|
此版本仍在开发中,尚未被视为稳定版本。如需最新稳定版本,请使用 Spring Security 7.0.4! |
授权许可支持
本节介绍 Spring Security 对授权许可(authorization grants)的支持。
授权码
|
请参阅OAuth 2.0 授权框架以获取有关授权码(Authorization Code)授予方式的更多信息。 |
获取授权
|
请参阅授权请求/响应协议流程,了解授权码授予方式。 |
发起授权请求
The OAuth2AuthorizationRequestRedirectWebFilter 使用 ServerOAuth2AuthorizationRequestResolver 来解析一个 OAuth2AuthorizationRequest,并通过重定向最终用户的用户代理到授权服务器的授权端点来启动授权码授予流程。
The primary role of the ServerOAuth2AuthorizationRequestResolver is to resolve an OAuth2AuthorizationRequest from the provided web request.
The default implementation DefaultServerOAuth2AuthorizationRequestResolver matches on the (default) path /oauth2/authorization/{registrationId} extracting the registrationId and using it to build the OAuth2AuthorizationRequest for the associated ClientRegistration.
给定以下用于 OAuth 2.0 客户端注册的 Spring Boot 属性:
spring:
security:
oauth2:
client:
registration:
okta:
client-id: okta-client-id
client-secret: okta-client-secret
authorization-grant-type: authorization_code
redirect-uri: "{baseUrl}/authorized/okta"
scope: read, write
provider:
okta:
authorization-uri: https://dev-1234.oktapreview.com/oauth2/v1/authorize
token-uri: https://dev-1234.oktapreview.com/oauth2/v1/token带有基础路径/oauth2/authorization/okta的请求将由OAuth2AuthorizationRequestRedirectWebFilter发起授权请求重定向,并最终启动授权码授予流程。
|
|
如果OAuth 2.0客户端是公共客户端,则配置OAuth 2.0客户端注册如下:
spring:
security:
oauth2:
client:
registration:
okta:
client-id: okta-client-id
client-authentication-method: none
authorization-grant-type: authorization_code
redirect-uri: "{baseUrl}/authorized/okta"
# ...公共客户端支持使用 Proof Key for Code Exchange (PKCE)。 如果客户端在不受信任的环境中运行(例如,桌面应用程序或基于Web浏览器的应用程序),因此无法保护其凭据的秘密性,则在满足以下条件时将自动启用PKCE:
-
client-secret被省略(或为空) -
client-authentication-method被设置为none(ClientAuthenticationMethod.NONE)
or
-
当
ClientRegistration.clientSettings.requireProofKey为true时(在此情况下,ClientRegistration.authorizationGrantType必须为authorization_code)
|
如果 OAuth 2.0 授权服务器不支持机密客户端使用 PKCE,则需要通过将 |
以下配置使用了所有受支持的URI模板变量:
spring:
security:
oauth2:
client:
registration:
okta:
# ...
redirect-uri: "{baseScheme}://{baseHost}{basePort}{basePath}/authorized/{registrationId}"
# ...|
|
配置redirect-uri时使用URI模板变量特别有用,特别是在OAuth 2.0客户端运行在代理服务器后面的情况下。
这确保了在展开X-Forwarded-*时会使用redirect-uri头。
自定义授权请求
ServerOAuth2AuthorizationRequestResolver 可以实现的一个主要用例是自定义授权请求,可以在标准的 OAuth 2.0 授权框架定义的参数之上添加额外的参数。
例如,OpenID Connect 为授权码流程定义了额外的 OAuth 2.0 请求参数,这些参数是对OAuth 2.0 授权框架中定义的标准参数的扩展。
其中一个扩展参数是 prompt 参数。
|
|
以下示例展示了如何使用一个 DefaultServerOAuth2AuthorizationRequestResolver 来配置 Consumer<OAuth2AuthorizationRequest.Builder>,通过添加请求参数 oauth2Login() 来自定义 prompt=consent 的授权请求。
-
Java
-
Kotlin
@Configuration
@EnableWebFluxSecurity
public class OAuth2LoginSecurityConfig {
@Autowired
private ReactiveClientRegistrationRepository clientRegistrationRepository;
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
http
.authorizeExchange((authorize) -> authorize
.anyExchange().authenticated()
)
.oauth2Login((oauth2) -> oauth2
.authorizationRequestResolver(
authorizationRequestResolver(this.clientRegistrationRepository)
)
);
return http.build();
}
private ServerOAuth2AuthorizationRequestResolver authorizationRequestResolver(
ReactiveClientRegistrationRepository clientRegistrationRepository) {
DefaultServerOAuth2AuthorizationRequestResolver authorizationRequestResolver =
new DefaultServerOAuth2AuthorizationRequestResolver(
clientRegistrationRepository);
authorizationRequestResolver.setAuthorizationRequestCustomizer(
authorizationRequestCustomizer());
return authorizationRequestResolver;
}
private Consumer<OAuth2AuthorizationRequest.Builder> authorizationRequestCustomizer() {
return customizer -> customizer
.additionalParameters((params) -> params.put("prompt", "consent"));
}
}@Configuration
@EnableWebFluxSecurity
class SecurityConfig {
@Autowired
private lateinit var customClientRegistrationRepository: ReactiveClientRegistrationRepository
@Bean
fun securityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
http {
authorizeExchange {
authorize(anyExchange, authenticated)
}
oauth2Login {
authorizationRequestResolver = authorizationRequestResolver(customClientRegistrationRepository)
}
}
return http.build()
}
private fun authorizationRequestResolver(
clientRegistrationRepository: ReactiveClientRegistrationRepository): ServerOAuth2AuthorizationRequestResolver {
val authorizationRequestResolver = DefaultServerOAuth2AuthorizationRequestResolver(
clientRegistrationRepository)
authorizationRequestResolver.setAuthorizationRequestCustomizer(
authorizationRequestCustomizer())
return authorizationRequestResolver
}
private fun authorizationRequestCustomizer(): Consumer<OAuth2AuthorizationRequest.Builder> {
return Consumer { customizer ->
customizer
.additionalParameters { params -> params["prompt"] = "consent" }
}
}
}对于简单的使用场景,如果额外的请求参数对特定提供者总是相同的,可以将其直接添加在authorization-uri属性中。
例如,如果请求参数prompt的值对于提供者consent总是为okta,那么只需配置如下:
spring:
security:
oauth2:
client:
provider:
okta:
authorization-uri: https://dev-1234.oktapreview.com/oauth2/v1/authorize?prompt=consent前面的示例展示了在标准参数之上添加自定义参数的常见用法。
如果您有更高级的需求,可以通过覆盖 OAuth2AuthorizationRequest.authorizationRequestUri 属性来自定义构建授权请求 URI。
|
|
以下示例展示了与前面示例中的authorizationRequestCustomizer()略有不同的实现,但它会覆盖OAuth2AuthorizationRequest.authorizationRequestUri属性。
-
Java
-
Kotlin
private Consumer<OAuth2AuthorizationRequest.Builder> authorizationRequestCustomizer() {
return customizer -> customizer
.authorizationRequestUri((uriBuilder) -> uriBuilder
.queryParam("prompt", "consent").build());
}private fun authorizationRequestCustomizer(): Consumer<OAuth2AuthorizationRequest.Builder> {
return Consumer { customizer: OAuth2AuthorizationRequest.Builder ->
customizer
.authorizationRequestUri { uriBuilder: UriBuilder ->
uriBuilder
.queryParam("prompt", "consent").build()
}
}
}存储授权请求
ServerAuthorizationRequestRepository 负责在授权请求发起之时到接收到授权响应(即回调)期间,对 OAuth2AuthorizationRequest 进行持久化。
|
|
ServerAuthorizationRequestRepository 的默认实现是 WebSessionOAuth2ServerAuthorizationRequestRepository,它将 OAuth2AuthorizationRequest 存储在 WebSession 中。
如果您的自定义实现ServerAuthorizationRequestRepository,可以如以下示例所示进行配置:
-
Java
-
Kotlin
@Configuration
@EnableWebFluxSecurity
public class OAuth2ClientSecurityConfig {
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
http
.oauth2Client((oauth2) -> oauth2
.authorizationRequestRepository(this.authorizationRequestRepository())
// ...
