@ -93,7 +93,9 @@ The `OAuth2AuthorizedClientManager` is responsible for managing the authorizatio
@@ -93,7 +93,9 @@ The `OAuth2AuthorizedClientManager` is responsible for managing the authorizatio
The following code shows an example of how to register an `OAuth2AuthorizedClientManager` `@Bean` and associate it with an `OAuth2AuthorizedClientProvider` composite that provides support for the `authorization_code`, `refresh_token`, `client_credentials` and `password` authorization grant types:
[source,java]
====
.Java
[source,java,role="primary"]
----
@Bean
public OAuth2AuthorizedClientManager authorizedClientManager(
@ -117,6 +119,27 @@ public OAuth2AuthorizedClientManager authorizedClientManager(
@@ -117,6 +119,27 @@ public OAuth2AuthorizedClientManager authorizedClientManager(
The following sections will go into more detail on the core components used by OAuth 2.0 Client and the configuration options available:
* <<oauth2Client-core-interface-class>>
@ -206,12 +229,21 @@ A `ClientRegistration` can be initially configured using discovery of an OpenID
@@ -206,12 +229,21 @@ A `ClientRegistration` can be initially configured using discovery of an OpenID
`ClientRegistrations` provides convenience methods for configuring a `ClientRegistration` in this way, as can be seen in the following example:
val clientRegistration = ClientRegistrations.fromIssuerLocation("https://idp.example.com/issuer").build()
----
====
The above code will query in series `https://idp.example.com/issuer/.well-known/openid-configuration`, and then `https://idp.example.com/.well-known/openid-configuration/issuer`, and finally `https://idp.example.com/.well-known/oauth-authorization-server/issuer`, stopping at the first to return a 200 response.
As an alternative, you can use `ClientRegistrations.fromOidcIssuerLocation()` to only query the OpenID Connect Provider's Configuration endpoint.
@ -234,7 +266,9 @@ The auto-configuration also registers the `ClientRegistrationRepository` as a `@
@@ -234,7 +266,9 @@ The auto-configuration also registers the `ClientRegistrationRepository` as a `@
The following listing shows an example:
[source,java]
====
.Java
[source,java,role="primary"]
----
@Controller
public class OAuth2ClientController {
@ -254,6 +288,27 @@ public class OAuth2ClientController {
@@ -254,6 +288,27 @@ public class OAuth2ClientController {
}
----
.Kotlin
[source,kotlin,role="secondary"]
----
@Controller
class OAuth2ClientController {
@Autowired
private lateinit var clientRegistrationRepository: ClientRegistrationRepository
@ -274,7 +329,9 @@ From a developer perspective, the `OAuth2AuthorizedClientRepository` or `OAuth2A
@@ -274,7 +329,9 @@ From a developer perspective, the `OAuth2AuthorizedClientRepository` or `OAuth2A
The following listing shows an example:
[source,java]
====
.Java
[source,java,role="primary"]
----
@Controller
public class OAuth2ClientController {
@ -296,6 +353,29 @@ public class OAuth2ClientController {
@@ -296,6 +353,29 @@ public class OAuth2ClientController {
}
----
.Kotlin
[source,kotlin,role="secondary"]
----
@Controller
class OAuth2ClientController {
@Autowired
private lateinit var authorizedClientService: OAuth2AuthorizedClientService
@GetMapping("/")
fun index(authentication: Authentication): String {
Spring Boot 2.x auto-configuration registers an `OAuth2AuthorizedClientRepository` and/or `OAuth2AuthorizedClientService` `@Bean` in the `ApplicationContext`.
However, the application may choose to override and register a custom `OAuth2AuthorizedClientRepository` or `OAuth2AuthorizedClientService` `@Bean`.
