuth2AuthorizationFailureHandler. A RemoveAuthorizedClientReactiveOAuth2AuthorizationFailureHandler can be used to remove the cached OAuth2AuthorizedClient, so that future requests will result in a new token being retrieved from an Authorization Server, and sent to the Resource Server.

If the ServerOAuth2AuthorizedClientExchangeFilterFunction(ReactiveClientRegistrationRepository, ServerOAuth2AuthorizedClientRepository) constructor is used, a RemoveAuthorizedClientReactiveOAuth2AuthorizationFailureHandler will be configured automatically.

If the ServerOAuth2AuthorizedClientExchangeFilterFunction(ReactiveOAuth2AuthorizedClientManager) constructor is used, a RemoveAuthorizedClientReactiveOAuth2AuthorizationFailureHandler will NOT be configured automatically. It is recommended that you configure one via setAuthorizationFailureHandler(ReactiveOAuth2AuthorizationFailureHandler).

Constructor and Description |
---|
ServerOAuth2AuthorizedClientExchangeFilterFunction(ReactiveClientRegistrationRepository clientRegistrationRepository, ServerOAuth2AuthorizedClientRepository authorizedClientRepository) Constructs a ServerOAuth2AuthorizedClientExchangeFilterFunction using the provided parameters. |
ServerOAuth2AuthorizedClientExchangeFilterFunction(ReactiveOAuth2AuthorizedClientManager authorizedClientManager) Constructs a ServerOAuth2AuthorizedClientExchangeFilterFunction using the provided parameters. |

Modifier and Type | Method and Description |
---|---|
static java.util.function.Consumer<java.util.Map<java.lang.String,java.lang.Object>> | clientRegistrationId(java.lang.String clientRegistrationId) Modifies the ClientRequest.attributes() to include the ClientRegistration.getRegistrationId() to be used to look up the OAuth2AuthorizedClient. |
reactor.core.publisher.Mono<org.springframework.web.reactive.function.client.ClientResponse> | filter(org.springframework.web.reactive.function.client.ClientRequest request, org.springframework.web.reactive.function.client.ExchangeFunction next) |
static java.util.function.Consumer<java.util.Map<java.lang.String,java.lang.Object>> | oauth2AuthorizedClient(OAuth2AuthorizedClient authorizedClient) Modifies the ClientRequest.attributes() to include the OAuth2AuthorizedClient to be used for providing the Bearer Token. |
static java.util.function.Consumer<java.util.Map<java.lang.String,java.lang.Object>> | serverWebExchange(org.springframework.web.server.ServerWebExchange serverWebExchange) Modifies the ClientRequest.attributes() to include the ServerWebExchange to be used for providing the Bearer Token. |
void | setAccessTokenExpiresSkew(java.time.Duration accessTokenExpiresSkew) Deprecated. The accessTokenExpiresSkew should be configured with the specific ReactiveOAuth2AuthorizedClientProvider implementation, e.g. ClientCredentialsReactiveOAuth2AuthorizedClientProvider or RefreshTokenReactiveOAuth2AuthorizedClientProvider. |
void | setAuthorizationFailureHandler(ReactiveOAuth2AuthorizationFailureHandler authorizationFailureHandler) Sets the handler that handles authentication and authorization failures when communicating to the OAuth 2.0 Resource Server. |
void | setClientCredentialsTokenResponseClient(ReactiveOAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> clientCredentialsTokenResponseClient) Deprecated. Use ServerOAuth2AuthorizedClientExchangeFilterFunction(ReactiveOAuth2AuthorizedClientManager) instead. Create an instance of ClientCredentialsReactiveOAuth2AuthorizedClientProvider configured with a WebClientReactiveClientCredentialsTokenResponseClient (or a custom one) and then supply it to DefaultReactiveOAuth2AuthorizedClientManager. |
void | setDefaultClientRegistrationId(java.lang.String clientRegistrationId) If set, will be used as the default ClientRegistration.getRegistrationId(). |
void | setDefaultOAuth2AuthorizedClient(boolean defaultOAuth2AuthorizedClient) If true, a default OAuth2AuthorizedClient can be discovered from the current Authentication. |

public ServerOAuth2AuthorizedClientExchangeFilterFunction(ReactiveOAuth2AuthorizedClientManager authorizedClientManager)
Constructs a ServerOAuth2AuthorizedClientExchangeFilterFunction using the provided parameters.

When this constructor is used, authentication (HTTP 401) and authorization (HTTP 403) failures returned from an OAuth 2.0 Resource Server will NOT be forwarded to a ReactiveOAuth2AuthorizationFailureHandler. Therefore, future requests to the Resource Server will most likely use the same (most likely invalid) token, resulting in the same errors returned from the Resource Server. It is recommended to configure a RemoveAuthorizedClientReactiveOAuth2AuthorizationFailureHandler via setAuthorizationFailureHandler(ReactiveOAuth2AuthorizationFailureHandler) so that authentication and authorization failures returned from a Resource Server will result in removing the authorized client, so that a new token is retrieved for future requests.

Parameters:
authorizedClientManager - the ReactiveOAuth2AuthorizedClientManager which manages the authorized client(s)

public ServerOAuth2AuthorizedClientExchangeFilterFunction(ReactiveClientRegistrationRepository clientRegistrationRepository, ServerOAuth2AuthorizedClientRepository authorizedClientRepository)
Constructs a ServerOAuth2AuthorizedClientExchangeFilterFunction using the provided parameters.

Since 5.3, when this constructor is used, authentication (HTTP 401) and authorization (HTTP 403) failures returned from an OAuth 2.0 Resource Server will be forwarded to a RemoveAuthorizedClientReactiveOAuth2AuthorizationFailureHandler, which will potentially remove the OAuth2AuthorizedClient from the given ServerOAuth2AuthorizedClientRepository, depending on the OAuth 2.0 error code returned. Authentication failures returned from an OAuth 2.0 Resource Server typically indicate that the token is invalid, and should not be used in future requests. Removing the authorized client from the repository will ensure that the existing token will not be sent for future requests to the Resource Server, and a new token is retrieved from the Authorization Server and used for future requests to the Resource Server.

Parameters:
clientRegistrationRepository - the repository of client registrations
authorizedClientRepository - the repository of authorized clients

public static java.util.function.Consumer<java.util.Map<java.lang.String,java.lang.Object>> oauth2AuthorizedClient(OAuth2AuthorizedClient authorizedClient)
Modifies the ClientRequest.attributes() to include the OAuth2AuthorizedClient to be used for providing the Bearer Token. Example usage:

```java
// oauth2AuthorizedClient(...) is a static method of ServerOAuth2AuthorizedClientExchangeFilterFunction
WebClient webClient = WebClient.builder()
    .filter(new ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager))
    .build();
Mono<String> response = webClient
    .get()
    .uri(uri)
    .attributes(oauth2AuthorizedClient(authorizedClient))
    // ...
    .retrieve()
    .bodyToMono(String.class);
```

An attempt to automatically refresh the token will be made if all of the following are true:
setAccessTokenExpiresSkew(Duration)
ReactiveSecurityContextHolder will be used to attempt to save the token. If it is empty, then the principal name on the OAuth2AuthorizedClient will be used to create an Authentication for saving.

Parameters:
authorizedClient - the OAuth2AuthorizedClient to use.

Returns:
Consumer to populate the

public static java.util.function.Consumer<java.util.Map<java.lang.String,java.lang.Object>> serverWebExchange(org.springframework.web.server.ServerWebExchange serverWebExchange)
Modifies the ClientRequest.attributes() to include the ServerWebExchange to be used for providing the Bearer Token. Example usage:

```java
// serverWebExchange(...) is a static method of ServerOAuth2AuthorizedClientExchangeFilterFunction
WebClient webClient = WebClient.builder()
    .filter(new ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager))
    .build();
Mono<String> response = webClient
    .get()
    .uri(uri)
    .attributes(serverWebExchange(serverWebExchange))
    // ...
    .retrieve()
    .bodyToMono(String.class);
```

Parameters:
serverWebExchange - the ServerWebExchange to use

Returns:
Consumer to populate the client request attributes

public static java.util.function.Consumer<java.util.Map<java.lang.String,java.lang.Object>> clientRegistrationId(java.lang.String clientRegistrationId)
Modifies the ClientRequest.attributes() to include the ClientRegistration.getRegistrationId() to be used to look up the OAuth2AuthorizedClient.

Parameters:
clientRegistrationId - the ClientRegistration.getRegistrationId() to be used to look up the OAuth2AuthorizedClient.

Returns:
Consumer to populate the attributes

public void setDefaultOAuth2AuthorizedClient(boolean defaultOAuth2AuthorizedClient)
If true, a default OAuth2AuthorizedClient can be discovered from the current Authentication. It is recommended to be cautious with this feature since all HTTP requests will receive the access token if it can be resolved from the current Authentication.

Parameters:
defaultOAuth2AuthorizedClient - true if a default OAuth2AuthorizedClient should be used, else false. Default is false.

public void setDefaultClientRegistrationId(java.lang.String clientRegistrationId)
If set, will be used as the default ClientRegistration.getRegistrationId(). It is recommended to be cautious with this feature since all HTTP requests will receive the access token.

Parameters:
clientRegistrationId - the id to use

@Deprecated
public void setClientCredentialsTokenResponseClient(ReactiveOAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> clientCredentialsTokenResponseClient)
Deprecated. Use ServerOAuth2AuthorizedClientExchangeFilterFunction(ReactiveOAuth2AuthorizedClientManager) instead. Create an instance of ClientCredentialsReactiveOAuth2AuthorizedClientProvider configured with a WebClientReactiveClientCredentialsTokenResponseClient (or a custom one) and then supply it to DefaultReactiveOAuth2AuthorizedClientManager.

ReactiveOAuth2AccessTokenResponseClient used for getting an OAuth2AuthorizedClient for the client_credentials grant.

Parameters:
clientCredentialsTokenResponseClient - the client to use

@Deprecated
public void setAccessTokenExpiresSkew(java.time.Duration accessTokenExpiresSkew)
Deprecated. The accessTokenExpiresSkew should be configured with the specific ReactiveOAuth2AuthorizedClientProvider implementation, e.g. ClientCredentialsReactiveOAuth2AuthorizedClientProvider or RefreshTokenReactiveOAuth2AuthorizedClientProvider.

Parameters:
accessTokenExpiresSkew - the Duration to use.

public reactor.core.publisher.Mono<org.springframework.web.reactive.function.client.ClientResponse> filter(org.springframework.web.reactive.function.client.ClientRequest request, org.springframework.web.reactive.function.client.ExchangeFunction next)
Specified by:
filter in interface org.springframework.web.reactive.function.client.ExchangeFilterFunction

public void setAuthorizationFailureHandler(ReactiveOAuth2AuthorizationFailureHandler authorizationFailureHandler)
Sets the handler that handles authentication and authorization failures when communicating to the OAuth 2.0 Resource Server.

For example, a RemoveAuthorizedClientReactiveOAuth2AuthorizationFailureHandler is typically used to remove the cached OAuth2AuthorizedClient, so that the same token is no longer used in future requests to the Resource Server.

The failure handler used by default depends on which constructor was used to construct this ServerOAuth2AuthorizedClientExchangeFilterFunction. See the constructors for more details.

Parameters:
authorizationFailureHandler - the handler that handles authentication and authorization failures.
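
One way to use the ReactiveOAuth2AuthorizedClientManager constructor while still evicting rejected tokens, shown as an added example that is not part of the Spring Security Javadoc. The class and bean names, the 30-second skew, and the attribute key used to look up the ServerWebExchange are assumptions.

```java
import java.time.Duration;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientProviderBuilder;
import org.springframework.security.oauth2.client.RemoveAuthorizedClientReactiveOAuth2AuthorizationFailureHandler;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.DefaultReactiveOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.web.reactive.function.client.ServerOAuth2AuthorizedClientExchangeFilterFunction;
import org.springframework.security.oauth2.client.web.server.ServerOAuth2AuthorizedClientRepository;
import org.springframework.web.reactive.function.client.WebClient;
import org.springframework.web.server.ServerWebExchange;

@Configuration
public class ResourceServerClientConfig { // hypothetical class name

    @Bean
    WebClient resourceServerWebClient(ReactiveClientRegistrationRepository registrations,
            ServerOAuth2AuthorizedClientRepository authorizedClients) {
        // The expiry skew is set on each provider rather than through the
        // deprecated setAccessTokenExpiresSkew(Duration). 30 s is an example value.
        ReactiveOAuth2AuthorizedClientProvider provider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
                .authorizationCode()
                .refreshToken(refresh -> refresh.clockSkew(Duration.ofSeconds(30)))
                .clientCredentials(cc -> cc.clockSkew(Duration.ofSeconds(30)))
                .build();
        DefaultReactiveOAuth2AuthorizedClientManager manager =
                new DefaultReactiveOAuth2AuthorizedClientManager(registrations, authorizedClients);
        manager.setAuthorizedClientProvider(provider);

        // This constructor configures no failure handler, so one is set explicitly.
        ServerOAuth2AuthorizedClientExchangeFilterFunction oauth2 =
                new ServerOAuth2AuthorizedClientExchangeFilterFunction(manager);
        oauth2.setAuthorizationFailureHandler(
                new RemoveAuthorizedClientReactiveOAuth2AuthorizationFailureHandler(
                        (registrationId, principal, attributes) -> authorizedClients.removeAuthorizedClient(
                                registrationId, principal,
                                // Assumed key: the exchange is stored under its class name.
                                (ServerWebExchange) attributes.get(ServerWebExchange.class.getName()))));

        // Neither setDefaultClientRegistrationId nor setDefaultOAuth2AuthorizedClient(true)
        // is called, so a token is attached only when a request asks for one via attributes.
        return WebClient.builder().filter(oauth2).build();
    }
}
```

With this wiring, callers select the registration per request, for example `.attributes(clientRegistrationId("my-client"))` where `my-client` is a placeholder id, so the bearer token is not sent to hosts that should not receive it.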