|
对于最新的稳定版本,请使用 Spring Security 7.0.4! |
已授权客户端功能
本节介绍 Spring Security 为 OAuth2 客户端提供的附加功能。
解析授权客户端
@RegisteredOAuth2AuthorizedClient 注解提供了将方法参数解析为 OAuth2AuthorizedClient 类型参数值的能力。
与通过使用 OAuth2AuthorizedClient 或 OAuth2AuthorizedClientManager 来获取 OAuth2AuthorizedClientService 相比,这是一种更为便捷的替代方式。
以下示例展示了如何使用 @RegisteredOAuth2AuthorizedClient:
-
Java
-
Kotlin
@Controller
public class OAuth2ClientController {
@GetMapping("/")
public String index(@RegisteredOAuth2AuthorizedClient("okta") OAuth2AuthorizedClient authorizedClient) {
OAuth2AccessToken accessToken = authorizedClient.getAccessToken();
...
return "index";
}
}@Controller
class OAuth2ClientController {
@GetMapping("/")
fun index(@RegisteredOAuth2AuthorizedClient("okta") authorizedClient: OAuth2AuthorizedClient): String {
val accessToken = authorizedClient.accessToken
...
return "index"
}
}@RegisteredOAuth2AuthorizedClient 注解由 OAuth2AuthorizedClientArgumentResolver 处理,它直接使用 OAuth2AuthorizedClientManager,因此继承了其功能。
RestClient 集成
对 RestClient 的支持由 OAuth2ClientHttpRequestInterceptor 提供。
该拦截器通过在出站请求的 Bearer 头中放置一个 Authorization Tokens,从而具备发起受保护资源请求的能力。
该拦截器直接使用 OAuth2AuthorizedClientManager,因此继承了以下功能:
-
如果客户端尚未获得授权,则执行 OAuth 2.0 访问Tokens请求以获取
OAuth2AccessToken-
authorization_code:触发授权请求重定向以启动该流程 -
client_credentials:访问Tokens直接从Tokens端点(Token Endpoint)获取 -
password:访问Tokens直接从Tokens端点(Token Endpoint)获取 -
通过启用扩展授权类型来支持其他授权类型
-
-
如果现有的
OAuth2AccessToken已过期,则会对其进行刷新(或续期)
以下示例使用默认的 OAuth2AuthorizedClientManager 来配置一个 RestClient,该客户端能够通过在每个请求的 Bearer 头中放置 Authorization Tokens来访问受保护的资源:
RestClient 配置 ClientHttpRequestInterceptor-
Java
-
Kotlin
@Configuration
public class RestClientConfig {
@Bean
public RestClient restClient(OAuth2AuthorizedClientManager authorizedClientManager) {
OAuth2ClientHttpRequestInterceptor requestInterceptor =
new OAuth2ClientHttpRequestInterceptor(authorizedClientManager);
return RestClient.builder()
.requestInterceptor(requestInterceptor)
.build();
}
}@Configuration
class RestClientConfig {
@Bean
fun restClient(authorizedClientManager: OAuth2AuthorizedClientManager): RestClient {
val requestInterceptor = OAuth2ClientHttpRequestInterceptor(authorizedClientManager)
return RestClient.builder()
.requestInterceptor(requestInterceptor)
.build()
}
}提供clientRegistrationId
OAuth2ClientHttpRequestInterceptor 使用 ClientRegistrationIdResolver 来确定使用哪个客户端获取访问Tokens。
默认情况下,使用 RequestAttributeClientRegistrationIdResolver 从 clientRegistrationId 中解析 HttpRequest#attributes()。
以下示例演示了通过属性提供 clientRegistrationId:
clientRegistrationId-
Java
-
Kotlin
import static org.springframework.security.oauth2.client.web.client.RequestAttributeClientRegistrationIdResolver.clientRegistrationId;
@Controller
public class ResourceController {
private final RestClient restClient;
public ResourceController(RestClient restClient) {
this.restClient = restClient;
}
@GetMapping("/")
public String index() {
String resourceUri = "...";
String body = this.restClient.get()
.uri(resourceUri)
.attributes(clientRegistrationId("okta")) (1)
.retrieve()
.body(String.class);
// ...
