Class ServerOAuth2AuthorizedClientExchangeFilterFunction
- java.lang.Object
-
- org.springframework.security.oauth2.client.web.reactive.function.client.ServerOAuth2AuthorizedClientExchangeFilterFunction
-
- All Implemented Interfaces:
org.springframework.web.reactive.function.client.ExchangeFilterFunction
public final class ServerOAuth2AuthorizedClientExchangeFilterFunction extends java.lang.Object implements org.springframework.web.reactive.function.client.ExchangeFilterFunction
Provides an easy mechanism for using an OAuth2AuthorizedClient to make OAuth2 requests by including the token as a Bearer Token.

Authentication and Authorization Failures

Since 5.3, this filter function has the ability to forward authentication (HTTP 401 Unauthorized) and authorization (HTTP 403 Forbidden) failures from an OAuth 2.0 Resource Server to a ReactiveOAuth2AuthorizationFailureHandler. A RemoveAuthorizedClientReactiveOAuth2AuthorizationFailureHandler can be used to remove the cached OAuth2AuthorizedClient, so that future requests will result in a new token being retrieved from an Authorization Server, and sent to the Resource Server.

If the ServerOAuth2AuthorizedClientExchangeFilterFunction(ReactiveClientRegistrationRepository, ServerOAuth2AuthorizedClientRepository) constructor is used, a RemoveAuthorizedClientReactiveOAuth2AuthorizationFailureHandler will be configured automatically.

If the ServerOAuth2AuthorizedClientExchangeFilterFunction(ReactiveOAuth2AuthorizedClientManager) constructor is used, a RemoveAuthorizedClientReactiveOAuth2AuthorizationFailureHandler will NOT be configured automatically. It is recommended that you configure one via setAuthorizationFailureHandler(ReactiveOAuth2AuthorizationFailureHandler).

- Since:
- 5.1
-
-
Constructor Summary
Constructors
- ServerOAuth2AuthorizedClientExchangeFilterFunction(ReactiveOAuth2AuthorizedClientManager authorizedClientManager)
  Constructs a ServerOAuth2AuthorizedClientExchangeFilterFunction using the provided parameters.
- ServerOAuth2AuthorizedClientExchangeFilterFunction(ReactiveClientRegistrationRepository clientRegistrationRepository, ServerOAuth2AuthorizedClientRepository authorizedClientRepository)
  Constructs a ServerOAuth2AuthorizedClientExchangeFilterFunction using the provided parameters.
-
Method Summary
Modifier and Type, Method, Description
- static java.util.function.Consumer<java.util.Map<java.lang.String,java.lang.Object>> clientRegistrationId(java.lang.String clientRegistrationId)
  Modifies the ClientRequest.attributes() to include the ClientRegistration.getRegistrationId() to be used to look up the OAuth2AuthorizedClient.
- reactor.core.publisher.Mono<org.springframework.web.reactive.function.client.ClientResponse> filter(org.springframework.web.reactive.function.client.ClientRequest request, org.springframework.web.reactive.function.client.ExchangeFunction next)
- static java.util.function.Consumer<java.util.Map<java.lang.String,java.lang.Object>> oauth2AuthorizedClient(OAuth2AuthorizedClient authorizedClient)
  Modifies the ClientRequest.attributes() to include the OAuth2AuthorizedClient to be used for providing the Bearer Token.
- static java.util.function.Consumer<java.util.Map<java.lang.String,java.lang.Object>> serverWebExchange(org.springframework.web.server.ServerWebExchange serverWebExchange)
  Modifies the ClientRequest.attributes() to include the ServerWebExchange to be used for providing the Bearer Token.
- void setAccessTokenExpiresSkew(java.time.Duration accessTokenExpiresSkew)
  Deprecated. The accessTokenExpiresSkew should be configured with the specific ReactiveOAuth2AuthorizedClientProvider implementation, e.g.
- void setAuthorizationFailureHandler(ReactiveOAuth2AuthorizationFailureHandler authorizationFailureHandler)
  Sets the handler that handles authentication and authorization failures when communicating to the OAuth 2.0 Resource Server.
- void setClientCredentialsTokenResponseClient(ReactiveOAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> clientCredentialsTokenResponseClient)
  Deprecated.
- void setDefaultClientRegistrationId(java.lang.String clientRegistrationId)
  If set, will be used as the default ClientRegistration.getRegistrationId().
- void setDefaultOAuth2AuthorizedClient(boolean defaultOAuth2AuthorizedClient)
  If true, a default OAuth2AuthorizedClient can be discovered from the current Authentication.
-
-
-
Constructor Detail
-
ServerOAuth2AuthorizedClientExchangeFilterFunction
public ServerOAuth2AuthorizedClientExchangeFilterFunction(ReactiveOAuth2AuthorizedClientManager authorizedClientManager)
Constructs a ServerOAuth2AuthorizedClientExchangeFilterFunction using the provided parameters.

When this constructor is used, authentication (HTTP 401) and authorization (HTTP 403) failures returned from an OAuth 2.0 Resource Server will NOT be forwarded to a ReactiveOAuth2AuthorizationFailureHandler. Therefore, future requests to the Resource Server will most likely use the same (most likely invalid) token, resulting in the same errors returned from the Resource Server. It is recommended to configure a RemoveAuthorizedClientReactiveOAuth2AuthorizationFailureHandler via setAuthorizationFailureHandler(ReactiveOAuth2AuthorizationFailureHandler) so that authentication and authorization failures returned from a Resource Server will result in removing the authorized client, so that a new token is retrieved for future requests.

- Parameters:
authorizedClientManager - the ReactiveOAuth2AuthorizedClientManager which manages the authorized client(s)
- Since:
- 5.2
-
ServerOAuth2AuthorizedClientExchangeFilterFunction
public ServerOAuth2AuthorizedClientExchangeFilterFunction(ReactiveClientRegistrationRepository clientRegistrationRepository, ServerOAuth2AuthorizedClientRepository authorizedClientRepository)
Constructs a ServerOAuth2AuthorizedClientExchangeFilterFunction using the provided parameters.

Since 5.3, when this constructor is used, authentication (HTTP 401) and authorization (HTTP 403) failures returned from an OAuth 2.0 Resource Server will be forwarded to a RemoveAuthorizedClientReactiveOAuth2AuthorizationFailureHandler, which will potentially remove the OAuth2AuthorizedClient from the given ServerOAuth2AuthorizedClientRepository, depending on the OAuth 2.0 error code returned. Authentication failures returned from an OAuth 2.0 Resource Server typically indicate that the token is invalid, and should not be used in future requests. Removing the authorized client from the repository will ensure that the existing token will not be sent for future requests to the Resource Server, and a new token is retrieved from the Authorization Server and used for future requests to the Resource Server.

- Parameters:
clientRegistrationRepository - the repository of client registrations
authorizedClientRepository - the repository of authorized clients
-
-
Method Detail
-
oauth2AuthorizedClient
public static java.util.function.Consumer<java.util.Map<java.lang.String,java.lang.Object>> oauth2AuthorizedClient(OAuth2AuthorizedClient authorizedClient)
Modifies the ClientRequest.attributes() to include the OAuth2AuthorizedClient to be used for providing the Bearer Token. Example usage:

    WebClient webClient = WebClient.builder()
        .filter(new ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager))
        .build();
    Mono<String> response = webClient
        .get()
        .uri(uri)
        .attributes(oauth2AuthorizedClient(authorizedClient))
        // ...
        .retrieve()
        .bodyToMono(String.class);

An attempt to automatically refresh the token will be made if all of the following are true:
- A refresh token is present on the OAuth2AuthorizedClient
- The access token will be expired in setAccessTokenExpiresSkew(Duration)
- The ReactiveSecurityContextHolder will be used to attempt to save the token. If it is empty, then the principal name on the OAuth2AuthorizedClient will be used to create an Authentication for saving.

- Parameters:
authorizedClient - the OAuth2AuthorizedClient to use.
- Returns:
- the Consumer to populate the
-
serverWebExchange
public static java.util.function.Consumer<java.util.Map<java.lang.String,java.lang.Object>> serverWebExchange(org.springframework.web.server.ServerWebExchange serverWebExchange)
Modifies the ClientRequest.attributes() to include the ServerWebExchange to be used for providing the Bearer Token. Example usage:

    WebClient webClient = WebClient.builder()
        .filter(new ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager))
        .build();
    Mono<String> response = webClient
        .get()
        .uri(uri)
        .attributes(serverWebExchange(serverWebExchange))
        // ...
        .retrieve()
        .bodyToMono(String.class);

- Parameters:
serverWebExchange - the ServerWebExchange to use
- Returns:
- the Consumer to populate the client request attributes
-
clientRegistrationId
public static java.util.function.Consumer<java.util.Map<java.lang.String,java.lang.Object>> clientRegistrationId(java.lang.String clientRegistrationId)
Modifies the ClientRequest.attributes() to include the ClientRegistration.getRegistrationId() to be used to look up the OAuth2AuthorizedClient.

- Parameters:
clientRegistrationId - the ClientRegistration.getRegistrationId() to be used to look up the OAuth2AuthorizedClient.
- Returns:
- the Consumer to populate the attributes
-
setDefaultOAuth2AuthorizedClient
public void setDefaultOAuth2AuthorizedClient(boolean defaultOAuth2AuthorizedClient)
If true, a default OAuth2AuthorizedClient can be discovered from the current Authentication. It is recommended to be cautious with this feature since all HTTP requests will receive the access token if it can be resolved from the current Authentication.

- Parameters:
defaultOAuth2AuthorizedClient - true if a default OAuth2AuthorizedClient should be used, else false. Default is false.
-
setDefaultClientRegistrationId
public void setDefaultClientRegistrationId(java.lang.String clientRegistrationId)
If set, will be used as the default ClientRegistration.getRegistrationId(). It is recommended to be cautious with this feature since all HTTP requests will receive the access token.

- Parameters:
clientRegistrationId - the id to use
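
One way to act on the caution attached to setDefaultOAuth2AuthorizedClient and setDefaultClientRegistrationId is to wrap the filter so that a token is only attached for HTTPS requests to an allowlist of Resource Server hosts. This is an added example, not Spring Security's own code; the class name, the host `api.example.com` and the registration id `example-client` are hypothetical.

```java
import java.util.Locale;
import java.util.Set;

import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.web.reactive.function.client.ServerOAuth2AuthorizedClientExchangeFilterFunction;
import org.springframework.web.reactive.function.client.ExchangeFilterFunction;
import org.springframework.web.reactive.function.client.WebClient;

public final class ScopedBearerWebClient {

    // Hypothetical allowlist: the only hosts that may receive the access token.
    private static final Set<String> TOKEN_HOSTS = Set.of("api.example.com");

    private ScopedBearerWebClient() {
    }

    public static WebClient build(ReactiveOAuth2AuthorizedClientManager manager) {
        ServerOAuth2AuthorizedClientExchangeFilterFunction oauth2 =
                new ServerOAuth2AuthorizedClientExchangeFilterFunction(manager);
        // With a default registration id, every request that reaches this filter
        // is sent with the access token, whatever its destination.
        oauth2.setDefaultClientRegistrationId("example-client"); // hypothetical id

        // Guard: run the OAuth2 filter only for HTTPS requests to allowlisted hosts.
        // Any other request continues down the chain without the Bearer token.
        ExchangeFilterFunction scoped = (request, next) -> {
            String host = request.url().getHost();
            boolean https = "https".equalsIgnoreCase(request.url().getScheme());
            boolean allowed = https && host != null
                    && TOKEN_HOSTS.contains(host.toLowerCase(Locale.ROOT));
            return allowed ? oauth2.filter(request, next) : next.exchange(request);
        };

        return WebClient.builder().filter(scoped).build();
    }
}
```

The alternative that needs no guard is to leave both defaults unset and opt in per request with `.attributes(clientRegistrationId(...))`, as described for clientRegistrationId above.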
-
setClientCredentialsTokenResponseClient
@Deprecated public void setClientCredentialsTokenResponseClient(ReactiveOAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> clientCredentialsTokenResponseClient)
Deprecated. Use ServerOAuth2AuthorizedClientExchangeFilterFunction(ReactiveOAuth2AuthorizedClientManager) instead. Create an instance of ClientCredentialsReactiveOAuth2AuthorizedClientProvider configured with a WebClientReactiveClientCredentialsTokenResponseClient (or a custom one) and then supply it to DefaultReactiveOAuth2AuthorizedClientManager.

Sets the ReactiveOAuth2AccessTokenResponseClient used for getting an OAuth2AuthorizedClient for the client_credentials grant.

- Parameters:
clientCredentialsTokenResponseClient - the client to use
-
setAccessTokenExpiresSkew
@Deprecated public void setAccessTokenExpiresSkew(java.time.Duration accessTokenExpiresSkew)
Deprecated. The accessTokenExpiresSkew should be configured with the specific ReactiveOAuth2AuthorizedClientProvider implementation, e.g. ClientCredentialsReactiveOAuth2AuthorizedClientProvider or RefreshTokenReactiveOAuth2AuthorizedClientProvider.

An access token will be considered expired by comparing its expiration to now + this skewed Duration. The default is 1 minute.

- Parameters:
accessTokenExpiresSkew - the Duration to use.
-
filter
public reactor.core.publisher.Mono<org.springframework.web.reactive.function.client.ClientResponse> filter(org.springframework.web.reactive.function.client.ClientRequest request, org.springframework.web.reactive.function.client.ExchangeFunction next)
- Specified by:
filter in interface org.springframework.web.reactive.function.client.ExchangeFilterFunction
-
setAuthorizationFailureHandler
public void setAuthorizationFailureHandler(ReactiveOAuth2AuthorizationFailureHandler authorizationFailureHandler)
Sets the handler that handles authentication and authorization failures when communicating to the OAuth 2.0 Resource Server.

For example, a RemoveAuthorizedClientReactiveOAuth2AuthorizationFailureHandler is typically used to remove the cached OAuth2AuthorizedClient, so that the same token is no longer used in future requests to the Resource Server.

The failure handler used by default depends on which constructor was used to construct this ServerOAuth2AuthorizedClientExchangeFilterFunction. See the constructors for more details.

- Parameters:
authorizationFailureHandler - the handler that handles authentication and authorization failures.
- Since:
- 5.3
-
-