);
return http.build();
}
}@Configuration
@EnableWebFluxSecurity
class OAuth2ClientSecurityConfig {
@Bean
fun securityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
http {
oauth2Client {
authorizationRequestRepository = authorizationRequestRepository()
}
}
return http.build()
}
}请求访问Tokens
|
请参阅访问Tokens请求/响应协议流程,了解授权码授予方式。 |
默认实现ReactiveOAuth2AccessTokenResponseClient的授权码授予类型是WebClientReactiveAuthorizationCodeTokenResponseClient,它使用WebClient在授权服务器的Tokens端点处通过授权码交换访问Tokens。
要自定义WebClientReactiveAuthorizationCodeTokenResponseClient,只需如以下示例一样提供一个 bean,并且它将被默认的ReactiveOAuth2AuthorizedClientManager自动识别:
WebClientReactiveAuthorizationCodeTokenResponseClient 非常灵活,提供了多种选项用于自定义授权码许可(Authorization Code grant)的 OAuth 2.0 访问Tokens请求和响应。
请从以下使用场景中选择以了解更多信息:
自定义访问Tokens请求
WebClientReactiveAuthorizationCodeTokenResponseClient 提供了自定义 Token 请求的 HTTP 头和请求参数的钩子。
自定义请求头
有两种自定义 HTTP 头部的选项:
-
通过调用
addHeadersConverter()添加额外的请求头 -
通过调用
setHeadersConverter()完全自定义标头
你可以使用 addHeadersConverter() 方法添加额外的请求头,而不会影响每个请求默认添加的请求头。
以下示例在 User-Agent 为 registrationId 时,向请求中添加一个 spring 请求头:
-
Java
-
Kotlin
WebClientReactiveAuthorizationCodeTokenResponseClient accessTokenResponseClient =
new WebClientReactiveAuthorizationCodeTokenResponseClient();
accessTokenResponseClient.addHeadersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
HttpHeaders headers = new HttpHeaders();
if (clientRegistration.getRegistrationId().equals("spring")) {
headers.set(HttpHeaders.USER_AGENT, "my-user-agent");
}
return headers;
});val accessTokenResponseClient = WebClientReactiveAuthorizationCodeTokenResponseClient()
accessTokenResponseClient.addHeadersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val headers = HttpHeaders()
if (clientRegistration.getRegistrationId() == "spring") {
headers[HttpHeaders.USER_AGENT] = "my-user-agent"
}
headers
}你可以通过复用 DefaultOAuth2TokenRequestHeadersConverter 或使用 setHeadersConverter() 提供自定义实现来完全自定义请求头。
以下示例复用了 DefaultOAuth2TokenRequestHeadersConverter,并禁用了 encodeClientCredentials,从而使得 HTTP Basic 凭据不再使用 application/x-www-form-urlencoded 进行编码:
-
Java
-
Kotlin
DefaultOAuth2TokenRequestHeadersConverter headersConverter =
new DefaultOAuth2TokenRequestHeadersConverter();
headersConverter.setEncodeClientCredentials(false);
WebClientReactiveAuthorizationCodeTokenResponseClient accessTokenResponseClient =
new WebClientReactiveAuthorizationCodeTokenResponseClient();
accessTokenResponseClient.setHeadersConverter(headersConverter);val headersConverter = DefaultOAuth2TokenRequestHeadersConverter()
headersConverter.setEncodeClientCredentials(false)
val accessTokenResponseClient = WebClientReactiveAuthorizationCodeTokenResponseClient()
accessTokenResponseClient.setHeadersConverter(headersConverter)自定义请求参数
有三种选项可用于自定义请求参数:
-
通过调用
addParametersConverter()添加额外参数 -
通过调用
setParametersConverter()来覆盖参数 -
通过调用
setParametersCustomizer()完全自定义参数
|
使用 |
你可以使用 addParametersConverter() 添加额外的参数,而不会影响每个请求中默认添加的参数。
以下示例在 audience 为 registrationId 时,向请求中添加一个 keycloak 参数:
-
Java
-
Kotlin
WebClientReactiveAuthorizationCodeTokenResponseClient accessTokenResponseClient =
new WebClientReactiveAuthorizationCodeTokenResponseClient();
accessTokenResponseClient.addParametersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
MultiValueMap<String, String> parameters = new LinkedMultiValueMap<String, String>();
if (clientRegistration.getRegistrationId().equals("keycloak")) {
parameters.set(OAuth2ParameterNames.AUDIENCE, "my-audience");
}
return parameters;
});val accessTokenResponseClient = WebClientReactiveAuthorizationCodeTokenResponseClient()
accessTokenResponseClient.addParametersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val parameters = LinkedMultiValueMap<String, String>()
if (clientRegistration.getRegistrationId() == "keycloak") {
parameters[OAuth2ParameterNames.AUDIENCE] = "my-audience"
}
parameters
}你可以使用 setParametersConverter() 来覆盖默认参数。
以下示例在 client_id 为 registrationId 时,覆盖了 okta 参数:
-
Java
-
Kotlin
WebClientReactiveAuthorizationCodeTokenResponseClient accessTokenResponseClient =
new WebClientReactiveAuthorizationCodeTokenResponseClient();
accessTokenResponseClient.setParametersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
LinkedMultiValueMap<String, String> parameters = new LinkedMultiValueMap<>();
if (clientRegistration.getRegistrationId().equals("okta")) {
parameters.set(OAuth2ParameterNames.CLIENT_ID, "my-client");
}
return parameters;
});val accessTokenResponseClient = WebClientReactiveAuthorizationCodeTokenResponseClient()
accessTokenResponseClient.setParametersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val parameters = LinkedMultiValueMap<String, String>()
if (clientRegistration.getRegistrationId() == "okta") {
parameters[OAuth2ParameterNames.CLIENT_ID] = "my-client"
}
parameters
}您可以使用 setParametersCustomizer() 完全自定义参数(包括省略默认参数)。
以下示例在请求中包含 client_id 参数时,省略了 client_assertion 参数:
-
Java
-
Kotlin
WebClientReactiveAuthorizationCodeTokenResponseClient accessTokenResponseClient =
new WebClientReactiveAuthorizationCodeTokenResponseClient();
accessTokenResponseClient.setParametersCustomizer(parameters -> {
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID);
}
});val accessTokenResponseClient = WebClientReactiveAuthorizationCodeTokenResponseClient()
accessTokenResponseClient.setParametersCustomizer { parameters ->
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID)
}
}自定义访问Tokens响应
WebClientReactiveAuthorizationCodeTokenResponseClient 提供了自定义 OAuth 2.0 访问Tokens响应的钩子。
自定义响应参数
您可以自定义 Token Response 参数转换为OAuth2AccessTokenResponse的方式,通过调用setBodyExtractor()。
默认实现 OAuth2BodyExtractors.oauth2AccessTokenResponse() 会解析响应并相应处理错误。
以下示例为自定义Tokens响应参数转换为 OAuth2AccessTokenResponse 提供了一个起点:
-
Java
-
Kotlin
WebClientReactiveAuthorizationCodeTokenResponseClient accessTokenResponseClient =
new WebClientReactiveAuthorizationCodeTokenResponseClient();
BodyExtractor<Mono<Map<String, Object>>, ReactiveHttpInputMessage> bodyExtractor =
BodyExtractors.toMono(new ParameterizedTypeReference<>() {});
accessTokenResponseClient.setBodyExtractor((inputMessage, context) ->
bodyExtractor.extract(inputMessage, context)
.map((parameters) -> parameters.withToken("custom-token")
// ...
.build()
)
);val accessTokenResponseClient = WebClientReactiveAuthorizationCodeTokenResponseClient()
val bodyExtractor = BodyExtractors.toMono(object : ParameterizedTypeReference<Map<String, Any>>() {})
accessTokenResponseClient.setBodyExtractor { inputMessage, context ->
bodyExtractor.extract(inputMessage, context).map { parameters ->
OAuth2AccessTokenResponse.withToken("custom-token")
// ...
.build()
}
}|
当提供自定义的 |
自定义WebClient
Alternatively, 如果您的需求更加复杂,您可以为WebClient提供一个预配置的setWebClient()以完全控制请求和/或响应,如以下示例所示:
WebClient-
Java
-
Kotlin
WebClient webClient = WebClient.builder()
// ...
.build();
WebClientReactiveAuthorizationCodeTokenResponseClient accessTokenResponseClient =
new WebClientReactiveAuthorizationCodeTokenResponseClient();
accessTokenResponseClient.setWebClient(webClient);val webClient = WebClient.builder()
// ...