@ -328,7 +408,9 @@ The `OAuth2AuthorizedClientProviderBuilder` may be used to configure and build t
@@ -328,7 +408,9 @@ The `OAuth2AuthorizedClientProviderBuilder` may be used to configure and build t
The following code shows an example of how to configure and build an `OAuth2AuthorizedClientProvider` composite that provides support for the `authorization_code`, `refresh_token`, `client_credentials` and `password` authorization grant types:
[source,java]
====
.Java
[source,java,role="primary"]
----
@Bean
public OAuth2AuthorizedClientManager authorizedClientManager(
@ -352,6 +434,27 @@ public OAuth2AuthorizedClientManager authorizedClientManager(
@@ -352,6 +434,27 @@ public OAuth2AuthorizedClientManager authorizedClientManager(
When an authorization attempt succeeds, the `DefaultOAuth2AuthorizedClientManager` will delegate to the `OAuth2AuthorizationSuccessHandler`, which (by default) will save the `OAuth2AuthorizedClient` via the `OAuth2AuthorizedClientRepository`.
In the case of a re-authorization failure, eg. a refresh token is no longer valid, the previously saved `OAuth2AuthorizedClient` will be removed from the `OAuth2AuthorizedClientRepository` via the `RemoveAuthorizedClientOAuth2AuthorizationFailureHandler`.
The default behaviour may be customized via `setAuthorizationSuccessHandler(OAuth2AuthorizationSuccessHandler)` and `setAuthorizationFailureHandler(OAuth2AuthorizationFailureHandler)`.
@ -361,7 +464,9 @@ This can be useful when you need to supply an `OAuth2AuthorizedClientProvider` w
@@ -361,7 +464,9 @@ This can be useful when you need to supply an `OAuth2AuthorizedClientProvider` w
The following code shows an example of the `contextAttributesMapper`:
[source,java]
====
.Java
[source,java,role="primary"]
----
@Bean
public OAuth2AuthorizedClientManager authorizedClientManager(
The `DefaultOAuth2AuthorizedClientManager` is designed to be used *_within_* the context of a `HttpServletRequest`.
When operating *_outside_* of a `HttpServletRequest` context, use `AuthorizedClientServiceOAuth2AuthorizedClientManager` instead.
@ -413,7 +558,9 @@ An OAuth 2.0 Client configured with the `client_credentials` grant type can be c
@@ -413,7 +558,9 @@ An OAuth 2.0 Client configured with the `client_credentials` grant type can be c
The following code shows an example of how to configure an `AuthorizedClientServiceOAuth2AuthorizedClientManager` that provides support for the `client_credentials` grant type:
[source,java]
====
.Java
[source,java,role="primary"]
----
@Bean
public OAuth2AuthorizedClientManager authorizedClientManager(
@ -434,6 +581,24 @@ public OAuth2AuthorizedClientManager authorizedClientManager(
@@ -434,6 +581,24 @@ public OAuth2AuthorizedClientManager authorizedClientManager(
@ -545,7 +710,9 @@ OPTIONAL. Space delimited, case sensitive list of ASCII string values that speci
@@ -545,7 +710,9 @@ OPTIONAL. Space delimited, case sensitive list of ASCII string values that speci
The following example shows how to configure the `DefaultOAuth2AuthorizationRequestResolver` with a `Consumer<OAuth2AuthorizationRequest.Builder>` that customizes the Authorization Request for `oauth2Login()`, by including the request parameter `prompt=consent`.
[source,java]
====
.Java
[source,java,role="primary"]
----
@EnableWebSecurity
public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
@ -587,6 +754,47 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
@@ -587,6 +754,47 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
}
----
.Kotlin
[source,kotlin,role="secondary"]
----
@EnableWebSecurity
class SecurityConfig : WebSecurityConfigurerAdapter() {
@Autowired
private lateinit var customClientRegistrationRepository: ClientRegistrationRepository
For the simple use case, where the additional request parameter is always the same for a specific provider, it may be added directly in the `authorization-uri` property.
For example, if the value for the request parameter `prompt` is always `consent` for the provider `okta`, than simply configure as follows:
@ -610,7 +818,9 @@ Alternatively, if your requirements are more advanced, you can take full control
@@ -610,7 +818,9 @@ Alternatively, if your requirements are more advanced, you can take full control
The following example shows a variation of `authorizationRequestCustomizer()` from the preceding example, and instead overrides the `OAuth2AuthorizationRequest.authorizationRequestUri` property.
