Class ServerOAuth2AuthorizedClientExchangeFilterFunction

    • Constructor Detail

      • ServerOAuth2AuthorizedClientExchangeFilterFunction

        public ServerOAuth2AuthorizedClientExchangeFilterFunction(ReactiveClientRegistrationRepository clientRegistrationRepository,
                                                                  ServerOAuth2AuthorizedClientRepository authorizedClientRepository)
        Constructs a ServerOAuth2AuthorizedClientExchangeFilterFunction using the provided parameters.

        Since 5.3, when this constructor is used, authentication (HTTP 401) and authorization (HTTP 403) failures returned from an OAuth 2.0 Resource Server will be forwarded to a RemoveAuthorizedClientReactiveOAuth2AuthorizationFailureHandler, which will potentially remove the OAuth2AuthorizedClient from the given ServerOAuth2AuthorizedClientRepository, depending on the OAuth 2.0 error code returned. Authentication failures returned from an OAuth 2.0 Resource Server typically indicate that the token is invalid and should not be used in future requests. Removing the authorized client from the repository ensures that the existing token is not sent in future requests to the Resource Server, and that a new token is retrieved from the Authorization Server and used instead.

        Parameters:
        clientRegistrationRepository - the repository of client registrations
        authorizedClientRepository - the repository of authorized clients
    • Method Detail

      • oauth2AuthorizedClient

        public static java.util.function.Consumer<java.util.Map<java.lang.String,java.lang.Object>> oauth2AuthorizedClient(OAuth2AuthorizedClient authorizedClient)
        Modifies the ClientRequest.attributes() to include the OAuth2AuthorizedClient to be used for providing the Bearer Token. Example usage:
         WebClient webClient = WebClient.builder()
            .filter(new ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager))
            .build();
         Mono<String> response = webClient
            .get()
            .uri(uri)
            .attributes(oauth2AuthorizedClient(authorizedClient))
            // ...
            .retrieve()
            .bodyToMono(String.class);
         
        An attempt to automatically refresh the token will be made if all of the following are true:
        • A refresh token is present on the OAuth2AuthorizedClient
        • The access token will expire within the skew configured by setAccessTokenExpiresSkew(Duration)
        The ReactiveSecurityContextHolder will be used to attempt to save the token. If it is empty, then the principal name on the OAuth2AuthorizedClient will be used to create an Authentication for saving.
        Parameters:
        authorizedClient - the OAuth2AuthorizedClient to use.
        Returns:
        the Consumer to populate the
      • serverWebExchange

        public static java.util.function.Consumer<java.util.Map<java.lang.String,java.lang.Object>> serverWebExchange(org.springframework.web.server.ServerWebExchange serverWebExchange)
        Modifies the ClientRequest.attributes() to include the ServerWebExchange to be used for providing the Bearer Token. Example usage:
         WebClient webClient = WebClient.builder()
            .filter(new ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager))
            .build();
         Mono<String> response = webClient
            .get()
            .uri(uri)
            .attributes(serverWebExchange(serverWebExchange))
            // ...
            .retrieve()
            .bodyToMono(String.class);
         
        Parameters:
        serverWebExchange - the ServerWebExchange to use
        Returns:
        the Consumer to populate the client request attributes
      • setDefaultOAuth2AuthorizedClient

        public void setDefaultOAuth2AuthorizedClient(boolean defaultOAuth2AuthorizedClient)
        If true, a default OAuth2AuthorizedClient can be discovered from the current Authentication. It is recommended to be cautious with this feature since all HTTP requests will receive the access token if it can be resolved from the current Authentication.
        Parameters:
        defaultOAuth2AuthorizedClient - true if a default OAuth2AuthorizedClient should be used, else false. Default is false.
      • setDefaultClientRegistrationId

        public void setDefaultClientRegistrationId(java.lang.String clientRegistrationId)
        If set, will be used as the default ClientRegistration.getRegistrationId(). It is recommended to be cautious with this feature since all HTTP requests will receive the access token.
        Parameters:
        clientRegistrationId - the id to use
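        One way to contain the risk that both setDefaultOAuth2AuthorizedClient and setDefaultClientRegistrationId warn about, as an added example (not part of Spring Security or of this page): a wrapper that lets the OAuth2 filter run only for allow-listed HTTPS hosts, so a default client cannot attach its access token to requests for other destinations. The class name HostScopedOAuth2Filter, the registration id "example-client" and the host "api.example.com" are hypothetical; Java 10 or later is assumed for Set.copyOf.

```java
import java.net.URI;
import java.util.Locale;
import java.util.Set;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.reactive.function.client.ServerOAuth2AuthorizedClientExchangeFilterFunction;
import org.springframework.security.oauth2.client.web.server.ServerOAuth2AuthorizedClientRepository;
import org.springframework.web.reactive.function.client.ClientRequest;
import org.springframework.web.reactive.function.client.ClientResponse;
import org.springframework.web.reactive.function.client.ExchangeFilterFunction;
import org.springframework.web.reactive.function.client.ExchangeFunction;
import org.springframework.web.reactive.function.client.WebClient;
import reactor.core.publisher.Mono;

/** Hypothetical wrapper (not a Spring Security class): runs the OAuth2 filter only for allow-listed HTTPS hosts. */
public final class HostScopedOAuth2Filter implements ExchangeFilterFunction {

    private final ExchangeFilterFunction oauth2;
    private final Set<String> allowedHosts; // lower-case host names that may receive the token

    public HostScopedOAuth2Filter(ExchangeFilterFunction oauth2, Set<String> allowedHosts) {
        this.oauth2 = oauth2;
        this.allowedHosts = Set.copyOf(allowedHosts);
    }

    @Override
    public Mono<ClientResponse> filter(ClientRequest request, ExchangeFunction next) {
        URI url = request.url();
        String host = url.getHost();
        boolean trusted = "https".equalsIgnoreCase(url.getScheme())
                && host != null
                && this.allowedHosts.contains(host.toLowerCase(Locale.ROOT));
        // Trusted target: the OAuth2 filter resolves the client and adds the Bearer token.
        // Any other target: the OAuth2 filter is skipped, so it adds no Authorization header.
        return trusted ? this.oauth2.filter(request, next) : next.exchange(request);
    }

    /** Wiring with a default registration; "example-client" and "api.example.com" are placeholders. */
    public static WebClient build(ReactiveClientRegistrationRepository clientRegistrationRepository,
                                  ServerOAuth2AuthorizedClientRepository authorizedClientRepository) {
        ServerOAuth2AuthorizedClientExchangeFilterFunction oauth2 =
                new ServerOAuth2AuthorizedClientExchangeFilterFunction(
                        clientRegistrationRepository, authorizedClientRepository);
        oauth2.setDefaultClientRegistrationId("example-client");
        return WebClient.builder()
                .filter(new HostScopedOAuth2Filter(oauth2, Set.of("api.example.com")))
                .build();
    }
}
```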
      • filter

        public reactor.core.publisher.Mono<org.springframework.web.reactive.function.client.ClientResponse> filter(org.springframework.web.reactive.function.client.ClientRequest request,
                                                                                                                   org.springframework.web.reactive.function.client.ExchangeFunction next)
        Specified by:
        filter in interface org.springframework.web.reactive.function.client.ExchangeFilterFunction