.build()
val accessTokenResponseClient = WebClientReactiveAuthorizationCodeTokenResponseClient()
accessTokenResponseClient.setWebClient(webClient)使用 DSL 进行自定义
无论您是自定义WebClientReactiveAuthorizationCodeTokenResponseClient,还是提供您自己的ReactiveOAuth2AccessTokenResponseClient实现,都可以通过DSL进行配置(作为发布bean的替代方法),如下例所示:
-
Java
-
Kotlin
@Configuration
@EnableWebFluxSecurity
public class OAuth2ClientSecurityConfig {
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
http
.oauth2Client((oauth2) -> oauth2
.authenticationManager(this.authorizationCodeAuthenticationManager())
// ...
);
return http.build();
}
private ReactiveAuthenticationManager authorizationCodeAuthenticationManager() {
WebClientReactiveAuthorizationCodeTokenResponseClient accessTokenResponseClient =
new WebClientReactiveAuthorizationCodeTokenResponseClient();
// ...
return new OAuth2AuthorizationCodeReactiveAuthenticationManager(accessTokenResponseClient);
}
}@Configuration
@EnableWebFluxSecurity
class OAuth2ClientSecurityConfig {
@Bean
fun securityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
http {
oauth2Client {
authenticationManager = authorizationCodeAuthenticationManager()
}
}
return http.build()
}
private fun authorizationCodeAuthenticationManager(): ReactiveAuthenticationManager {
val accessTokenResponseClient = WebClientReactiveAuthorizationCodeTokenResponseClient()
// ...
return OAuth2AuthorizationCodeReactiveAuthenticationManager(accessTokenResponseClient)
}
}刷新Tokens
|
请参阅OAuth 2.0授权框架以获取有关刷新Tokens的进一步详情。 |
刷新访问Tokens
|
请参阅访问Tokens请求/响应协议流程,了解刷新Tokens授予的内容。 |
默认实现ReactiveOAuth2AccessTokenResponseClient的Refresh Token授权方式是WebClientReactiveRefreshTokenTokenResponseClient,它在刷新访问Tokens时使用WebClient来访问授权服务器的Token Endpoint。
要自定义WebClientReactiveRefreshTokenTokenResponseClient,只需如以下示例一样提供一个 bean,并且它将被默认的ReactiveOAuth2AuthorizedClientManager自动识别:
-
Java
-
Kotlin
@Bean
public ReactiveOAuth2AccessTokenResponseClient<OAuth2RefreshTokenGrantRequest> accessTokenResponseClient() {
WebClientReactiveRefreshTokenTokenResponseClient accessTokenResponseClient =
new WebClientReactiveRefreshTokenTokenResponseClient();
// ...
return accessTokenResponseClient;
}@Bean
fun accessTokenResponseClient(): ReactiveOAuth2AccessTokenResponseClient<Refresh Token> {
val accessTokenResponseClient = WebClientReactiveRefreshTokenTokenResponseClient()
// ...
return accessTokenResponseClient
}WebClientReactiveRefreshTokenTokenResponseClient 非常灵活,并提供了多种选项来自定义 OAuth 2.0 刷新Tokens grant 的访问Tokens请求和响应。
从以下用例中选择以获取更多信息:
自定义访问Tokens请求
WebClientReactiveRefreshTokenTokenResponseClient 提供了自定义 Token 请求的 HTTP 头和请求参数的钩子。
自定义请求头
有两种自定义 HTTP 头部的选项:
-
通过调用
addHeadersConverter()添加额外的请求头 -
通过调用
setHeadersConverter()完全自定义标头
你可以使用 addHeadersConverter() 方法添加额外的请求头,而不会影响每个请求默认添加的请求头。
以下示例在 User-Agent 为 registrationId 时,向请求中添加一个 spring 请求头:
-
Java
-
Kotlin
WebClientReactiveRefreshTokenTokenResponseClient accessTokenResponseClient =
new WebClientReactiveRefreshTokenTokenResponseClient();
accessTokenResponseClient.addHeadersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
HttpHeaders headers = new HttpHeaders();
if (clientRegistration.getRegistrationId().equals("spring")) {
headers.set(HttpHeaders.USER_AGENT, "my-user-agent");
}
return headers;
});val accessTokenResponseClient = WebClientReactiveRefreshTokenTokenResponseClient()
accessTokenResponseClient.addHeadersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val headers = HttpHeaders()
if (clientRegistration.getRegistrationId() == "spring") {
headers[HttpHeaders.USER_AGENT] = "my-user-agent"
}
headers
}你可以通过复用 DefaultOAuth2TokenRequestHeadersConverter 或使用 setHeadersConverter() 提供自定义实现来完全自定义请求头。
以下示例复用了 DefaultOAuth2TokenRequestHeadersConverter,并禁用了 encodeClientCredentials,从而使得 HTTP Basic 凭据不再使用 application/x-www-form-urlencoded 进行编码:
-
Java
-
Kotlin
DefaultOAuth2TokenRequestHeadersConverter headersConverter =
new DefaultOAuth2TokenRequestHeadersConverter();
headersConverter.setEncodeClientCredentials(false);
WebClientReactiveRefreshTokenTokenResponseClient accessTokenResponseClient =
new WebClientReactiveRefreshTokenTokenResponseClient();
accessTokenResponseClient.setHeadersConverter(headersConverter);val headersConverter = DefaultOAuth2TokenRequestHeadersConverter()
headersConverter.setEncodeClientCredentials(false)
val accessTokenResponseClient = WebClientReactiveRefreshTokenTokenResponseClient()
accessTokenResponseClient.setHeadersConverter(headersConverter)自定义请求参数
有三种选项可用于自定义请求参数:
-
通过调用
addParametersConverter()添加额外参数 -
通过调用
setParametersConverter()来覆盖参数 -
通过调用
setParametersCustomizer()完全自定义参数
|
使用 |
你可以使用 addParametersConverter() 添加额外的参数,而不会影响每个请求中默认添加的参数。
以下示例在 audience 为 registrationId 时,向请求中添加一个 keycloak 参数:
-
Java
-
Kotlin
WebClientReactiveRefreshTokenTokenResponseClient accessTokenResponseClient =
new WebClientReactiveRefreshTokenTokenResponseClient();
accessTokenResponseClient.addParametersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
MultiValueMap<String, String> parameters = new LinkedMultiValueMap<String, String>();
if (clientRegistration.getRegistrationId().equals("keycloak")) {
parameters.set(OAuth2ParameterNames.AUDIENCE, "my-audience");
}
return parameters;
});val accessTokenResponseClient = WebClientReactiveRefreshTokenTokenResponseClient()
accessTokenResponseClient.addParametersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val parameters = LinkedMultiValueMap<String, String>()
if (clientRegistration.getRegistrationId() == "keycloak") {
parameters[OAuth2ParameterNames.AUDIENCE] = "my-audience"
}
parameters
}你可以使用 setParametersConverter() 来覆盖默认参数。
以下示例在 client_id 为 registrationId 时,覆盖了 okta 参数:
-
Java
-
Kotlin
WebClientReactiveRefreshTokenTokenResponseClient accessTokenResponseClient =
new WebClientReactiveRefreshTokenTokenResponseClient();
accessTokenResponseClient.setParametersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
LinkedMultiValueMap<String, String> parameters = new LinkedMultiValueMap<>();
if (clientRegistration.getRegistrationId().equals("okta")) {
parameters.set(OAuth2ParameterNames.CLIENT_ID, "my-client");
}
return parameters;
});val accessTokenResponseClient = WebClientReactiveRefreshTokenTokenResponseClient()
accessTokenResponseClient.setParametersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val parameters = LinkedMultiValueMap<String, String>()
if (clientRegistration.getRegistrationId() == "okta") {
parameters[OAuth2ParameterNames.CLIENT_ID] = "my-client"
}
parameters
}您可以使用 setParametersCustomizer() 完全自定义参数(包括省略默认参数)。
以下示例在请求中包含 client_id 参数时,省略了 client_assertion 参数:
-
Java
-
Kotlin
WebClientReactiveRefreshTokenTokenResponseClient accessTokenResponseClient =
new WebClientReactiveRefreshTokenTokenResponseClient();
accessTokenResponseClient.setParametersCustomizer(parameters -> {
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID);
}
});val accessTokenResponseClient = WebClientReactiveRefreshTokenTokenResponseClient()
accessTokenResponseClient.setParametersCustomizer { parameters ->
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID)
}
}自定义访问Tokens响应
WebClientReactiveRefreshTokenTokenResponseClient 提供了自定义 OAuth 2.0 访问Tokens响应的钩子。
自定义响应参数
您可以自定义 Token Response 参数转换为OAuth2AccessTokenResponse的方式,通过调用setBodyExtractor()。
默认实现 OAuth2BodyExtractors.oauth2AccessTokenResponse() 会解析响应并相应处理错误。
以下示例为自定义Tokens响应参数转换为 OAuth2AccessTokenResponse 提供了一个起点:
-
Java
-
Kotlin
WebClientReactiveRefreshTokenTokenResponseClient accessTokenResponseClient =
new WebClientReactiveRefreshTokenTokenResponseClient();
BodyExtractor<Mono<Map<String, Object>>, ReactiveHttpInputMessage> bodyExtractor =
BodyExtractors.toMono(new ParameterizedTypeReference<>() {});
accessTokenResponseClient.setBodyExtractor((inputMessage, context) ->
bodyExtractor.extract(inputMessage, context)
.map((parameters) -> parameters.withToken("custom-token")
// ...