return "index";
}
}import org.springframework.security.oauth2.client.web.client.RequestAttributeClientRegistrationIdResolver.clientRegistrationId
import org.springframework.web.client.body
@Controller
class ResourceController(private restClient: RestClient) {
@GetMapping("/")
fun index(): String {
val resourceUri = "..."
val body: String = restClient.get()
.uri(resourceUri)
.attributes(clientRegistrationId("okta")) (1)
.retrieve()
.body<String>()
// ...
return "index"
}
}| 1 | clientRegistrationId() 是 static 方法,位于 RequestAttributeClientRegistrationIdResolver 中。 |
或者,也可以提供一个自定义的 ClientRegistrationIdResolver。
以下示例配置了一个自定义实现,该实现从当前用户解析 clientRegistrationId。
ClientHttpRequestInterceptor 配置 ClientRegistrationIdResolver-
Java
-
Kotlin
@Configuration
public class RestClientConfig {
@Bean
public RestClient restClient(OAuth2AuthorizedClientManager authorizedClientManager) {
OAuth2ClientHttpRequestInterceptor requestInterceptor =
new OAuth2ClientHttpRequestInterceptor(authorizedClientManager);
requestInterceptor.setClientRegistrationIdResolver(clientRegistrationIdResolver());
return RestClient.builder()
.requestInterceptor(requestInterceptor)
.build();
}
private static ClientRegistrationIdResolver clientRegistrationIdResolver() {
return (request) -> {
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
return (authentication instanceof OAuth2AuthenticationToken principal)
? principal.getAuthorizedClientRegistrationId() : null;
};
}
}@Configuration
class RestClientConfig {
@Bean
fun restClient(authorizedClientManager: OAuth2AuthorizedClientManager): RestClient {
val requestInterceptor = OAuth2ClientHttpRequestInterceptor(authorizedClientManager)
requestInterceptor.setClientRegistrationIdResolver(clientRegistrationIdResolver())
return RestClient.builder()
.requestInterceptor(requestInterceptor)
.build()
}
fun clientRegistrationIdResolver(): ClientRegistrationIdResolver {
return ClientRegistrationIdResolver { request ->
val authentication = SecurityContextHolder.getContext().getAuthentication()
return if (authentication instanceof OAuth2AuthenticationToken) {
authentication.getAuthorizedClientRegistrationId()
} else {
null
}
}
}
}提供principal
OAuth2ClientHttpRequestInterceptor 使用一个 PrincipalResolver 来确定与访问Tokens关联的主体名称,从而使应用程序能够选择如何限定所存储的 OAuth2AuthorizedClient 的作用范围。
默认情况下,使用 SecurityContextHolderPrincipalResolver 从 principal 中解析当前的 SecurityContextHolder。
或者,也可以通过配置 principal 从 HttpRequest#attributes() 中解析 RequestAttributePrincipalResolver,如下例所示:
ClientHttpRequestInterceptor 配置 RequestAttributePrincipalResolver-
Java
-
Kotlin
@Configuration
public class RestClientConfig {
@Bean
public RestClient restClient(OAuth2AuthorizedClientManager authorizedClientManager) {
OAuth2ClientHttpRequestInterceptor requestInterceptor =
new OAuth2ClientHttpRequestInterceptor(authorizedClientManager);
requestInterceptor.setPrincipalResolver(new RequestAttributePrincipalResolver());
return RestClient.builder()
.requestInterceptor(requestInterceptor)
.build();
}
}@Configuration
class RestClientConfig {
@Bean
fun restClient(authorizedClientManager: OAuth2AuthorizedClientManager): RestClient {
val requestInterceptor = OAuth2ClientHttpRequestInterceptor(authorizedClientManager)
requestInterceptor.setPrincipalResolver(RequestAttributePrincipalResolver())
return RestClient.builder()
.requestInterceptor(requestInterceptor)
.build()
}
}以下示例演示了通过属性提供 principal 名称,将 OAuth2AuthorizedClient 的作用域限定为应用程序,而非当前用户:
principal 名称-
Java
-
Kotlin
import static org.springframework.security.oauth2.client.web.client.RequestAttributeClientRegistrationIdResolver.clientRegistrationId;
import static org.springframework.security.oauth2.client.web.client.RequestAttributePrincipalResolver.principal;
@Controller
public class ResourceController {
private final RestClient restClient;
public ResourceController(RestClient restClient) {
this.restClient = restClient;
}
@GetMapping("/")
public String index() {
String resourceUri = "...";
String body = this.restClient.get()
.uri(resourceUri)
.attributes(clientRegistrationId("okta"))
.attributes(principal("my-application")) (1)
.retrieve()
.body(String.class);
// ...