@ -705,7 +930,9 @@ IMPORTANT: The custom `Converter` must return a valid `RequestEntity` representa
@@ -705,7 +930,9 @@ IMPORTANT: The custom `Converter` must return a valid `RequestEntity` representa
On the other end, if you need to customize the post-handling of the Token Response, you will need to provide `DefaultAuthorizationCodeTokenResponseClient.setRestOperations()` with a custom configured `RestOperations`.
The default `RestOperations` is configured as follows:
[source,java]
====
.Java
[source,java,role="primary"]
----
RestTemplate restTemplate = new RestTemplate(Arrays.asList(
new FormHttpMessageConverter(),
@ -714,6 +941,17 @@ RestTemplate restTemplate = new RestTemplate(Arrays.asList(
@@ -714,6 +941,17 @@ RestTemplate restTemplate = new RestTemplate(Arrays.asList(
TIP: Spring MVC `FormHttpMessageConverter` is required as it's used when sending the OAuth 2.0 Access Token Request.
`OAuth2AccessTokenResponseHttpMessageConverter` is a `HttpMessageConverter` for an OAuth 2.0 Access Token Response.
@ -806,7 +1044,9 @@ IMPORTANT: The custom `Converter` must return a valid `RequestEntity` representa
@@ -806,7 +1044,9 @@ IMPORTANT: The custom `Converter` must return a valid `RequestEntity` representa
On the other end, if you need to customize the post-handling of the Token Response, you will need to provide `DefaultRefreshTokenTokenResponseClient.setRestOperations()` with a custom configured `RestOperations`.
The default `RestOperations` is configured as follows:
[source,java]
====
.Java
[source,java,role="primary"]
----
RestTemplate restTemplate = new RestTemplate(Arrays.asList(
new FormHttpMessageConverter(),
@ -815,6 +1055,17 @@ RestTemplate restTemplate = new RestTemplate(Arrays.asList(
@@ -815,6 +1055,17 @@ RestTemplate restTemplate = new RestTemplate(Arrays.asList(
TIP: Spring MVC `FormHttpMessageConverter` is required as it's used when sending the OAuth 2.0 Access Token Request.
`OAuth2AccessTokenResponseHttpMessageConverter` is a `HttpMessageConverter` for an OAuth 2.0 Access Token Response.
@ -825,7 +1076,9 @@ It uses an `OAuth2ErrorHttpMessageConverter` for converting the OAuth 2.0 Error
@@ -825,7 +1076,9 @@ It uses an `OAuth2ErrorHttpMessageConverter` for converting the OAuth 2.0 Error
Whether you customize `DefaultRefreshTokenTokenResponseClient` or provide your own implementation of `OAuth2AccessTokenResponseClient`, you'll need to configure it as shown in the following example:
`OAuth2AuthorizedClientProviderBuilder.builder().refreshToken()` configures a `RefreshTokenOAuth2AuthorizedClientProvider`,
which is an implementation of an `OAuth2AuthorizedClientProvider` for the Refresh Token grant.
@ -880,7 +1150,9 @@ IMPORTANT: The custom `Converter` must return a valid `RequestEntity` representa
@@ -880,7 +1150,9 @@ IMPORTANT: The custom `Converter` must return a valid `RequestEntity` representa
On the other end, if you need to customize the post-handling of the Token Response, you will need to provide `DefaultClientCredentialsTokenResponseClient.setRestOperations()` with a custom configured `RestOperations`.
The default `RestOperations` is configured as follows:
[source,java]
====
.Java
[source,java,role="primary"]
----
RestTemplate restTemplate = new RestTemplate(Arrays.asList(
new FormHttpMessageConverter(),
@ -889,6 +1161,17 @@ RestTemplate restTemplate = new RestTemplate(Arrays.asList(
@@ -889,6 +1161,17 @@ RestTemplate restTemplate = new RestTemplate(Arrays.asList(
TIP: Spring MVC `FormHttpMessageConverter` is required as it's used when sending the OAuth 2.0 Access Token Request.
