Class ServerOAuth2AuthorizedClientExchangeFilterFunction

java.lang.Object
org.springframework.security.oauth2.client.web.reactive.function.client.ServerOAuth2AuthorizedClientExchangeFilterFunction
All Implemented Interfaces:
org.springframework.web.reactive.function.client.ExchangeFilterFunction

public final class ServerOAuth2AuthorizedClientExchangeFilterFunction extends Object implements org.springframework.web.reactive.function.client.ExchangeFilterFunction
Provides an easy mechanism for using an OAuth2AuthorizedClient to make OAuth2 requests by including the token as a Bearer Token.

Authentication and Authorization Failures

Since 5.3, this filter function has the ability to forward authentication (HTTP 401 Unauthorized) and authorization (HTTP 403 Forbidden) failures from an OAuth 2.0 Resource Server to a ReactiveOAuth2AuthorizationFailureHandler. A RemoveAuthorizedClientReactiveOAuth2AuthorizationFailureHandler can be used to remove the cached OAuth2AuthorizedClient, so that future requests will result in a new token being retrieved from an Authorization Server, and sent to the Resource Server.

If the ServerOAuth2AuthorizedClientExchangeFilterFunction(ReactiveClientRegistrationRepository, ServerOAuth2AuthorizedClientRepository) constructor is used, a RemoveAuthorizedClientReactiveOAuth2AuthorizationFailureHandler will be configured automatically.

If the ServerOAuth2AuthorizedClientExchangeFilterFunction(ReactiveOAuth2AuthorizedClientManager) constructor is used, a RemoveAuthorizedClientReactiveOAuth2AuthorizationFailureHandler will NOT be configured automatically. It is recommended that you configure one via setAuthorizationFailureHandler(ReactiveOAuth2AuthorizationFailureHandler).
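As an added example (not code from this Javadoc or from the Spring Security project), the configuration below wires the filter through the ReactiveOAuth2AuthorizedClientManager constructor and installs the RemoveAuthorizedClientReactiveOAuth2AuthorizationFailureHandler that this constructor does not provide by default. It assumes a Spring Boot WebFlux application in which the ReactiveClientRegistrationRepository and ServerOAuth2AuthorizedClientRepository beans are auto-configured; the base URL https://api.example.com and the bean names are placeholders.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientProviderBuilder;
import org.springframework.security.oauth2.client.RemoveAuthorizedClientReactiveOAuth2AuthorizationFailureHandler;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.DefaultReactiveOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.web.reactive.function.client.ServerOAuth2AuthorizedClientExchangeFilterFunction;
import org.springframework.security.oauth2.client.web.server.ServerOAuth2AuthorizedClientRepository;
import org.springframework.web.reactive.function.client.WebClient;

/**
 * Added example configuration (assumed names). Builds a WebClient dedicated to one
 * OAuth 2.0 Resource Server, with token refresh and stale-token eviction wired in.
 */
@Configuration
public class ResourceServerWebClientConfig {

    @Bean
    ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
            ReactiveClientRegistrationRepository clientRegistrations,
            ServerOAuth2AuthorizedClientRepository authorizedClients) {
        // Grants this client may use: authorization_code for logged-in users,
        // refresh_token to renew expiring access tokens, client_credentials for
        // service-to-service calls.
        ReactiveOAuth2AuthorizedClientProvider provider =
                ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
                        .authorizationCode()
                        .refreshToken()
                        .clientCredentials()
                        .build();
        DefaultReactiveOAuth2AuthorizedClientManager manager =
                new DefaultReactiveOAuth2AuthorizedClientManager(clientRegistrations, authorizedClients);
        manager.setAuthorizedClientProvider(provider);
        return manager;
    }

    @Bean
    WebClient resourceServerWebClient(ReactiveOAuth2AuthorizedClientManager manager,
                                      ServerOAuth2AuthorizedClientRepository authorizedClients) {
        ServerOAuth2AuthorizedClientExchangeFilterFunction oauth2 =
                new ServerOAuth2AuthorizedClientExchangeFilterFunction(manager);

        // The manager-based constructor installs NO failure handler: a 401/403 from the
        // Resource Server would leave the rejected OAuth2AuthorizedClient cached and every
        // later request would resend the same token. Evict it instead, so the manager
        // obtains a fresh token on the next request. The handler must point at the SAME
        // repository the manager saves into, or it will evict nothing.
        oauth2.setAuthorizationFailureHandler(
                new RemoveAuthorizedClientReactiveOAuth2AuthorizationFailureHandler(authorizedClients));

        return WebClient.builder()
                .baseUrl("https://api.example.com") // assumed Resource Server
                .filter(oauth2)
                .build();
    }
}
```

Two points worth checking in review: the failure handler is only useful when it is built on the same ServerOAuth2AuthorizedClientRepository the manager writes to, and the filter attaches the Bearer Token to every request for which it can resolve an authorized client, whatever host that request targets. baseUrl is a convenience, not a boundary (a request built from an absolute URI ignores it), so a WebClient carrying this filter should not be shared with code that calls other hosts.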

Since:
5.1
  • Constructor Details

    • ServerOAuth2AuthorizedClientExchangeFilterFunction

      public ServerOAuth2AuthorizedClientExchangeFilterFunction(ReactiveOAuth2AuthorizedClientManager authorizedClientManager)
      Constructs a ServerOAuth2AuthorizedClientExchangeFilterFunction using the provided parameters.

      When this constructor is used, authentication (HTTP 401) and authorization (HTTP 403) failures returned from an OAuth 2.0 Resource Server will NOT be forwarded to a ReactiveOAuth2AuthorizationFailureHandler. The cached OAuth2AuthorizedClient is therefore kept, and future requests to the Resource Server will keep sending the same (most likely invalid) token and receiving the same errors. It is recommended to configure a RemoveAuthorizedClientReactiveOAuth2AuthorizationFailureHandler via setAuthorizationFailureHandler(ReactiveOAuth2AuthorizationFailureHandler) so that authentication and authorization failures returned from a Resource Server remove the authorized client and a new token is retrieved for future requests.

      Parameters:
      authorizedClientManager - the ReactiveOAuth2AuthorizedClientManager which manages the authorized client(s)
      Since:
      5.2
    • ServerOAuth2AuthorizedClientExchangeFilterFunction

      public ServerOAuth2AuthorizedClientExchangeFilterFunction(ReactiveClientRegistrationRepository clientRegistrationRepository, ServerOAuth2AuthorizedClientRepository authorizedClientRepository)
      Constructs a ServerOAuth2AuthorizedClientExchangeFilterFunction using the provided parameters.

      Since 5.3, when this constructor is used, authentication (HTTP 401) and authorization (HTTP 403) failures returned from an OAuth 2.0 Resource Server will be forwarded to a RemoveAuthorizedClientReactiveOAuth2AuthorizationFailureHandler, which will potentially remove the OAuth2AuthorizedClient from the given ServerOAuth2AuthorizedClientRepository, depending on the OAuth 2.0 error code returned. Authentication failures returned from an OAuth 2.0 Resource Server typically indicate that the token is invalid, and should not be used in future requests. Removing the authorized client from the repository will ensure that the existing token will not be sent for future requests to the Resource Server, and a new token is retrieved from Authorization Server and used for future requests to the Resource Server.

      Parameters:
      clientRegistrationRepository - the repository of client registrations
      authorizedClientRepository - the repository of authorized clients
  • Method Details

    • oauth2AuthorizedClient

      public static Consumer<Map<String,Object>> oauth2AuthorizedClient(OAuth2AuthorizedClient authorizedClient)
      Modifies the ClientRequest.attributes() to include the OAuth2AuthorizedClient to be used for providing the Bearer Token. Example usage:
       WebClient webClient = WebClient.builder()
          .filter(new ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager))
          .build();
       Mono<String> response = webClient
          .get()
          .uri(uri)
          .attributes(oauth2AuthorizedClient(authorizedClient))
          // ...
          .retrieve()
          .bodyToMono(String.class);
       
      An attempt to automatically refresh the token will be made if all of the following are true:
      • A refresh token is present on the OAuth2AuthorizedClient
      • The access token will expire within 1 minute (the default)
      The refreshed OAuth2AuthorizedClient is saved using the Authentication from the ReactiveSecurityContextHolder. If the security context is empty, the principal name on the OAuth2AuthorizedClient is used to create an Authentication for saving.
      Parameters:
      authorizedClient - the OAuth2AuthorizedClient to use.
      Returns:
      the Consumer to populate the client request attributes
    • serverWebExchange

      public static Consumer<Map<String,Object>> serverWebExchange(org.springframework.web.server.ServerWebExchange serverWebExchange)
      Modifies the ClientRequest.attributes() to include the ServerWebExchange to be used for providing the Bearer Token. Example usage:
       WebClient webClient = WebClient.builder()
          .filter(new ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager))
          .build();
       Mono<String> response = webClient
          .get()
          .uri(uri)
          .attributes(serverWebExchange(serverWebExchange))
          // ...
          .retrieve()
          .bodyToMono(String.class);
       
      Parameters:
      serverWebExchange - the ServerWebExchange to use
      Returns:
      the Consumer to populate the client request attributes
    • clientRegistrationId

      public static Consumer<Map<String,Object>> clientRegistrationId(String clientRegistrationId)
      Modifies the ClientRequest.attributes() to include the ClientRegistration.getRegistrationId() to be used to look up the OAuth2AuthorizedClient.
      Parameters:
      clientRegistrationId - the ClientRegistration.getRegistrationId() to be used to look up the OAuth2AuthorizedClient.
      Returns:
      the Consumer to populate the attributes
    • setDefaultOAuth2AuthorizedClient

      public void setDefaultOAuth2AuthorizedClient(boolean defaultOAuth2AuthorizedClient)
      If true, a default OAuth2AuthorizedClient can be discovered from the current Authentication (for a user authenticated via OAuth 2.0 Login, the OAuth2AuthorizedClient of the ClientRegistration used to log in). It is recommended to be cautious with this feature: every request sent through this WebClient that does not specify an OAuth2AuthorizedClient or registration id attribute will carry that access token if it can be resolved from the current Authentication, regardless of the host the request is addressed to.
      Parameters:
      defaultOAuth2AuthorizedClient - true if a default OAuth2AuthorizedClient should be used, else false. Default is false.
    • setDefaultClientRegistrationId

      public void setDefaultClientRegistrationId(String clientRegistrationId)
      If set, will be used as the default ClientRegistration.getRegistrationId() for requests that do not specify one via attributes. It is recommended to be cautious with this feature: every request sent through this WebClient will receive the access token for that registration, regardless of the host the request is addressed to, so such a WebClient should be reserved for the Resource Server the registration is intended for.
      Parameters:
      clientRegistrationId - the id to use
    • filter

      public reactor.core.publisher.Mono<org.springframework.web.reactive.function.client.ClientResponse> filter(org.springframework.web.reactive.function.client.ClientRequest request, org.springframework.web.reactive.function.client.ExchangeFunction next)
      Resolves the OAuth2AuthorizedClient for the request from its attributes (see oauth2AuthorizedClient(OAuth2AuthorizedClient) and clientRegistrationId(String)) or from the configured defaults, adds its access token to the request as a Bearer Token, and forwards HTTP 401 and HTTP 403 responses from the Resource Server to the configured ReactiveOAuth2AuthorizationFailureHandler. If no OAuth2AuthorizedClient can be resolved, the request is sent unchanged, without an Authorization header.
      Specified by:
      filter in interface org.springframework.web.reactive.function.client.ExchangeFilterFunction
    • setAuthorizationFailureHandler

      public void setAuthorizationFailureHandler(ReactiveOAuth2AuthorizationFailureHandler authorizationFailureHandler)
      Sets the handler that handles authentication and authorization failures when communicating to the OAuth 2.0 Resource Server.

      For example, a RemoveAuthorizedClientReactiveOAuth2AuthorizationFailureHandler is typically used to remove the cached OAuth2AuthorizedClient, so that the same token is no longer used in future requests to the Resource Server.

      The failure handler used by default depends on which constructor was used to construct this ServerOAuth2AuthorizedClientExchangeFilterFunction. See the constructors for more details.

      Parameters:
      authorizationFailureHandler - the handler that handles authentication and authorization failures.
      Since:
      5.3
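Putting the attribute helpers above (oauth2AuthorizedClient, serverWebExchange and clientRegistrationId) to use in a WebFlux controller, as an added example that is not part of this Javadoc or of the Spring Security project. It assumes a Spring Boot WebFlux application with OAuth 2.0 Client support configured (so that @RegisteredOAuth2AuthorizedClient arguments are resolved), a WebClient bean that already carries a ServerOAuth2AuthorizedClientExchangeFilterFunction, a ClientRegistration with id "messaging-client", and a Resource Server endpoint /messages; all of these names are placeholders.

```java
import static org.springframework.security.oauth2.client.web.reactive.function.client.ServerOAuth2AuthorizedClientExchangeFilterFunction.clientRegistrationId;
import static org.springframework.security.oauth2.client.web.reactive.function.client.ServerOAuth2AuthorizedClientExchangeFilterFunction.oauth2AuthorizedClient;
import static org.springframework.security.oauth2.client.web.reactive.function.client.ServerOAuth2AuthorizedClientExchangeFilterFunction.serverWebExchange;

import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.annotation.RegisteredOAuth2AuthorizedClient;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.reactive.function.client.WebClient;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

/**
 * Added example controller (assumed names). Each handler tells the filter explicitly
 * which OAuth2AuthorizedClient to use, instead of relying on the setDefault* settings,
 * so only these requests carry a Bearer Token.
 */
@RestController
public class MessagesController {

    // Assumed: a WebClient bean built with ServerOAuth2AuthorizedClientExchangeFilterFunction.
    private final WebClient webClient;

    public MessagesController(WebClient webClient) {
        this.webClient = webClient;
    }

    // Variant 1: Spring Security resolves the authorized client for the current user and
    // the "messaging-client" registration; the filter just uses it (refreshing if needed).
    @GetMapping("/messages/explicit")
    public Mono<String> explicit(
            @RegisteredOAuth2AuthorizedClient("messaging-client") OAuth2AuthorizedClient client) {
        return this.webClient.get()
                .uri("/messages")
                .attributes(oauth2AuthorizedClient(client))
                .retrieve()
                .bodyToMono(String.class);
    }

    // Variant 2: the filter looks up (or obtains) the authorized client itself from the
    // registration id and the current principal. Passing the ServerWebExchange explicitly
    // lets a newly obtained client be saved to the exchange-backed repository without
    // depending on the exchange being present in the Reactor context.
    @GetMapping("/messages/by-id")
    public Mono<String> byRegistrationId(ServerWebExchange exchange) {
        return this.webClient.get()
                .uri("/messages")
                .attributes(clientRegistrationId("messaging-client"))
                .attributes(serverWebExchange(exchange))
                .retrieve()
                .bodyToMono(String.class);
    }
}
```

Per-request attributes keep the token scoped to the calls that need it. setDefaultOAuth2AuthorizedClient(true) or setDefaultClientRegistrationId(...) removes the boilerplate, but then every request through that WebClient carries the token, so such a WebClient must be dedicated to the one Resource Server and never reused for other hosts.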