return "index";
}
}import org.springframework.security.oauth2.client.web.client.RequestAttributeClientRegistrationIdResolver.clientRegistrationId
import org.springframework.security.oauth2.client.web.client.RequestAttributePrincipalResolver.principal
import org.springframework.web.client.body
@Controller
class ResourceController(private restClient: RestClient) {
@GetMapping("/")
fun index(): String {
val resourceUri = "..."
val body: String = restClient.get()
.uri(resourceUri)
.attributes(clientRegistrationId("okta"))
.attributes(principal("my-application")) (1)
.retrieve()
.body<String>()
// ...
return "index"
}
}| 1 | principal() 是 static 方法,位于 RequestAttributePrincipalResolver 中。 |
处理失败
如果访问Tokens因任何原因无效(例如Tokens已过期),通过移除该访问Tokens来处理此失败情况会很有帮助,以确保它不会被再次使用。
您可以通过提供一个 OAuth2AuthorizationFailureHandler 来自动配置拦截器,以移除访问Tokens。
以下示例使用 OAuth2AuthorizedClientRepository 来设置一个 OAuth2AuthorizationFailureHandler,该处理器会在 OAuth2AuthorizedClient 的上下文中移除无效的 HttpServletRequest。
OAuth2AuthorizationFailureHandler 配置 OAuth2AuthorizedClientRepository-
Java
-
Kotlin
@Configuration
public class RestClientConfig {
@Bean
public RestClient restClient(OAuth2AuthorizedClientManager authorizedClientManager,
OAuth2AuthorizedClientRepository authorizedClientRepository) {
OAuth2ClientHttpRequestInterceptor requestInterceptor =
new OAuth2ClientHttpRequestInterceptor(authorizedClientManager);
OAuth2AuthorizationFailureHandler authorizationFailureHandler =
OAuth2ClientHttpRequestInterceptor.authorizationFailureHandler(authorizedClientRepository);
requestInterceptor.setAuthorizationFailureHandler(authorizationFailureHandler);
return RestClient.builder()
.requestInterceptor(requestInterceptor)
.build();
}
}@Configuration
class RestClientConfig {
@Bean
fun restClient(authorizedClientManager: OAuth2AuthorizedClientManager,
authorizedClientRepository: OAuth2AuthorizedClientRepository): RestClient {
val requestInterceptor = OAuth2ClientHttpRequestInterceptor(authorizedClientManager)
val authorizationFailureHandler = OAuth2ClientHttpRequestInterceptor
.authorizationFailureHandler(authorizedClientRepository)
requestInterceptor.setAuthorizationFailureHandler(authorizationFailureHandler)
return RestClient.builder()
.requestInterceptor(requestInterceptor)
.build()
}
}或者,可以使用 OAuth2AuthorizedClientService 在 OAuth2AuthorizedClient 上下文之外移除一个无效的 HttpServletRequest,如下例所示:
OAuth2AuthorizationFailureHandler 配置 OAuth2AuthorizedClientService-
Java
-
Kotlin
@Configuration
public class RestClientConfig {
@Bean
public RestClient restClient(OAuth2AuthorizedClientManager authorizedClientManager,
OAuth2AuthorizedClientService authorizedClientService) {
OAuth2ClientHttpRequestInterceptor requestInterceptor =
new OAuth2ClientHttpRequestInterceptor(authorizedClientManager);
OAuth2AuthorizationFailureHandler authorizationFailureHandler =
OAuth2ClientHttpRequestInterceptor.authorizationFailureHandler(authorizedClientService);