`OAuth2AccessTokenResponseHttpMessageConverter` is a `HttpMessageConverter` for an OAuth 2.0 Access Token Response.
@ -899,7 +1182,9 @@ It uses an `OAuth2ErrorHttpMessageConverter` for converting the OAuth 2.0 Error
@@ -899,7 +1182,9 @@ It uses an `OAuth2ErrorHttpMessageConverter` for converting the OAuth 2.0 Error
Whether you customize `DefaultClientCredentialsTokenResponseClient` or provide your own implementation of `OAuth2AccessTokenResponseClient`, you'll need to configure it as shown in the following example:
val authorizedClient = authorizedClientManager.authorize(authorizeRequest)
val accessToken: OAuth2AccessToken = authorizedClient.accessToken
...
return "index"
}
}
----
====
[NOTE]
`HttpServletRequest` and `HttpServletResponse` are both OPTIONAL attributes.
If not provided, it will default to `ServletRequestAttributes` using `RequestContextHolder.getRequestAttributes()`.
@ -1031,7 +1384,9 @@ IMPORTANT: The custom `Converter` must return a valid `RequestEntity` representa
@@ -1031,7 +1384,9 @@ IMPORTANT: The custom `Converter` must return a valid `RequestEntity` representa
On the other end, if you need to customize the post-handling of the Token Response, you will need to provide `DefaultPasswordTokenResponseClient.setRestOperations()` with a custom configured `RestOperations`.
The default `RestOperations` is configured as follows:
[source,java]
====
.Java
[source,java,role="primary"]
----
RestTemplate restTemplate = new RestTemplate(Arrays.asList(
new FormHttpMessageConverter(),
@ -1040,6 +1395,17 @@ RestTemplate restTemplate = new RestTemplate(Arrays.asList(
@@ -1040,6 +1395,17 @@ RestTemplate restTemplate = new RestTemplate(Arrays.asList(
TIP: Spring MVC `FormHttpMessageConverter` is required as it's used when sending the OAuth 2.0 Access Token Request.
`OAuth2AccessTokenResponseHttpMessageConverter` is a `HttpMessageConverter` for an OAuth 2.0 Access Token Response.
@ -1050,7 +1416,9 @@ It uses an `OAuth2ErrorHttpMessageConverter` for converting the OAuth 2.0 Error
@@ -1050,7 +1416,9 @@ It uses an `OAuth2ErrorHttpMessageConverter` for converting the OAuth 2.0 Error
Whether you customize `DefaultPasswordTokenResponseClient` or provide your own implementation of `OAuth2AccessTokenResponseClient`, you'll need to configure it as shown in the following example:
val authorizedClient = authorizedClientManager.authorize(authorizeRequest)
val accessToken: OAuth2AccessToken = authorizedClient.accessToken
...
return "index"
}
}
----
====
[NOTE]
`HttpServletRequest` and `HttpServletResponse` are both OPTIONAL attributes.
If not provided, it will default to `ServletRequestAttributes` using `RequestContextHolder.getRequestAttributes()`.
@ -1184,7 +1641,9 @@ If not provided, it will default to `ServletRequestAttributes` using `RequestCon
@@ -1184,7 +1641,9 @@ If not provided, it will default to `ServletRequestAttributes` using `RequestCon
The `@RegisteredOAuth2AuthorizedClient` annotation provides the capability of resolving a method parameter to an argument value of type `OAuth2AuthorizedClient`.
This is a convenient alternative compared to accessing the `OAuth2AuthorizedClient` using the `OAuth2AuthorizedClientManager` or `OAuth2AuthorizedClientService`.