.build()
)
);val accessTokenResponseClient = WebClientReactiveRefreshTokenTokenResponseClient()
val bodyExtractor = BodyExtractors.toMono(object : ParameterizedTypeReference<Map<String, Any>>() {})
accessTokenResponseClient.setBodyExtractor { inputMessage, context ->
bodyExtractor.extract(inputMessage, context).map { parameters ->
OAuth2AccessTokenResponse.withToken("custom-token")
// ...
.build()
}
}|
当提供自定义的 |
自定义WebClient
Alternatively, 如果您的需求更加复杂,您可以为WebClient提供一个预配置的setWebClient()以完全控制请求和/或响应,如以下示例所示:
WebClient-
Java
-
Kotlin
WebClient webClient = WebClient.builder()
// ...
.build();
WebClientReactiveRefreshTokenTokenResponseClient accessTokenResponseClient =
new WebClientReactiveRefreshTokenTokenResponseClient();
accessTokenResponseClient.setWebClient(webClient);val webClient = WebClient.builder()
// ...
.build()
val accessTokenResponseClient = WebClientReactiveRefreshTokenTokenResponseClient()
accessTokenResponseClient.setWebClient(webClient)使用构建器进行自定义
是否自定义WebClientReactiveRefreshTokenTokenResponseClient或提供您自己的ReactiveOAuth2AccessTokenResponseClient的实现,您可以使用ReactiveOAuth2AuthorizedClientProviderBuilder对其进行配置(作为发布bean的一个替代方案),如下所示:
-
Java
-
Kotlin
// Customize
ReactiveOAuth2AccessTokenResponseClient<OAuth2RefreshTokenGrantRequest> refreshTokenTokenResponseClient = ...
ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.authorizationCode()
.refreshToken((configurer) -> configurer.accessTokenResponseClient(refreshTokenTokenResponseClient))
.build();
// ...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);// Customize
val refreshTokenTokenResponseClient: ReactiveOAuth2AccessTokenResponseClient<OAuth2RefreshTokenGrantRequest> = ...
val authorizedClientProvider: ReactiveOAuth2AuthorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.authorizationCode()
.refreshToken { it.accessTokenResponseClient(refreshTokenTokenResponseClient) }
.build()
// ...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)|
|
The OAuth2RefreshToken 可能会在authorization_code 授权类型的访问Tokens响应中被选中。
如果OAuth2AuthorizedClient.getRefreshToken()可用且OAuth2AuthorizedClient.getAccessToken()过期,那么它将由RefreshTokenReactiveOAuth2AuthorizedClientProvider自动刷新。
客户端凭证
|
有关客户端凭证授权类型的更多详细信息,请参阅 OAuth 2.0 授权框架。 |
请求访问Tokens
|
请参阅访问Tokens请求/响应协议流程,了解客户端凭证授权的相关信息。 |
默认实现ReactiveOAuth2AccessTokenResponseClient的客户端凭据授权方式是WebClientReactiveClientCredentialsTokenResponseClient,它在请求访问Tokens时使用WebClient来访问授权服务器的Tokens端点。
要自定义WebClientReactiveClientCredentialsTokenResponseClient,只需如以下示例一样提供一个 bean,并且它将被默认的ReactiveOAuth2AuthorizedClientManager自动识别:
-
Java
-
Kotlin
@Bean
public ReactiveOAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> accessTokenResponseClient() {
WebClientReactiveClientCredentialsTokenResponseClient accessTokenResponseClient =
new WebClientReactiveClientCredentialsTokenResponseClient();
// ...
return accessTokenResponseClient;
}@Bean
fun accessTokenResponseClient(): ReactiveOAuth2AccessTokenResponseClient<Client Credentials> {
val accessTokenResponseClient = WebClientReactiveClientCredentialsTokenResponseClient()
// ...
return accessTokenResponseClient
}WebClientReactiveClientCredentialsTokenResponseClient 非常灵活,并提供了多种自定义 OAuth 2.0 Access Token 请求和响应选项,适用于 Client Credentials 授予方式。
请选择以下用例以获取更多信息:
自定义访问Tokens请求
WebClientReactiveClientCredentialsTokenResponseClient 提供了自定义 Token 请求的 HTTP 头和请求参数的钩子。
自定义请求头
有两种自定义 HTTP 头部的选项:
-
通过调用
addHeadersConverter()添加额外的请求头 -
通过调用
setHeadersConverter()完全自定义标头
你可以使用 addHeadersConverter() 方法添加额外的请求头,而不会影响每个请求默认添加的请求头。
以下示例在 User-Agent 为 registrationId 时,向请求中添加一个 spring 请求头:
-
Java
-
Kotlin
WebClientReactiveClientCredentialsTokenResponseClient accessTokenResponseClient =
new WebClientReactiveClientCredentialsTokenResponseClient();
accessTokenResponseClient.addHeadersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
HttpHeaders headers = new HttpHeaders();
if (clientRegistration.getRegistrationId().equals("spring")) {
headers.set(HttpHeaders.USER_AGENT, "my-user-agent");
}
return headers;
});val accessTokenResponseClient = WebClientReactiveClientCredentialsTokenResponseClient()
accessTokenResponseClient.addHeadersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val headers = HttpHeaders()
if (clientRegistration.getRegistrationId() == "spring") {
headers[HttpHeaders.USER_AGENT] = "my-user-agent"
}
headers
}你可以通过复用 DefaultOAuth2TokenRequestHeadersConverter 或使用 setHeadersConverter() 提供自定义实现来完全自定义请求头。
以下示例复用了 DefaultOAuth2TokenRequestHeadersConverter,并禁用了 encodeClientCredentials,从而使得 HTTP Basic 凭据不再使用 application/x-www-form-urlencoded 进行编码:
-
Java
-
Kotlin
DefaultOAuth2TokenRequestHeadersConverter headersConverter =
new DefaultOAuth2TokenRequestHeadersConverter();
headersConverter.setEncodeClientCredentials(false);
WebClientReactiveClientCredentialsTokenResponseClient accessTokenResponseClient =
new WebClientReactiveClientCredentialsTokenResponseClient();
accessTokenResponseClient.setHeadersConverter(headersConverter);val headersConverter = DefaultOAuth2TokenRequestHeadersConverter()
headersConverter.setEncodeClientCredentials(false)
val accessTokenResponseClient = WebClientReactiveClientCredentialsTokenResponseClient()
accessTokenResponseClient.setHeadersConverter(headersConverter)自定义请求参数
有三种选项可用于自定义请求参数:
-
通过调用
addParametersConverter()添加额外参数 -
通过调用
setParametersConverter()来覆盖参数 -
通过调用
setParametersCustomizer()完全自定义参数
|
使用 |
你可以使用 addParametersConverter() 添加额外的参数,而不会影响每个请求中默认添加的参数。
以下示例在 audience 为 registrationId 时,向请求中添加一个 keycloak 参数:
-
Java
-
Kotlin
WebClientReactiveClientCredentialsTokenResponseClient accessTokenResponseClient =
new WebClientReactiveClientCredentialsTokenResponseClient();
accessTokenResponseClient.addParametersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
MultiValueMap<String, String> parameters = new LinkedMultiValueMap<String, String>();
if (clientRegistration.getRegistrationId().equals("keycloak")) {
parameters.set(OAuth2ParameterNames.AUDIENCE, "my-audience");
}
return parameters;
});val accessTokenResponseClient = WebClientReactiveClientCredentialsTokenResponseClient()
accessTokenResponseClient.addParametersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val parameters = LinkedMultiValueMap<String, String>()
if (clientRegistration.getRegistrationId() == "keycloak") {
parameters[OAuth2ParameterNames.AUDIENCE] = "my-audience"
}
parameters
}你可以使用 setParametersConverter() 来覆盖默认参数。
以下示例在 client_id 为 registrationId 时,覆盖了 okta 参数:
-
Java
-
Kotlin
WebClientReactiveClientCredentialsTokenResponseClient accessTokenResponseClient =
new WebClientReactiveClientCredentialsTokenResponseClient();
accessTokenResponseClient.setParametersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
LinkedMultiValueMap<String, String> parameters = new LinkedMultiValueMap<>();
if (clientRegistration.getRegistrationId().equals("okta")) {
parameters.set(OAuth2ParameterNames.CLIENT_ID, "my-client");
}
return parameters;
});val accessTokenResponseClient = WebClientReactiveClientCredentialsTokenResponseClient()