requestInterceptor.setAuthorizationFailureHandler(authorizationFailureHandler);
return RestClient.builder()
.requestInterceptor(requestInterceptor)
.build();
}
}@Configuration
class RestClientConfig {
@Bean
fun restClient(authorizedClientManager: OAuth2AuthorizedClientManager,
authorizedClientService: OAuth2AuthorizedClientService): RestClient {
val requestInterceptor = OAuth2ClientHttpRequestInterceptor(authorizedClientManager)
val authorizationFailureHandler = OAuth2ClientHttpRequestInterceptor
.authorizationFailureHandler(authorizedClientService)
requestInterceptor.setAuthorizationFailureHandler(authorizationFailureHandler)
return RestClient.builder()
.requestInterceptor(requestInterceptor)
.build()
}
}适用于 Servlet 环境的 WebClient 集成
OAuth 2.0 客户端支持通过使用 WebClient 与 ExchangeFilterFunction 集成。
The ServletOAuth2AuthorizedClientExchangeFilterFunction 提供了一种机制,用于通过使用 OAuth2AuthorizedClient 并将关联的 OAuth2AccessToken 作为 Bearer Token 包含在内来请求受保护的资源。
它直接使用 OAuth2AuthorizedClientManager,因此继承了以下功能:
-
如果客户端尚未获得授权,则会请求一个
OAuth2AccessToken。-
authorization_code:触发授权请求重定向以启动流程。 -
client_credentials:访问Tokens直接从Tokens端点(Token Endpoint)获取。 -
password:访问Tokens直接从Tokens端点(Token Endpoint)获取。
-
-
如果
OAuth2AccessToken已过期,并且有可用的OAuth2AuthorizedClientProvider来执行授权,则会刷新(或续期)该Tokens。
以下代码展示了如何使用 OAuth 2.0 客户端支持来配置 WebClient 的示例:
-
Java
-
Kotlin
@Bean
WebClient webClient(OAuth2AuthorizedClientManager authorizedClientManager) {
ServletOAuth2AuthorizedClientExchangeFilterFunction oauth2Client =
new ServletOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager);
return WebClient.builder()
.apply(oauth2Client.oauth2Configuration())
.build();
}@Bean
fun webClient(authorizedClientManager: OAuth2AuthorizedClientManager?): WebClient {
val oauth2Client = ServletOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager)
return WebClient.builder()
.apply(oauth2Client.oauth2Configuration())
.build()
}提供授权客户端
ServletOAuth2AuthorizedClientExchangeFilterFunction 通过从 OAuth2AuthorizedClient(请求属性)中解析出 ClientRequest.attributes() 来确定要使用的客户端(针对某个请求)。
以下代码展示了如何将 OAuth2AuthorizedClient 设置为请求属性:
-
Java
-
Kotlin
@GetMapping("/")
public String index(@RegisteredOAuth2AuthorizedClient("okta") OAuth2AuthorizedClient authorizedClient) {
String resourceUri = ...
String body = webClient
.get()
.uri(resourceUri)
.attributes(oauth2AuthorizedClient(authorizedClient)) (1)
.retrieve()
.bodyToMono(String.class)
.block();
...
return "index";
}@GetMapping("/")
fun index(@RegisteredOAuth2AuthorizedClient("okta") authorizedClient: OAuth2AuthorizedClient): String {
val resourceUri: String = ...
val body: String = webClient
.get()
.uri(resourceUri)
.attributes(oauth2AuthorizedClient(authorizedClient)) (1)
.retrieve()
.bodyToMono()
.block()
...
return "index"
}| 1 | oauth2AuthorizedClient() 是 static 方法,位于 ServletOAuth2AuthorizedClientExchangeFilterFunction 中。 |
以下代码展示了如何将 ClientRegistration.getRegistrationId() 设置为请求属性:
-
Java
-
Kotlin
@GetMapping("/")
public String index() {
String resourceUri = ...
