[[oauth2-client]]
= OAuth 2.0 Client
:page-section-summary-toc: 1

The OAuth 2.0 Client features provide support for the Client role as defined in the https://tools.ietf.org/html/rfc6749#section-1.1[OAuth 2.0 Authorization Framework].

At a high level, the core features available are:

.Authorization Grant support
* xref:servlet/oauth2/client/authorization-grants.adoc#oauth2-client-authorization-code[Authorization Code]
* xref:servlet/oauth2/client/authorization-grants.adoc#oauth2-client-refresh-token[Refresh Token]
* xref:servlet/oauth2/client/authorization-grants.adoc#oauth2-client-client-credentials[Client Credentials]
* xref:servlet/oauth2/client/authorization-grants.adoc#oauth2-client-password[Resource Owner Password Credentials]
* xref:servlet/oauth2/client/authorization-grants.adoc#oauth2-client-jwt-bearer[JWT Bearer]
* xref:servlet/oauth2/client/authorization-grants.adoc#oauth2-client-token-exchange[Token Exchange]

.Client Authentication support
* xref:servlet/oauth2/client/client-authentication.adoc#oauth2-client-authentication-jwt-bearer[JWT Bearer]

.HTTP Client support (for requesting protected resources)
* xref:servlet/oauth2/client/authorized-clients.adoc#oauth2-client-rest-client[`RestClient` integration]
* xref:servlet/oauth2/client/authorized-clients.adoc#oauth2-client-web-client[`WebClient` integration for Servlet Environments]

The `HttpSecurity.oauth2Client()` DSL provides a number of configuration options for customizing the core components used by OAuth 2.0 Client.
In addition, `HttpSecurity.oauth2Client().authorizationCodeGrant()` enables the customization of the Authorization Code grant.

The following code shows the complete configuration options provided by the `HttpSecurity.oauth2Client()` DSL:

.OAuth2 Client Configuration Options
[tabs]
======
Java::
+
[source,java,role="primary"]
----
@Configuration
@EnableWebSecurity
public class OAuth2ClientSecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .oauth2Client((oauth2) -> oauth2
                .clientRegistrationRepository(this.clientRegistrationRepository())
                .authorizedClientRepository(this.authorizedClientRepository())
                .authorizedClientService(this.authorizedClientService())
                .authorizationCodeGrant((codeGrant) -> codeGrant
                    .authorizationRequestRepository(this.authorizationRequestRepository())
                    .authorizationRequestResolver(this.authorizationRequestResolver())
                    .accessTokenResponseClient(this.accessTokenResponseClient())
                )
            );
        return http.build();
    }
}
----

Kotlin::
+
[source,kotlin,role="secondary"]
----
@Configuration
@EnableWebSecurity
class OAuth2ClientSecurityConfig {

    @Bean
    open fun filterChain(http: HttpSecurity): SecurityFilterChain {
        http {
            oauth2Client {
                clientRegistrationRepository = clientRegistrationRepository()
                authorizedClientRepository = authorizedClientRepository()
                authorizedClientService = authorizedClientService()
                authorizationCodeGrant {
                    authorizationRequestRepository = authorizationRequestRepository()
                    authorizationRequestResolver = authorizationRequestResolver()
                    accessTokenResponseClient = accessTokenResponseClient()
                }
            }
        }
        return http.build()
    }
}
----
======
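
The configuration above refers to an `authorizationRequestResolver()` that the page does not define. The following added example (not part of the original documentation) shows one way to supply it so that PKCE parameters are sent on every Authorization Code request; the class name `PkceOAuth2ClientSecurityConfig`, the helper method name, and the presence of a `ClientRegistrationRepository` bean are assumptions.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestCustomizers;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestResolver;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class PkceOAuth2ClientSecurityConfig {

    // Assumption: a ClientRegistrationRepository bean is defined elsewhere,
    // for example by Spring Boot from application properties.
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http,
            ClientRegistrationRepository clientRegistrationRepository) throws Exception {
        http
            .oauth2Client((oauth2) -> oauth2
                .clientRegistrationRepository(clientRegistrationRepository)
                .authorizationCodeGrant((codeGrant) -> codeGrant
                    .authorizationRequestResolver(
                        pkceAuthorizationRequestResolver(clientRegistrationRepository))
                )
            );
        return http.build();
    }

    // Hypothetical helper: builds the resolver handed to authorizationCodeGrant().
    private OAuth2AuthorizationRequestResolver pkceAuthorizationRequestResolver(
            ClientRegistrationRepository clientRegistrationRepository) {
        DefaultOAuth2AuthorizationRequestResolver resolver =
            new DefaultOAuth2AuthorizationRequestResolver(
                clientRegistrationRepository,
                OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI);
        // withPkce() adds code_challenge and code_challenge_method to the authorization
        // request and stores the code_verifier as a request attribute for the token request.
        resolver.setAuthorizationRequestCustomizer(OAuth2AuthorizationRequestCustomizers.withPkce());
        return resolver;
    }
}
```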

In addition to the `HttpSecurity.oauth2Client()` DSL, XML configuration is also supported.

The following code shows the complete configuration options available in the xref:servlet/appendix/namespace/http.adoc#nsa-oauth2-client[security namespace]:

.OAuth2 Client XML Configuration Options
[source,xml]
----
<http>
    <oauth2-client client-registration-repository-ref="clientRegistrationRepository"
                   authorized-client-repository-ref="authorizedClientRepository"
                   authorized-client-service-ref="authorizedClientService">
        <authorization-code-grant
                authorization-request-repository-ref="authorizationRequestRepository"
                authorization-request-resolver-ref="authorizationRequestResolver"
                access-token-response-client-ref="accessTokenResponseClient"/>
    </oauth2-client>
</http>
----

The `OAuth2AuthorizedClientManager` is responsible for managing the authorization (or re-authorization) of an OAuth 2.0 Client, in collaboration with one or more `OAuth2AuthorizedClientProvider`(s).

The following code shows an example of how to register an `OAuth2AuthorizedClientManager` `@Bean` and associate it with an `OAuth2AuthorizedClientProvider` composite that provides support for the `authorization_code`, `refresh_token`, `client_credentials`, and `password` authorization grant types:

[tabs]
======
Java::
+
[source,java,role="primary"]
----
@Bean
public OAuth2AuthorizedClientManager authorizedClientManager(
        ClientRegistrationRepository clientRegistrationRepository,
        OAuth2AuthorizedClientRepository authorizedClientRepository) {

    OAuth2AuthorizedClientProvider authorizedClientProvider =
            OAuth2AuthorizedClientProviderBuilder.builder()
                    .authorizationCode()
                    .refreshToken()
                    .clientCredentials()
                    .password()
                    .build();

    DefaultOAuth2AuthorizedClientManager authorizedClientManager =
            new DefaultOAuth2AuthorizedClientManager(
                    clientRegistrationRepository, authorizedClientRepository);
    authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);

    return authorizedClientManager;
}
----

Kotlin::
+
[source,kotlin,role="secondary"]
----
@Bean
fun authorizedClientManager(
        clientRegistrationRepository: ClientRegistrationRepository,
        authorizedClientRepository: OAuth2AuthorizedClientRepository): OAuth2AuthorizedClientManager {
    val authorizedClientProvider: OAuth2AuthorizedClientProvider = OAuth2AuthorizedClientProviderBuilder.builder()
            .authorizationCode()
            .refreshToken()
            .clientCredentials()
            .password()
            .build()
    val authorizedClientManager = DefaultOAuth2AuthorizedClientManager(
            clientRegistrationRepository, authorizedClientRepository)
    authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
    return authorizedClientManager
}
----
======
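
As an added example (not part of the original documentation), the following shows how application code can ask the `OAuth2AuthorizedClientManager` registered above to authorize, or re-authorize, a client and hand back its access token. The class name `DownstreamTokenService` and its method name are hypothetical.

```java
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.client.OAuth2AuthorizeRequest;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.stereotype.Service;

@Service
public class DownstreamTokenService { // hypothetical class name

    private final OAuth2AuthorizedClientManager authorizedClientManager;

    public DownstreamTokenService(OAuth2AuthorizedClientManager authorizedClientManager) {
        this.authorizedClientManager = authorizedClientManager;
    }

    public OAuth2AccessToken accessTokenFor(String registrationId, Authentication principal,
            HttpServletRequest request, HttpServletResponse response) {
        // The servlet request/response attributes let the manager load and save the
        // authorized client through the configured OAuth2AuthorizedClientRepository.
        OAuth2AuthorizeRequest authorizeRequest = OAuth2AuthorizeRequest
                .withClientRegistrationId(registrationId)
                .principal(principal)
                .attribute(HttpServletRequest.class.getName(), request)
                .attribute(HttpServletResponse.class.getName(), response)
                .build();

        // Delegates to the composite provider. For authorization_code clients that are not
        // yet authorized, a ClientAuthorizationRequiredException propagates from here so the
        // redirect filter can start the authorization flow.
        OAuth2AuthorizedClient authorizedClient =
                this.authorizedClientManager.authorize(authorizeRequest);

        // authorize() returns null when no configured provider supports this client's grant type.
        if (authorizedClient == null) {
            throw new IllegalStateException(
                    "No provider could authorize client registration '" + registrationId + "'");
        }
        // Return the token object rather than logging or copying its value.
        return authorizedClient.getAccessToken();
    }
}
```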