Class ServerOAuth2AuthorizedClientExchangeFilterFunction
- All Implemented Interfaces:
org.springframework.web.reactive.function.client.ExchangeFilterFunction
OAuth2AuthorizedClient
to make OAuth2
requests by including the token as a Bearer Token.
Authentication and Authorization Failures
Since 5.3, this filter function has the ability to forward authentication (HTTP 401
Unauthorized) and authorization (HTTP 403 Forbidden) failures from an OAuth 2.0
Resource Server to a ReactiveOAuth2AuthorizationFailureHandler
. A
RemoveAuthorizedClientReactiveOAuth2AuthorizationFailureHandler
can be used to
remove the cached OAuth2AuthorizedClient
, so that future requests will result
in a new token being retrieved from an Authorization Server, and sent to the Resource
Server.
If the
ServerOAuth2AuthorizedClientExchangeFilterFunction(ReactiveClientRegistrationRepository, ServerOAuth2AuthorizedClientRepository)
constructor is used, a
RemoveAuthorizedClientReactiveOAuth2AuthorizationFailureHandler
will be
configured automatically.
If the
ServerOAuth2AuthorizedClientExchangeFilterFunction(ReactiveOAuth2AuthorizedClientManager)
constructor is used, a
RemoveAuthorizedClientReactiveOAuth2AuthorizationFailureHandler
will
NOT be configured automatically. It is recommended that you configure one via
setAuthorizationFailureHandler(ReactiveOAuth2AuthorizationFailureHandler)
.
- Since:
- 5.1
-
Constructor Summary
ConstructorDescriptionServerOAuth2AuthorizedClientExchangeFilterFunction
(ReactiveOAuth2AuthorizedClientManager authorizedClientManager) Constructs aServerOAuth2AuthorizedClientExchangeFilterFunction
using the provided parameters.ServerOAuth2AuthorizedClientExchangeFilterFunction
(ReactiveClientRegistrationRepository clientRegistrationRepository, ServerOAuth2AuthorizedClientRepository authorizedClientRepository) Constructs aServerOAuth2AuthorizedClientExchangeFilterFunction
using the provided parameters. -
Method Summary
Modifier and TypeMethodDescriptionclientRegistrationId
(String clientRegistrationId) Modifies theClientRequest.attributes()
to include theClientRegistration.getRegistrationId()
to be used to look up theOAuth2AuthorizedClient
.reactor.core.publisher.Mono<org.springframework.web.reactive.function.client.ClientResponse>
filter
(org.springframework.web.reactive.function.client.ClientRequest request, org.springframework.web.reactive.function.client.ExchangeFunction next) oauth2AuthorizedClient
(OAuth2AuthorizedClient authorizedClient) Modifies theClientRequest.attributes()
to include theOAuth2AuthorizedClient
to be used for providing the Bearer Token.serverWebExchange
(org.springframework.web.server.ServerWebExchange serverWebExchange) Modifies theClientRequest.attributes()
to include theServerWebExchange
to be used for providing the Bearer Token.void
setAuthorizationFailureHandler
(ReactiveOAuth2AuthorizationFailureHandler authorizationFailureHandler) Sets the handler that handles authentication and authorization failures when communicating to the OAuth 2.0 Resource Server.void
setDefaultClientRegistrationId
(String clientRegistrationId) If set, will be used as the defaultClientRegistration.getRegistrationId()
.void
setDefaultOAuth2AuthorizedClient
(boolean defaultOAuth2AuthorizedClient) If true, a defaultOAuth2AuthorizedClient
can be discovered from the current Authentication.Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Methods inherited from interface org.springframework.web.reactive.function.client.ExchangeFilterFunction
andThen, apply
-
Constructor Details
-
ServerOAuth2AuthorizedClientExchangeFilterFunction
public ServerOAuth2AuthorizedClientExchangeFilterFunction(ReactiveOAuth2AuthorizedClientManager authorizedClientManager) Constructs aServerOAuth2AuthorizedClientExchangeFilterFunction
using the provided parameters.When this constructor is used, authentication (HTTP 401) and authorization (HTTP 403) failures returned from a OAuth 2.0 Resource Server will NOT be forwarded to a
ReactiveOAuth2AuthorizationFailureHandler
. Therefore, future requests to the Resource Server will most likely use the same (most likely invalid) token, resulting in the same errors returned from the Resource Server. It is recommended to configure aRemoveAuthorizedClientReactiveOAuth2AuthorizationFailureHandler
viasetAuthorizationFailureHandler(ReactiveOAuth2AuthorizationFailureHandler)
so that authentication and authorization failures returned from a Resource Server will result in removing the authorized client, so that a new token is retrieved for future requests.- Parameters:
authorizedClientManager
- theReactiveOAuth2AuthorizedClientManager
which manages the authorized client(s)- Since:
- 5.2
-
ServerOAuth2AuthorizedClientExchangeFilterFunction
public ServerOAuth2AuthorizedClientExchangeFilterFunction(ReactiveClientRegistrationRepository clientRegistrationRepository, ServerOAuth2AuthorizedClientRepository authorizedClientRepository) Constructs aServerOAuth2AuthorizedClientExchangeFilterFunction