String body = webClient
.get()
.uri(resourceUri)
.attributes(clientRegistrationId("okta")) (1)
.retrieve()
.bodyToMono(String.class)
.block();
...
return "index";
}@GetMapping("/")
fun index(): String {
val resourceUri: String = ...
val body: String = webClient
.get()
.uri(resourceUri)
.attributes(clientRegistrationId("okta")) (1)
.retrieve()
.bodyToMono()
.block()
...
return "index"
}| 1 | clientRegistrationId() 是 static 方法,位于 ServletOAuth2AuthorizedClientExchangeFilterFunction 中。 |
以下代码展示了如何将 Authentication 设置为请求属性:
-
Java
-
Kotlin
@GetMapping("/")
public String index() {
String resourceUri = ...
Authentication anonymousAuthentication = new AnonymousAuthenticationToken(
"anonymous", "anonymousUser", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
String body = webClient
.get()
.uri(resourceUri)
.attributes(authentication(anonymousAuthentication)) (1)
.retrieve()
.bodyToMono(String.class)
.block();
...
return "index";
}@GetMapping("/")
fun index(): String {
val resourceUri: String = ...
val anonymousAuthentication: Authentication = AnonymousAuthenticationToken(
"anonymous", "anonymousUser", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"))
val body: String = webClient
.get()
.uri(resourceUri)
.attributes(authentication(anonymousAuthentication)) (1)
.retrieve()
.bodyToMono()
.block()
...
return "index"
}| 1 | authentication() 是 static 方法,位于 ServletOAuth2AuthorizedClientExchangeFilterFunction 中。 |
|
建议谨慎使用此功能,因为所有 HTTP 请求都将收到一个与所提供的主体(principal)绑定的访问Tokens。 |
默认授权客户端
如果请求属性中既未提供 OAuth2AuthorizedClient,也未提供 ClientRegistration.getRegistrationId(),则 ServletOAuth2AuthorizedClientExchangeFilterFunction 可根据其配置确定要使用的默认客户端。
如果配置了 setDefaultOAuth2AuthorizedClient(true),并且用户已通过 HttpSecurity.oauth2Login() 进行身份验证,则将使用与当前 OAuth2AccessToken 关联的 OAuth2AuthenticationToken。
以下代码展示了具体的配置:
-
Java
-
Kotlin
@Bean
WebClient webClient(OAuth2AuthorizedClientManager authorizedClientManager) {
ServletOAuth2AuthorizedClientExchangeFilterFunction oauth2Client =
new ServletOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager);
oauth2Client.setDefaultOAuth2AuthorizedClient(true);
return WebClient.builder()
.apply(oauth2Client.oauth2Configuration())
.build();
}@Bean
fun webClient(authorizedClientManager: OAuth2AuthorizedClientManager?): WebClient {
val oauth2Client = ServletOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager)
oauth2Client.setDefaultOAuth2AuthorizedClient(true)
return WebClient.builder()
.apply(oauth2Client.oauth2Configuration())
.build()
}|
请谨慎使用此功能,因为所有 HTTP 请求都会收到访问Tokens。 |
或者,如果使用有效的 setDefaultClientRegistrationId("okta") 配置了 ClientRegistration,则会使用与 OAuth2AccessToken 关联的 OAuth2AuthorizedClient。
以下代码展示了具体的配置:
-
Java
-
Kotlin
@Bean
WebClient webClient(OAuth2AuthorizedClientManager authorizedClientManager) {
ServletOAuth2AuthorizedClientExchangeFilterFunction oauth2Client =
new ServletOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager);
oauth2Client.setDefaultClientRegistrationId("okta");
return WebClient.builder()
.apply(oauth2Client.oauth2Configuration())
.build();
}@Bean
fun webClient(authorizedClientManager: OAuth2AuthorizedClientManager?): WebClient {
val oauth2Client = ServletOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager)
oauth2Client.setDefaultClientRegistrationId("okta")
return WebClient.builder()
.apply(oauth2Client.oauth2Configuration())
.build()
}|
请谨慎使用此功能,因为所有 HTTP 请求都会收到访问Tokens。 |