accessTokenResponseClient.setParametersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val parameters = LinkedMultiValueMap<String, String>()
if (clientRegistration.getRegistrationId() == "okta") {
parameters[OAuth2ParameterNames.CLIENT_ID] = "my-client"
}
parameters
}您可以使用 setParametersCustomizer() 完全自定义参数(包括省略默认参数)。
以下示例在请求中包含 client_id 参数时,省略了 client_assertion 参数:
-
Java
-
Kotlin
WebClientReactiveClientCredentialsTokenResponseClient accessTokenResponseClient =
new WebClientReactiveClientCredentialsTokenResponseClient();
accessTokenResponseClient.setParametersCustomizer(parameters -> {
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID);
}
});val accessTokenResponseClient = WebClientReactiveClientCredentialsTokenResponseClient()
accessTokenResponseClient.setParametersCustomizer { parameters ->
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID)
}
}自定义访问Tokens响应
WebClientReactiveClientCredentialsTokenResponseClient 提供了自定义 OAuth 2.0 访问Tokens响应的钩子。
自定义响应参数
您可以自定义 Token Response 参数转换为OAuth2AccessTokenResponse的方式,通过调用setBodyExtractor()。
默认实现 OAuth2BodyExtractors.oauth2AccessTokenResponse() 会解析响应并相应处理错误。
以下示例为自定义Tokens响应参数转换为 OAuth2AccessTokenResponse 提供了一个起点:
-
Java
-
Kotlin
WebClientReactiveClientCredentialsTokenResponseClient accessTokenResponseClient =
new WebClientReactiveClientCredentialsTokenResponseClient();
BodyExtractor<Mono<Map<String, Object>>, ReactiveHttpInputMessage> bodyExtractor =
BodyExtractors.toMono(new ParameterizedTypeReference<>() {});
accessTokenResponseClient.setBodyExtractor((inputMessage, context) ->
bodyExtractor.extract(inputMessage, context)
.map((parameters) -> parameters.withToken("custom-token")
// ...
.build()
)
);val accessTokenResponseClient = WebClientReactiveClientCredentialsTokenResponseClient()
val bodyExtractor = BodyExtractors.toMono(object : ParameterizedTypeReference<Map<String, Any>>() {})
accessTokenResponseClient.setBodyExtractor { inputMessage, context ->
bodyExtractor.extract(inputMessage, context).map { parameters ->
OAuth2AccessTokenResponse.withToken("custom-token")
// ...
.build()
}
}|
当提供自定义的 |
自定义WebClient
Alternatively, 如果您的需求更加复杂,您可以为WebClient提供一个预配置的setWebClient()以完全控制请求和/或响应,如以下示例所示:
WebClient-
Java
-
Kotlin
WebClient webClient = WebClient.builder()
// ...
.build();
WebClientReactiveClientCredentialsTokenResponseClient accessTokenResponseClient =
new WebClientReactiveClientCredentialsTokenResponseClient();
accessTokenResponseClient.setWebClient(webClient);val webClient = WebClient.builder()
// ...
.build()
val accessTokenResponseClient = WebClientReactiveClientCredentialsTokenResponseClient()
accessTokenResponseClient.setWebClient(webClient)使用构建器进行自定义
是否自定义WebClientReactiveClientCredentialsTokenResponseClient或提供您自己的ReactiveOAuth2AccessTokenResponseClient的实现,您可以使用ReactiveOAuth2AuthorizedClientProviderBuilder对其进行配置(作为发布bean的一个替代方案),如下所示:
-
Java
-
Kotlin
// Customize
ReactiveOAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> clientCredentialsTokenResponseClient = ...
ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.clientCredentials((configurer) -> configurer.accessTokenResponseClient(clientCredentialsTokenResponseClient))
.build();
// ...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);// Customize
val clientCredentialsTokenResponseClient: ReactiveOAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> = ...
val authorizedClientProvider: ReactiveOAuth2AuthorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.clientCredentials { it.accessTokenResponseClient(clientCredentialsTokenResponseClient) }
.build()
// ...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)|
|
使用访问Tokens
给定以下用于 OAuth 2.0 客户端注册的 Spring Boot 属性:
spring:
security:
oauth2:
client:
registration:
okta:
client-id: okta-client-id
client-secret: okta-client-secret
authorization-grant-type: client_credentials
scope: read, write
provider:
okta:
token-uri: https://dev-1234.oktapreview.com/oauth2/v1/token... 和 ReactiveOAuth2AuthorizedClientManager @Bean:
-
Java
-
Kotlin
@Bean
public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
ReactiveClientRegistrationRepository clientRegistrationRepository,
ServerOAuth2AuthorizedClientRepository authorizedClientRepository) {
ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.clientCredentials()
.build();
DefaultReactiveOAuth2AuthorizedClientManager authorizedClientManager =
new DefaultReactiveOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository);
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
return authorizedClientManager;
}@Bean
fun authorizedClientManager(
clientRegistrationRepository: ReactiveClientRegistrationRepository,
authorizedClientRepository: ServerOAuth2AuthorizedClientRepository): ReactiveOAuth2AuthorizedClientManager {
val authorizedClientProvider: ReactiveOAuth2AuthorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.clientCredentials()
.build()
val authorizedClientManager = DefaultReactiveOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository)
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
return authorizedClientManager
}您可以按如下方式获取 OAuth2AccessToken:
-
Java
-
Kotlin
@Controller
public class OAuth2ClientController {
@Autowired
private ReactiveOAuth2AuthorizedClientManager authorizedClientManager;
@GetMapping("/")
public Mono<String> index(Authentication authentication, ServerWebExchange exchange) {
OAuth2AuthorizeRequest authorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
.principal(authentication)
.attribute(ServerWebExchange.class.getName(), exchange)
.build();
return this.authorizedClientManager.authorize(authorizeRequest)
.map(OAuth2AuthorizedClient::getAccessToken)
// ...
.thenReturn("index");
}
}class OAuth2ClientController {
@Autowired
private lateinit var authorizedClientManager: ReactiveOAuth2AuthorizedClientManager
@GetMapping("/")
fun index(authentication: Authentication, exchange: ServerWebExchange): Mono<String> {
val authorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
.principal(authentication)
.attribute(ServerWebExchange::class.java.name, exchange)
.build()
return authorizedClientManager.authorize(authorizeRequest)
.map { it.accessToken }
// ...
.thenReturn("index")
}
}|
|
JWT Bearer
|
有关 JWT Bearer 授权的更多详细信息,请参阅《OAuth 2.0 客户端认证与授权许可的 JSON Web Token (JWT) 规范》。 |
请求访问Tokens
|
请参阅访问Tokens请求/响应协议流程,了解 JWT Bearer 授权类型。 |
默认实现ReactiveOAuth2AccessTokenResponseClient的JWT Bearer授权方式是WebClientReactiveJwtBearerTokenResponseClient,它在请求访问Tokens时使用WebClient从授权服务器(Authorization Server)的Tokens端点(Token Endpoint)获取Tokens。
要自定义WebClientReactiveJwtBearerTokenResponseClient,只需如以下示例一样提供一个 bean,并且它将被默认的ReactiveOAuth2AuthorizedClientManager自动识别:
-
Java
-
Kotlin
@Bean
public ReactiveOAuth2AccessTokenResponseClient<JwtBearerGrantRequest> accessTokenResponseClient() {
WebClientReactiveJwtBearerTokenResponseClient accessTokenResponseClient =
new WebClientReactiveJwtBearerTokenResponseClient();
// ...
return accessTokenResponseClient;
}@Bean
fun accessTokenResponseClient(): ReactiveOAuth2AccessTokenResponseClient<JWT Bearer> {
val accessTokenResponseClient = WebClientReactiveJwtBearerTokenResponseClient()
// ...