[source,java]
====
.Java
[source,java,role="primary"]
----
@Controller
public class OAuth2ClientController {
@ -1200,6 +1659,23 @@ public class OAuth2ClientController {
@@ -1200,6 +1659,23 @@ public class OAuth2ClientController {
}
----
.Kotlin
[source,kotlin,role="secondary"]
----
@Controller
class OAuth2ClientController {
@GetMapping("/")
fun index(@RegisteredOAuth2AuthorizedClient("okta") authorizedClient: OAuth2AuthorizedClient): String {
val accessToken = authorizedClient.accessToken
...
return "index"
}
}
----
====
The `@RegisteredOAuth2AuthorizedClient` annotation is handled by `OAuth2AuthorizedClientArgumentResolver`, which directly uses an <<oauth2Client-authorized-manager-provider, OAuth2AuthorizedClientManager>> and therefore inherits it's capabilities.
@ -1219,7 +1695,9 @@ It directly uses an <<oauth2Client-authorized-manager-provider, OAuth2Authorized
@@ -1219,7 +1695,9 @@ It directly uses an <<oauth2Client-authorized-manager-provider, OAuth2Authorized
The following code shows an example of how to configure `WebClient` with OAuth 2.0 Client support:
fun webClient(authorizedClientManager: OAuth2AuthorizedClientManager?): WebClient {
val oauth2Client = ServletOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager)
return WebClient.builder()
.apply(oauth2Client.oauth2Configuration())
.build()
}
----
====
==== Providing the Authorized Client
@ -1238,7 +1728,9 @@ The `ServletOAuth2AuthorizedClientExchangeFilterFunction` determines the client
@@ -1238,7 +1728,9 @@ The `ServletOAuth2AuthorizedClientExchangeFilterFunction` determines the client
The following code shows how to set an `OAuth2AuthorizedClient` as a request attribute:
[source,java]
====
.Java
[source,java,role="primary"]
----
@GetMapping("/")
public String index(@RegisteredOAuth2AuthorizedClient("okta") OAuth2AuthorizedClient authorizedClient) {
@ -1257,11 +1749,35 @@ public String index(@RegisteredOAuth2AuthorizedClient("okta") OAuth2AuthorizedCl
@@ -1257,11 +1749,35 @@ public String index(@RegisteredOAuth2AuthorizedClient("okta") OAuth2AuthorizedCl
return "index";
}
----
.Kotlin
[source,kotlin,role="secondary"]
----
@GetMapping("/")
fun index(@RegisteredOAuth2AuthorizedClient("okta") authorizedClient: OAuth2AuthorizedClient): String {
<1> `oauth2AuthorizedClient()` is a `static` method in `ServletOAuth2AuthorizedClientExchangeFilterFunction`.
The following code shows how to set the `ClientRegistration.getRegistrationId()` as a request attribute:
[source,java]
====
.Java
[source,java,role="primary"]
----
@GetMapping("/")
public String index() {
@ -1280,6 +1796,28 @@ public String index() {
@@ -1280,6 +1796,28 @@ public String index() {
return "index";
}
----
.Kotlin
[source,kotlin,role="secondary"]
----
@GetMapping("/")
fun index(): String {
val resourceUri: String = ...
val body: String = webClient
.get()
.uri(resourceUri)
.attributes(clientRegistrationId("okta")) <1>
.retrieve()
.bodyToMono()
.block()
...
return "index"
}
----
====
<1> `clientRegistrationId()` is a `static` method in `ServletOAuth2AuthorizedClientExchangeFilterFunction`.
@ -1291,7 +1829,9 @@ If `setDefaultOAuth2AuthorizedClient(true)` is configured and the user has authe
@@ -1291,7 +1829,9 @@ If `setDefaultOAuth2AuthorizedClient(true)` is configured and the user has authe
The following code shows the specific configuration:
It is recommended to be cautious with this feature since all HTTP requests will receive the access token.
@ -1311,7 +1865,9 @@ Alternatively, if `setDefaultClientRegistrationId("okta")` is configured with a
@@ -1311,7 +1865,9 @@ Alternatively, if `setDefaultClientRegistrationId("okta")` is configured with a
The following code shows the specific configuration:
Eleftheria Stein
5 years ago