using the provided parameters.Since 5.3, when this constructor is used, authentication (HTTP 401) and authorization (HTTP 403) failures returned from an OAuth 2.0 Resource Server will be forwarded to a
RemoveAuthorizedClientReactiveOAuth2AuthorizationFailureHandler
, which will potentially remove theOAuth2AuthorizedClient
from the givenServerOAuth2AuthorizedClientRepository
, depending on the OAuth 2.0 error code returned. Authentication failures returned from an OAuth 2.0 Resource Server typically indicate that the token is invalid, and should not be used in future requests. Removing the authorized client from the repository will ensure that the existing token will not be sent for future requests to the Resource Server, and a new token is retrieved from Authorization Server and used for future requests to the Resource Server.- Parameters:
clientRegistrationRepository
- the repository of client registrationsauthorizedClientRepository
- the repository of authorized clients
-
-
Method Details
-
oauth2AuthorizedClient
public static Consumer<Map<String,Object>> oauth2AuthorizedClient(OAuth2AuthorizedClient authorizedClient) Modifies theClientRequest.attributes()
to include theOAuth2AuthorizedClient
to be used for providing the Bearer Token. Example usage:WebClient webClient = WebClient.builder() .filter(new ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager)) .build(); Mono<String> response = webClient .get() .uri(uri) .attributes(oauth2AuthorizedClient(authorizedClient)) // ... .retrieve() .bodyToMono(String.class);
An attempt to automatically refresh the token will be made if all of the following are true:- A refresh token is present on the OAuth2AuthorizedClient
- The access token will be expired in 1 minute (the default)
- The
ReactiveSecurityContextHolder
will be used to attempt to save the token. If it is empty, then the principal name on the OAuth2AuthorizedClient will be used to create an Authentication for saving.
- Parameters:
authorizedClient
- theOAuth2AuthorizedClient
to use.- Returns:
- the
Consumer
to populate the
-
serverWebExchange
public static Consumer<Map<String,Object>> serverWebExchange(org.springframework.web.server.ServerWebExchange serverWebExchange) Modifies theClientRequest.attributes()
to include theServerWebExchange
to be used for providing the Bearer Token. Example usage:WebClient webClient = WebClient.builder() .filter(new ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager)) .build(); Mono<String> response = webClient .get() .uri(uri) .attributes(serverWebExchange(serverWebExchange)) // ... .retrieve() .bodyToMono(String.class);
- Parameters:
serverWebExchange
- theServerWebExchange
to use- Returns:
- the
Consumer
to populate the client request attributes
-
clientRegistrationId
Modifies theClientRequest.attributes()
to include theClientRegistration.getRegistrationId()
to be used to look up theOAuth2AuthorizedClient
.- Parameters:
clientRegistrationId
- theClientRegistration.getRegistrationId()
to be used to look up theOAuth2AuthorizedClient
.- Returns:
- the
Consumer
to populate the attributes
-
setDefaultOAuth2AuthorizedClient
public void setDefaultOAuth2AuthorizedClient(boolean defaultOAuth2AuthorizedClient) If true, a defaultOAuth2AuthorizedClient
can be discovered from the current Authentication. It is recommended to be cautious with this feature since all HTTP requests will receive the access token if it can be resolved from the current Authentication.- Parameters:
defaultOAuth2AuthorizedClient
- true if a defaultOAuth2AuthorizedClient
should be used, else false. Default is false.
-
setDefaultClientRegistrationId
If set, will be used as the defaultClientRegistration.getRegistrationId()
. It is recommended to be cautious with this feature since all HTTP requests will receive the access token.- Parameters:
clientRegistrationId
- the id to use
-
filter
public reactor.core.publisher.Mono<org.springframework.web.reactive.function.client.ClientResponse> filter(org.springframework.web.reactive.function.client.ClientRequest request, org.springframework.web.reactive.function.client.ExchangeFunction next) - Specified by:
filter
in interfaceorg.springframework.web.reactive.function.client.ExchangeFilterFunction
-
setAuthorizationFailureHandler
public void setAuthorizationFailureHandler(ReactiveOAuth2AuthorizationFailureHandler authorizationFailureHandler) Sets the handler that handles authentication and authorization failures when communicating to the OAuth 2.0 Resource Server.For example, a
RemoveAuthorizedClientReactiveOAuth2AuthorizationFailureHandler
is typically used to remove the cachedOAuth2AuthorizedClient
, so that the same token is no longer used in future requests to the Resource Server.The failure handler used by default depends on which constructor was used to construct this
ServerOAuth2AuthorizedClientExchangeFilterFunction
. See the constructors for more details.- Parameters:
authorizationFailureHandler
- the handler that handles authentication and authorization failures.- Since:
- 5.3
-