return accessTokenResponseClient
}WebClientReactiveJwtBearerTokenResponseClient 非常灵活,提供了多种选项用于自定义 JWT Bearer 授权的 OAuth 2.0 访问Tokens请求和响应。
请从以下使用场景中选择以了解更多信息:
自定义访问Tokens请求
WebClientReactiveJwtBearerTokenResponseClient 提供了自定义 Token 请求的 HTTP 头和请求参数的钩子。
自定义请求头
有两种自定义 HTTP 头部的选项:
-
通过调用
addHeadersConverter()添加额外的请求头 -
通过调用
setHeadersConverter()完全自定义标头
你可以使用 addHeadersConverter() 方法添加额外的请求头,而不会影响每个请求默认添加的请求头。
以下示例在 User-Agent 为 registrationId 时,向请求中添加一个 spring 请求头:
-
Java
-
Kotlin
WebClientReactiveJwtBearerTokenResponseClient accessTokenResponseClient =
new WebClientReactiveJwtBearerTokenResponseClient();
accessTokenResponseClient.addHeadersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
HttpHeaders headers = new HttpHeaders();
if (clientRegistration.getRegistrationId().equals("spring")) {
headers.set(HttpHeaders.USER_AGENT, "my-user-agent");
}
return headers;
});val accessTokenResponseClient = WebClientReactiveJwtBearerTokenResponseClient()
accessTokenResponseClient.addHeadersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val headers = HttpHeaders()
if (clientRegistration.getRegistrationId() == "spring") {
headers[HttpHeaders.USER_AGENT] = "my-user-agent"
}
headers
}你可以通过复用 DefaultOAuth2TokenRequestHeadersConverter 或使用 setHeadersConverter() 提供自定义实现来完全自定义请求头。
以下示例复用了 DefaultOAuth2TokenRequestHeadersConverter,并禁用了 encodeClientCredentials,从而使得 HTTP Basic 凭据不再使用 application/x-www-form-urlencoded 进行编码:
-
Java
-
Kotlin
DefaultOAuth2TokenRequestHeadersConverter headersConverter =
new DefaultOAuth2TokenRequestHeadersConverter();
headersConverter.setEncodeClientCredentials(false);
WebClientReactiveJwtBearerTokenResponseClient accessTokenResponseClient =
new WebClientReactiveJwtBearerTokenResponseClient();
accessTokenResponseClient.setHeadersConverter(headersConverter);val headersConverter = DefaultOAuth2TokenRequestHeadersConverter()
headersConverter.setEncodeClientCredentials(false)
val accessTokenResponseClient = WebClientReactiveJwtBearerTokenResponseClient()
accessTokenResponseClient.setHeadersConverter(headersConverter)自定义请求参数
有三种选项可用于自定义请求参数:
-
通过调用
addParametersConverter()添加额外参数 -
通过调用
setParametersConverter()来覆盖参数 -
通过调用
setParametersCustomizer()完全自定义参数
|
使用 |
你可以使用 addParametersConverter() 添加额外的参数,而不会影响每个请求中默认添加的参数。
以下示例在 audience 为 registrationId 时,向请求中添加一个 keycloak 参数:
-
Java
-
Kotlin
WebClientReactiveJwtBearerTokenResponseClient accessTokenResponseClient =
new WebClientReactiveJwtBearerTokenResponseClient();
accessTokenResponseClient.addParametersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
MultiValueMap<String, String> parameters = new LinkedMultiValueMap<String, String>();
if (clientRegistration.getRegistrationId().equals("keycloak")) {
parameters.set(OAuth2ParameterNames.AUDIENCE, "my-audience");
}
return parameters;
});val accessTokenResponseClient = WebClientReactiveJwtBearerTokenResponseClient()
accessTokenResponseClient.addParametersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val parameters = LinkedMultiValueMap<String, String>()
if (clientRegistration.getRegistrationId() == "keycloak") {
parameters[OAuth2ParameterNames.AUDIENCE] = "my-audience"
}
parameters
}你可以使用 setParametersConverter() 来覆盖默认参数。
以下示例在 client_id 为 registrationId 时,覆盖了 okta 参数:
-
Java
-
Kotlin
WebClientReactiveJwtBearerTokenResponseClient accessTokenResponseClient =
new WebClientReactiveJwtBearerTokenResponseClient();
accessTokenResponseClient.setParametersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
LinkedMultiValueMap<String, String> parameters = new LinkedMultiValueMap<>();
if (clientRegistration.getRegistrationId().equals("okta")) {
parameters.set(OAuth2ParameterNames.CLIENT_ID, "my-client");
}
return parameters;
});val accessTokenResponseClient = WebClientReactiveJwtBearerTokenResponseClient()
accessTokenResponseClient.setParametersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val parameters = LinkedMultiValueMap<String, String>()
if (clientRegistration.getRegistrationId() == "okta") {
parameters[OAuth2ParameterNames.CLIENT_ID] = "my-client"
}
parameters
}您可以使用 setParametersCustomizer() 完全自定义参数(包括省略默认参数)。
以下示例在请求中包含 client_id 参数时,省略了 client_assertion 参数:
-
Java
-
Kotlin
WebClientReactiveJwtBearerTokenResponseClient accessTokenResponseClient =
new WebClientReactiveJwtBearerTokenResponseClient();
accessTokenResponseClient.setParametersCustomizer(parameters -> {
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID);
}
});val accessTokenResponseClient = WebClientReactiveJwtBearerTokenResponseClient()
accessTokenResponseClient.setParametersCustomizer { parameters ->
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID)
}
}自定义访问Tokens响应
WebClientReactiveJwtBearerTokenResponseClient 提供了自定义 OAuth 2.0 访问Tokens响应的钩子。
自定义响应参数
您可以自定义 Token Response 参数转换为OAuth2AccessTokenResponse的方式,通过调用setBodyExtractor()。
默认实现 OAuth2BodyExtractors.oauth2AccessTokenResponse() 会解析响应并相应处理错误。
以下示例为自定义Tokens响应参数转换为 OAuth2AccessTokenResponse 提供了一个起点:
-
Java
-
Kotlin
WebClientReactiveJwtBearerTokenResponseClient accessTokenResponseClient =
new WebClientReactiveJwtBearerTokenResponseClient();
BodyExtractor<Mono<Map<String, Object>>, ReactiveHttpInputMessage> bodyExtractor =
BodyExtractors.toMono(new ParameterizedTypeReference<>() {});
accessTokenResponseClient.setBodyExtractor((inputMessage, context) ->
bodyExtractor.extract(inputMessage, context)
.map((parameters) -> parameters.withToken("custom-token")
// ...
.build()
)
);val accessTokenResponseClient = WebClientReactiveJwtBearerTokenResponseClient()
val bodyExtractor = BodyExtractors.toMono(object : ParameterizedTypeReference<Map<String, Any>>() {})
accessTokenResponseClient.setBodyExtractor { inputMessage, context ->
bodyExtractor.extract(inputMessage, context).map { parameters ->
OAuth2AccessTokenResponse.withToken("custom-token")
// ...
.build()
}
}|
当提供自定义的 |
自定义WebClient
Alternatively, 如果您的需求更加复杂,您可以为WebClient提供一个预配置的setWebClient()以完全控制请求和/或响应,如以下示例所示:
WebClient-
Java
-
Kotlin
WebClient webClient = WebClient.builder()
// ...
.build();
WebClientReactiveJwtBearerTokenResponseClient accessTokenResponseClient =
new WebClientReactiveJwtBearerTokenResponseClient();
accessTokenResponseClient.setWebClient(webClient);val webClient = WebClient.builder()
// ...
.build()
val accessTokenResponseClient = WebClientReactiveJwtBearerTokenResponseClient()
accessTokenResponseClient.setWebClient(webClient)使用构建器进行自定义
是否自定义WebClientReactiveJwtBearerTokenResponseClient或提供您自己的ReactiveOAuth2AccessTokenResponseClient的实现,您可以使用ReactiveOAuth2AuthorizedClientProviderBuilder对其进行配置(作为发布bean的一个替代方案),如下所示:
-
Java
-
Kotlin
// Customize
ReactiveOAuth2AccessTokenResponseClient<JwtBearerGrantRequest> jwtBearerTokenResponseClient = ...
