public final class ServletOAuth2AuthorizedClientExchangeFilterFunction
extends java.lang.Object
implements org.springframework.web.reactive.function.client.ExchangeFilterFunction

An ExchangeFilterFunction that uses an OAuth2AuthorizedClient to make OAuth 2.0 requests by including the access token as a bearer token.

NOTE: This class is intended to be used in a Servlet environment.

Example usage:

    ServletOAuth2AuthorizedClientExchangeFilterFunction oauth2 =
            new ServletOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager);
    WebClient webClient = WebClient.builder()
            .apply(oauth2.oauth2Configuration())
            .build();
    Mono<String> response = webClient
            .get()
            .uri(uri)
            .attributes(oauth2AuthorizedClient(authorizedClient))
            // ...
            .retrieve()
            .bodyToMono(String.class);
Since 5.3, this filter function has the ability to forward authentication (HTTP 401 Unauthorized) and authorization (HTTP 403 Forbidden) failures from an OAuth 2.0 Resource Server to an OAuth2AuthorizationFailureHandler. A RemoveAuthorizedClientOAuth2AuthorizationFailureHandler can be used to remove the cached OAuth2AuthorizedClient, so that future requests will result in a new token being retrieved from an Authorization Server and sent to the Resource Server.

If the ServletOAuth2AuthorizedClientExchangeFilterFunction(ClientRegistrationRepository, OAuth2AuthorizedClientRepository) constructor is used, a RemoveAuthorizedClientOAuth2AuthorizationFailureHandler will be configured automatically.

If the ServletOAuth2AuthorizedClientExchangeFilterFunction(OAuth2AuthorizedClientManager) constructor is used, a RemoveAuthorizedClientOAuth2AuthorizationFailureHandler will NOT be configured automatically. It is recommended that you configure one via setAuthorizationFailureHandler(OAuth2AuthorizationFailureHandler).
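The following configuration is an added example (not code from the Spring Security project or this Javadoc) of the recommended manager-based setup together with the failure handler that the manager constructor does not install for you. It assumes a registration named "backend" and a Resource Server URI, both placeholders; the remover lambda assumes the handler receives the HttpServletRequest/HttpServletResponse under their class names as attribute keys.

```java
import static org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction.clientRegistrationId;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder;
import org.springframework.security.oauth2.client.RemoveAuthorizedClientOAuth2AuthorizationFailureHandler;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction;
import org.springframework.web.reactive.function.client.WebClient;
import reactor.core.publisher.Mono;

@Configuration
public class ResourceServerWebClientConfig {
    @Bean
    public WebClient resourceServerWebClient(ClientRegistrationRepository registrations,
            OAuth2AuthorizedClientRepository authorizedClients) {
        // Manager-based setup (the non-deprecated path): the manager owns the grant providers.
        DefaultOAuth2AuthorizedClientManager manager =
                new DefaultOAuth2AuthorizedClientManager(registrations, authorizedClients);
        manager.setAuthorizedClientProvider(OAuth2AuthorizedClientProviderBuilder.builder()
                .authorizationCode().refreshToken().build());
        ServletOAuth2AuthorizedClientExchangeFilterFunction oauth2 =
                new ServletOAuth2AuthorizedClientExchangeFilterFunction(manager);
        // The manager constructor installs no failure handler, so a 401/403 from the Resource
        // Server would leave a dead token cached and replayed. Evict the authorized client instead.
        // Assumption: request/response are passed in the attributes map under their class names.
        oauth2.setAuthorizationFailureHandler(new RemoveAuthorizedClientOAuth2AuthorizationFailureHandler(
                (registrationId, principal, attributes) -> authorizedClients.removeAuthorizedClient(
                        registrationId, principal,
                        (HttpServletRequest) attributes.get(HttpServletRequest.class.getName()),
                        (HttpServletResponse) attributes.get(HttpServletResponse.class.getName()))));
        // setDefaultOAuth2AuthorizedClient stays false: a bearer token is attached only to
        // requests that name the registration it belongs to, never to every outbound call.
        return WebClient.builder().apply(oauth2.oauth2Configuration()).build();
    }

    // Caller side: the token for the "backend" registration (placeholder name) is attached here only.
    public static Mono<String> fetchProfile(WebClient webClient) {
        return webClient.get()
                .uri("https://resource.example.com/profile") // placeholder Resource Server URI
                .attributes(clientRegistrationId("backend"))
                .retrieve()
                .bodyToMono(String.class);
    }
}
```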
| Constructor and Description |
|---|
| ServletOAuth2AuthorizedClientExchangeFilterFunction() |
| ServletOAuth2AuthorizedClientExchangeFilterFunction(ClientRegistrationRepository clientRegistrationRepository, OAuth2AuthorizedClientRepository authorizedClientRepository) Constructs a ServletOAuth2AuthorizedClientExchangeFilterFunction using the provided parameters. |
| ServletOAuth2AuthorizedClientExchangeFilterFunction(OAuth2AuthorizedClientManager authorizedClientManager) Constructs a ServletOAuth2AuthorizedClientExchangeFilterFunction using the provided parameters. |
| Modifier and Type | Method and Description |
|---|---|
| static java.util.function.Consumer<java.util.Map<java.lang.String,java.lang.Object>> | authentication(Authentication authentication) Modifies the ClientRequest.attributes() to include the Authentication used to look up and save the OAuth2AuthorizedClient. |
| static java.util.function.Consumer<java.util.Map<java.lang.String,java.lang.Object>> | clientRegistrationId(java.lang.String clientRegistrationId) Modifies the ClientRequest.attributes() to include the ClientRegistration.getRegistrationId() to be used to look up the OAuth2AuthorizedClient. |
| java.util.function.Consumer<org.springframework.web.reactive.function.client.WebClient.RequestHeadersSpec<?>> | defaultRequest() Provides defaults for the HttpServletRequest and the HttpServletResponse using RequestContextHolder. |
| reactor.core.publisher.Mono<org.springframework.web.reactive.function.client.ClientResponse> | filter(org.springframework.web.reactive.function.client.ClientRequest request, org.springframework.web.reactive.function.client.ExchangeFunction next) |
| static java.util.function.Consumer<java.util.Map<java.lang.String,java.lang.Object>> | httpServletRequest(javax.servlet.http.HttpServletRequest request) Modifies the ClientRequest.attributes() to include the HttpServletRequest used to look up and save the OAuth2AuthorizedClient. |
| static java.util.function.Consumer<java.util.Map<java.lang.String,java.lang.Object>> | httpServletResponse(javax.servlet.http.HttpServletResponse response) Modifies the ClientRequest.attributes() to include the HttpServletResponse used to save the OAuth2AuthorizedClient. |
| static java.util.function.Consumer<java.util.Map<java.lang.String,java.lang.Object>> | oauth2AuthorizedClient(OAuth2AuthorizedClient authorizedClient) Modifies the ClientRequest.attributes() to include the OAuth2AuthorizedClient to be used for providing the Bearer Token. |
| java.util.function.Consumer<org.springframework.web.reactive.function.client.WebClient.Builder> | oauth2Configuration() Configures the builder with defaultRequest() and adds this as an ExchangeFilterFunction. |
| void | setAccessTokenExpiresSkew(java.time.Duration accessTokenExpiresSkew) Deprecated. The accessTokenExpiresSkew should be configured with the specific OAuth2AuthorizedClientProvider implementation, e.g. ClientCredentialsOAuth2AuthorizedClientProvider or RefreshTokenOAuth2AuthorizedClientProvider. |
| void | setAuthorizationFailureHandler(OAuth2AuthorizationFailureHandler authorizationFailureHandler) Sets the OAuth2AuthorizationFailureHandler that handles authentication and authorization failures when communicating with the OAuth 2.0 Resource Server. |
| void | setClientCredentialsTokenResponseClient(OAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> clientCredentialsTokenResponseClient) Deprecated. Use ServletOAuth2AuthorizedClientExchangeFilterFunction(OAuth2AuthorizedClientManager) instead. Create an instance of ClientCredentialsOAuth2AuthorizedClientProvider configured with a DefaultClientCredentialsTokenResponseClient (or a custom one) and then supply it to DefaultOAuth2AuthorizedClientManager. |
| void | setDefaultClientRegistrationId(java.lang.String clientRegistrationId) If set, will be used as the default ClientRegistration.getRegistrationId(). |
| void | setDefaultOAuth2AuthorizedClient(boolean defaultOAuth2AuthorizedClient) If true, a default OAuth2AuthorizedClient can be discovered from the current Authentication. |
public ServletOAuth2AuthorizedClientExchangeFilterFunction()

public ServletOAuth2AuthorizedClientExchangeFilterFunction(OAuth2AuthorizedClientManager authorizedClientManager)
Constructs a ServletOAuth2AuthorizedClientExchangeFilterFunction using the provided parameters.
When this constructor is used, authentication (HTTP 401) and authorization (HTTP 403) failures returned from an OAuth 2.0 Resource Server will NOT be forwarded to an OAuth2AuthorizationFailureHandler. Therefore, future requests to the Resource Server will most likely use the same (likely invalid) token, resulting in the same errors returned from the Resource Server. It is recommended to configure a RemoveAuthorizedClientOAuth2AuthorizationFailureHandler via setAuthorizationFailureHandler(OAuth2AuthorizationFailureHandler) so that authentication and authorization failures returned from a Resource Server will result in removing the authorized client, so that a new token is retrieved for future requests.
Parameters:
authorizedClientManager - the OAuth2AuthorizedClientManager which manages the authorized client(s)

public ServletOAuth2AuthorizedClientExchangeFilterFunction(ClientRegistrationRepository clientRegistrationRepository, OAuth2AuthorizedClientRepository authorizedClientRepository)
Constructs a ServletOAuth2AuthorizedClientExchangeFilterFunction using the provided parameters.
Since 5.3, when this constructor is used, authentication (HTTP 401) and authorization (HTTP 403) failures returned from an OAuth 2.0 Resource Server will be forwarded to a RemoveAuthorizedClientOAuth2AuthorizationFailureHandler, which will potentially remove the OAuth2AuthorizedClient from the given OAuth2AuthorizedClientRepository, depending on the OAuth 2.0 error code returned. Authentication failures returned from an OAuth 2.0 Resource Server typically indicate that the token is invalid and should not be used in future requests. Removing the authorized client from the repository will ensure that the existing token will not be sent for future requests to the Resource Server, and a new token is retrieved from the Authorization Server and used for future requests to the Resource Server.
Parameters:
clientRegistrationRepository - the repository of client registrations
authorizedClientRepository - the repository of authorized clients

@Deprecated
public void setClientCredentialsTokenResponseClient(OAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> clientCredentialsTokenResponseClient)
Deprecated. Use ServletOAuth2AuthorizedClientExchangeFilterFunction(OAuth2AuthorizedClientManager) instead. Create an instance of ClientCredentialsOAuth2AuthorizedClientProvider configured with a DefaultClientCredentialsTokenResponseClient (or a custom one) and then supply it to DefaultOAuth2AuthorizedClientManager.
Sets the OAuth2AccessTokenResponseClient used for getting an OAuth2AuthorizedClient for the client_credentials grant.
Parameters:
clientCredentialsTokenResponseClient - the client to use

public void setDefaultOAuth2AuthorizedClient(boolean defaultOAuth2AuthorizedClient)
If true, a default OAuth2AuthorizedClient can be discovered from the current Authentication. It is recommended to be cautious with this feature since all HTTP requests will receive the access token if it can be resolved from the current Authentication.
Parameters:
defaultOAuth2AuthorizedClient - true if a default OAuth2AuthorizedClient should be used, else false. Default is false.

public void setDefaultClientRegistrationId(java.lang.String clientRegistrationId)
If set, will be used as the default ClientRegistration.getRegistrationId(). It is recommended to be cautious with this feature since all HTTP requests will receive the access token.
Parameters:
clientRegistrationId - the id to use

public java.util.function.Consumer<org.springframework.web.reactive.function.client.WebClient.Builder> oauth2Configuration()
Configures the builder with defaultRequest() and adds this as an ExchangeFilterFunction.
Returns:
the Consumer to configure the builder

public java.util.function.Consumer<org.springframework.web.reactive.function.client.WebClient.RequestHeadersSpec<?>> defaultRequest()
Provides defaults for the HttpServletRequest and the HttpServletResponse using RequestContextHolder. It also provides defaults for the Authentication using SecurityContextHolder. It can also default the OAuth2AuthorizedClient using the clientRegistrationId(String) or the authentication(Authentication).
Returns:
the Consumer to populate the attributes

public static java.util.function.Consumer<java.util.Map<java.lang.String,java.lang.Object>> oauth2AuthorizedClient(OAuth2AuthorizedClient authorizedClient)
Modifies the ClientRequest.attributes() to include the OAuth2AuthorizedClient to be used for providing the Bearer Token.
Parameters:
authorizedClient - the OAuth2AuthorizedClient to use.
Returns:
the Consumer to populate the attributes

public static java.util.function.Consumer<java.util.Map<java.lang.String,java.lang.Object>> clientRegistrationId(java.lang.String clientRegistrationId)
Modifies the ClientRequest.attributes() to include the ClientRegistration.getRegistrationId() to be used to look up the OAuth2AuthorizedClient.
Parameters:
clientRegistrationId - the ClientRegistration.getRegistrationId() to be used to look up the OAuth2AuthorizedClient.
Returns:
the Consumer to populate the attributes

public static java.util.function.Consumer<java.util.Map<java.lang.String,java.lang.Object>> authentication(Authentication authentication)
Modifies the ClientRequest.attributes() to include the Authentication used to look up and save the OAuth2AuthorizedClient. The value is defaulted in defaultRequest().
Parameters:
authentication - the Authentication to use.
Returns:
the Consumer to populate the attributes

public static java.util.function.Consumer<java.util.Map<java.lang.String,java.lang.Object>> httpServletRequest(javax.servlet.http.HttpServletRequest request)
Modifies the ClientRequest.attributes() to include the HttpServletRequest used to look up and save the OAuth2AuthorizedClient. The value is defaulted in defaultRequest().
Parameters:
request - the HttpServletRequest to use.
Returns:
the Consumer to populate the attributes

public static java.util.function.Consumer<java.util.Map<java.lang.String,java.lang.Object>> httpServletResponse(javax.servlet.http.HttpServletResponse response)
Modifies the ClientRequest.attributes() to include the HttpServletResponse used to save the OAuth2AuthorizedClient. The value is defaulted in defaultRequest().
Parameters:
response - the HttpServletResponse to use.
Returns:
the Consumer to populate the attributes

@Deprecated
public void setAccessTokenExpiresSkew(java.time.Duration accessTokenExpiresSkew)
Deprecated. The accessTokenExpiresSkew should be configured with the specific OAuth2AuthorizedClientProvider implementation, e.g. ClientCredentialsOAuth2AuthorizedClientProvider or RefreshTokenOAuth2AuthorizedClientProvider.
Parameters:
accessTokenExpiresSkew - the Duration to use.

public void setAuthorizationFailureHandler(OAuth2AuthorizationFailureHandler authorizationFailureHandler)
Sets the OAuth2AuthorizationFailureHandler that handles authentication and authorization failures when communicating with the OAuth 2.0 Resource Server.
For example, a RemoveAuthorizedClientOAuth2AuthorizationFailureHandler is typically used to remove the cached OAuth2AuthorizedClient, so that the same token is no longer used in future requests to the Resource Server.
The failure handler used by default depends on which constructor was used to construct this ServletOAuth2AuthorizedClientExchangeFilterFunction. See the constructors for more details.
Parameters:
authorizationFailureHandler - the OAuth2AuthorizationFailureHandler that handles authentication and authorization failures

public reactor.core.publisher.Mono<org.springframework.web.reactive.function.client.ClientResponse> filter(org.springframework.web.reactive.function.client.ClientRequest request, org.springframework.web.reactive.function.client.ExchangeFunction next)
Specified by:
filter in interface org.springframework.web.reactive.function.client.ExchangeFilterFunction