JwtBearerReactiveOAuth2AuthorizedClientProvider jwtBearerAuthorizedClientProvider = new JwtBearerReactiveOAuth2AuthorizedClientProvider();
jwtBearerAuthorizedClientProvider.setAccessTokenResponseClient(jwtBearerTokenResponseClient);
ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.provider(jwtBearerAuthorizedClientProvider)
.build();
// ...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);// Customize
val jwtBearerTokenResponseClient: ReactiveOAuth2AccessTokenResponseClient<JwtBearerGrantRequest> = ...
val jwtBearerAuthorizedClientProvider = JwtBearerReactiveOAuth2AuthorizedClientProvider()
jwtBearerAuthorizedClientProvider.setAccessTokenResponseClient(jwtBearerTokenResponseClient)
val authorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.provider(jwtBearerAuthorizedClientProvider)
.build()
// ...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)使用访问Tokens
给定以下用于 OAuth 2.0 客户端注册的 Spring Boot 属性:
spring:
security:
oauth2:
client:
registration:
okta:
client-id: okta-client-id
client-secret: okta-client-secret
authorization-grant-type: urn:ietf:params:oauth:grant-type:jwt-bearer
scope: read
provider:
okta:
token-uri: https://dev-1234.oktapreview.com/oauth2/v1/token... 和 OAuth2AuthorizedClientManager @Bean:
-
Java
-
Kotlin
@Bean
public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
ReactiveClientRegistrationRepository clientRegistrationRepository,
ServerOAuth2AuthorizedClientRepository authorizedClientRepository) {
JwtBearerReactiveOAuth2AuthorizedClientProvider jwtBearerAuthorizedClientProvider =
new JwtBearerReactiveOAuth2AuthorizedClientProvider();
ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.provider(jwtBearerAuthorizedClientProvider)
.build();
DefaultReactiveOAuth2AuthorizedClientManager authorizedClientManager =
new DefaultReactiveOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository);
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
return authorizedClientManager;
}@Bean
fun authorizedClientManager(
clientRegistrationRepository: ReactiveClientRegistrationRepository,
authorizedClientRepository: ServerOAuth2AuthorizedClientRepository): ReactiveOAuth2AuthorizedClientManager {
val jwtBearerAuthorizedClientProvider = JwtBearerReactiveOAuth2AuthorizedClientProvider()
val authorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.provider(jwtBearerAuthorizedClientProvider)
.build()
val authorizedClientManager = DefaultReactiveOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository)
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
return authorizedClientManager
}您可以按如下方式获取 OAuth2AccessToken:
-
Java
-
Kotlin
@RestController
public class OAuth2ResourceServerController {
@Autowired
private ReactiveOAuth2AuthorizedClientManager authorizedClientManager;
@GetMapping("/resource")
public Mono<String> resource(JwtAuthenticationToken jwtAuthentication, ServerWebExchange exchange) {
OAuth2AuthorizeRequest authorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
.principal(jwtAuthentication)
.build();
return this.authorizedClientManager.authorize(authorizeRequest)
.map(OAuth2AuthorizedClient::getAccessToken)
// ...
.thenReturn("index");
}
}class OAuth2ResourceServerController {
@Autowired
private lateinit var authorizedClientManager: ReactiveOAuth2AuthorizedClientManager
@GetMapping("/resource")
fun resource(jwtAuthentication: JwtAuthenticationToken, exchange: ServerWebExchange): Mono<String> {
val authorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
.principal(jwtAuthentication)
.build()
return authorizedClientManager.authorize(authorizeRequest)
.map { it.accessToken }
// ...
.thenReturn("index")
}
}|
|
|
如果你需要从其他来源解析 |
Tokens交换
|
有关Tokens交换授权的更多详细信息,请参阅 OAuth 2.0 Tokens交换。 |
请求访问Tokens
|
请参阅Tokens交换请求与响应协议流程,了解Tokens交换授权的相关内容。 |
默认实现ReactiveOAuth2AccessTokenResponseClient的Token Exchange授权类型是WebClientReactiveTokenExchangeTokenResponseClient,它在请求访问Tokens时使用WebClient来向授权服务器的Token端点发出请求。
要自定义WebClientReactiveTokenExchangeTokenResponseClient,只需如以下示例一样提供一个 bean,并且它将被默认的ReactiveOAuth2AuthorizedClientManager自动识别:
-
Java
-
Kotlin
@Bean
public ReactiveOAuth2AccessTokenResponseClient<TokenExchangeGrantRequest> accessTokenResponseClient() {
WebClientReactiveTokenExchangeTokenResponseClient accessTokenResponseClient =
new WebClientReactiveTokenExchangeTokenResponseClient();
// ...
return accessTokenResponseClient;
}@Bean
fun accessTokenResponseClient(): ReactiveOAuth2AccessTokenResponseClient<Token Exchange> {
val accessTokenResponseClient = WebClientReactiveTokenExchangeTokenResponseClient()
// ...
return accessTokenResponseClient
}WebClientReactiveTokenExchangeTokenResponseClient 非常灵活,并提供了多种选项来自定义 OAuth 2.0 Access Token 的请求和响应(针对 Token Exchange 授予方式)。
选择以下用例以获取更多信息:
自定义访问Tokens请求
WebClientReactiveTokenExchangeTokenResponseClient 提供了自定义 Token 请求的 HTTP 头和请求参数的钩子。
自定义请求头
有两种自定义 HTTP 头部的选项:
-
通过调用
addHeadersConverter()添加额外的请求头 -
通过调用
setHeadersConverter()完全自定义标头
你可以使用 addHeadersConverter() 方法添加额外的请求头,而不会影响每个请求默认添加的请求头。
以下示例在 User-Agent 为 registrationId 时,向请求中添加一个 spring 请求头:
-
Java
-
Kotlin
WebClientReactiveTokenExchangeTokenResponseClient accessTokenResponseClient =
new WebClientReactiveTokenExchangeTokenResponseClient();
accessTokenResponseClient.addHeadersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
HttpHeaders headers = new HttpHeaders();
if (clientRegistration.getRegistrationId().equals("spring")) {
headers.set(HttpHeaders.USER_AGENT, "my-user-agent");
}
return headers;
});val accessTokenResponseClient = WebClientReactiveTokenExchangeTokenResponseClient()
accessTokenResponseClient.addHeadersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val headers = HttpHeaders()
if (clientRegistration.getRegistrationId() == "spring") {
headers[HttpHeaders.USER_AGENT] = "my-user-agent"
}
headers
}你可以通过复用 DefaultOAuth2TokenRequestHeadersConverter 或使用 setHeadersConverter() 提供自定义实现来完全自定义请求头。
以下示例复用了 DefaultOAuth2TokenRequestHeadersConverter,并禁用了 encodeClientCredentials,从而使得 HTTP Basic 凭据不再使用 application/x-www-form-urlencoded 进行编码:
-
Java
-
Kotlin
DefaultOAuth2TokenRequestHeadersConverter headersConverter =
new DefaultOAuth2TokenRequestHeadersConverter();
headersConverter.setEncodeClientCredentials(false);
WebClientReactiveTokenExchangeTokenResponseClient accessTokenResponseClient =
new WebClientReactiveTokenExchangeTokenResponseClient();
accessTokenResponseClient.setHeadersConverter(headersConverter);val headersConverter = DefaultOAuth2TokenRequestHeadersConverter()
headersConverter.setEncodeClientCredentials(false)
val accessTokenResponseClient = WebClientReactiveTokenExchangeTokenResponseClient()
accessTokenResponseClient.setHeadersConverter(headersConverter)自定义请求参数
有三种选项可用于自定义请求参数:
-
通过调用
addParametersConverter()添加额外参数 -
通过调用
setParametersConverter()来覆盖参数 -
通过调用
setParametersCustomizer()完全自定义参数
|
使用 |
你可以使用 addParametersConverter() 添加额外的参数,而不会影响每个请求中默认添加的参数。
以下示例在 audience 为 registrationId 时,向请求中添加一个 keycloak 参数:
-
Java
-
Kotlin
WebClientReactiveTokenExchangeTokenResponseClient accessTokenResponseClient =
new WebClientReactiveTokenExchangeTokenResponseClient();
accessTokenResponseClient.addParametersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
MultiValueMap<String, String> parameters = new LinkedMultiValueMap<String, String>();
if (clientRegistration.getRegistrationId().equals("keycloak")) {
parameters.set(OAuth2ParameterNames.AUDIENCE, "my-audience");
}
return parameters;
});val accessTokenResponseClient = WebClientReactiveTokenExchangeTokenResponseClient()
accessTokenResponseClient.addParametersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val parameters = LinkedMultiValueMap<String, String>()
if (clientRegistration.getRegistrationId() == "keycloak") {
parameters[OAuth2ParameterNames.AUDIENCE] = "my-audience"
}
parameters
}你可以使用 setParametersConverter() 来覆盖默认参数。
以下示例在 client_id 为 registrationId 时,覆盖了 okta 参数:
-
Java
-
Kotlin
WebClientReactiveTokenExchangeTokenResponseClient accessTokenResponseClient =
new WebClientReactiveTokenExchangeTokenResponseClient();
accessTokenResponseClient.setParametersConverter(grantRequest -> {
ClientRegistration clientRegistration = grantRequest.getClientRegistration();
LinkedMultiValueMap<String, String> parameters = new LinkedMultiValueMap<>();
if (clientRegistration.getRegistrationId().equals("okta")) {
parameters.set(OAuth2ParameterNames.CLIENT_ID, "my-client");
}
return parameters;
});val accessTokenResponseClient = WebClientReactiveTokenExchangeTokenResponseClient()
accessTokenResponseClient.setParametersConverter { grantRequest ->
val clientRegistration = grantRequest.getClientRegistration()
val parameters = LinkedMultiValueMap<String, String>()
if (clientRegistration.getRegistrationId() == "okta") {
parameters[OAuth2ParameterNames.CLIENT_ID] = "my-client"
}
parameters
}您可以使用 setParametersCustomizer() 完全自定义参数(包括省略默认参数)。
以下示例在请求中包含 client_id 参数时,省略了 client_assertion 参数:
-
Java
-
Kotlin
WebClientReactiveTokenExchangeTokenResponseClient accessTokenResponseClient =
new WebClientReactiveTokenExchangeTokenResponseClient();
accessTokenResponseClient.setParametersCustomizer(parameters -> {
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID);
}
});val accessTokenResponseClient = WebClientReactiveTokenExchangeTokenResponseClient()
accessTokenResponseClient.setParametersCustomizer { parameters ->
if (parameters.containsKey(OAuth2ParameterNames.CLIENT_ASSERTION)) {
parameters.remove(OAuth2ParameterNames.CLIENT_ID)
}
}自定义访问Tokens响应
WebClientReactiveTokenExchangeTokenResponseClient 提供了自定义 OAuth 2.0 访问Tokens响应的钩子。
自定义响应参数
您可以自定义 Token Response 参数转换为OAuth2AccessTokenResponse的方式,通过调用setBodyExtractor()。
默认实现 OAuth2BodyExtractors.oauth2AccessTokenResponse() 会解析响应并相应处理错误。
以下示例为自定义Tokens响应参数转换为 OAuth2AccessTokenResponse 提供了一个起点:
-
Java
-
Kotlin
WebClientReactiveTokenExchangeTokenResponseClient accessTokenResponseClient =
new WebClientReactiveTokenExchangeTokenResponseClient();
BodyExtractor<Mono<Map<String, Object>>, ReactiveHttpInputMessage> bodyExtractor =
BodyExtractors.toMono(new ParameterizedTypeReference<>() {});
accessTokenResponseClient.setBodyExtractor((inputMessage, context) ->
bodyExtractor.extract(inputMessage, context)
.map((parameters) -> parameters.withToken("custom-token")
// ...
.build()
)
);val accessTokenResponseClient = WebClientReactiveTokenExchangeTokenResponseClient()
val bodyExtractor = BodyExtractors.toMono(object : ParameterizedTypeReference<Map<String, Any>>() {})
accessTokenResponseClient.setBodyExtractor { inputMessage, context ->
bodyExtractor.extract(inputMessage, context).map { parameters ->
OAuth2AccessTokenResponse.withToken("custom-token")
// ...
.build()
}
}|
当提供自定义的 |
自定义WebClient
Alternatively, 如果您的需求更加复杂,您可以为WebClient提供一个预配置的setWebClient()以完全控制请求和/或响应,如以下示例所示:
WebClient-
Java
-
Kotlin
WebClient webClient = WebClient.builder()
// ...
.build();
WebClientReactiveTokenExchangeTokenResponseClient accessTokenResponseClient =
new WebClientReactiveTokenExchangeTokenResponseClient();
accessTokenResponseClient.setWebClient(webClient);val webClient = WebClient.builder()
// ...
.build()
val accessTokenResponseClient = WebClientReactiveTokenExchangeTokenResponseClient()
accessTokenResponseClient.setWebClient(webClient)使用构建器进行自定义
是否自定义WebClientReactiveTokenExchangeTokenResponseClient或提供您自己的ReactiveOAuth2AccessTokenResponseClient的实现,您可以使用ReactiveOAuth2AuthorizedClientProviderBuilder对其进行配置(作为发布bean的一个替代方案),如下所示:
-
Java
-
Kotlin
// Customize
ReactiveOAuth2AccessTokenResponseClient<TokenExchangeGrantRequest> tokenExchangeTokenResponseClient = ...
TokenExchangeReactiveOAuth2AuthorizedClientProvider tokenExchangeAuthorizedClientProvider = new TokenExchangeReactiveOAuth2AuthorizedClientProvider();
tokenExchangeAuthorizedClientProvider.setAccessTokenResponseClient(tokenExchangeTokenResponseClient);
ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.provider(tokenExchangeAuthorizedClientProvider)
.build();
// ...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);// Customize
val tokenExchangeTokenResponseClient: ReactiveOAuth2AccessTokenResponseClient<TokenExchangeGrantRequest> = ...
val tokenExchangeAuthorizedClientProvider = TokenExchangeReactiveOAuth2AuthorizedClientProvider()
tokenExchangeAuthorizedClientProvider.setAccessTokenResponseClient(tokenExchangeTokenResponseClient)
val authorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.provider(tokenExchangeAuthorizedClientProvider)
.build()
// ...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)使用访问Tokens
给定以下用于 OAuth 2.0 客户端注册的 Spring Boot 属性:
spring:
security:
oauth2:
client:
registration:
okta:
client-id: okta-client-id
client-secret: okta-client-secret
authorization-grant-type: urn:ietf:params:oauth:grant-type:token-exchange
scope: read
provider:
okta:
token-uri: https://dev-1234.oktapreview.com/oauth2/v1/token... 和 OAuth2AuthorizedClientManager @Bean:
-
Java
-
Kotlin
@Bean
public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
ReactiveClientRegistrationRepository clientRegistrationRepository,
ServerOAuth2AuthorizedClientRepository authorizedClientRepository) {
TokenExchangeReactiveOAuth2AuthorizedClientProvider tokenExchangeAuthorizedClientProvider =
new TokenExchangeReactiveOAuth2AuthorizedClientProvider();
ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.provider(tokenExchangeAuthorizedClientProvider)
.build();
DefaultReactiveOAuth2AuthorizedClientManager authorizedClientManager =
new DefaultReactiveOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository);
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
return authorizedClientManager;
}@Bean
fun authorizedClientManager(
clientRegistrationRepository: ReactiveClientRegistrationRepository,
authorizedClientRepository: ServerOAuth2AuthorizedClientRepository): ReactiveOAuth2AuthorizedClientManager {
val tokenExchangeAuthorizedClientProvider = TokenExchangeReactiveOAuth2AuthorizedClientProvider()
val authorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.provider(tokenExchangeAuthorizedClientProvider)
.build()
val authorizedClientManager = DefaultReactiveOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository)
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
return authorizedClientManager
}您可以按如下方式获取 OAuth2AccessToken:
-
Java
-
Kotlin
@RestController
public class OAuth2ResourceServerController {
@Autowired
private ReactiveOAuth2AuthorizedClientManager authorizedClientManager;
@GetMapping("/resource")
public Mono<String> resource(JwtAuthenticationToken jwtAuthentication) {
OAuth2AuthorizeRequest authorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
.principal(jwtAuthentication)
.build();
return this.authorizedClientManager.authorize(authorizeRequest)
.map(OAuth2AuthorizedClient::getAccessToken)
// ...
.thenReturn("index");
}
}class OAuth2ResourceServerController {
@Autowired
private lateinit var authorizedClientManager: ReactiveOAuth2AuthorizedClientManager
@GetMapping("/resource")
fun resource(jwtAuthentication: JwtAuthenticationToken): Mono<String> {
val authorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
.principal(jwtAuthentication)
.build()
return authorizedClientManager.authorize(authorizeRequest)
.map { it.accessToken }
// ...
.thenReturn("index")
}
}|
|
|
如果你需要从不同的来源解析主体Tokens(subject token),可以向 |
|
如果你需要解析一个参与者(actor)Tokens,可以向 |