# 授权赠款支助
## 授权代码
| |有关[授权代码](https://tools.ietf.org/html/rfc6749#section-1.3.1)授权的更多详细信息,请参阅 OAuth2.0 授权框架。|
|---|---------------------------------------------------------------------------------------------------------------------------------------------------------------|
### 获得授权
| |请参阅[授权请求/回应](https://tools.ietf.org/html/rfc6749#section-4.1.1)协议流以获得授权代码授权。|
|---|-------------------------------------------------------------------------------------------------------------------------------------------------------|
### 发起授权请求
`OAuth2AuthorizationRequestRedirectWebFilter`使用`ServerOAuth2AuthorizationRequestResolver`解析`OAuth2AuthorizationRequest`,并通过将最终用户的用户代理重定向到授权服务器的授权端点来启动授权代码授予流。
`ServerOAuth2AuthorizationRequestResolver`的主要作用是从提供的 Web 请求中解析`OAuth2AuthorizationRequest`。默认实现`DefaultServerOAuth2AuthorizationRequestResolver`在(默认)路径`/oauth2/authorization/{registrationId}`上匹配,提取`registrationId`并使用它为关联的`OAuth2AuthorizationRequest`构建`OAuth2AuthorizationRequest`。
给出了 OAuth2.0 客户端注册的以下 Spring Boot2.x 属性:
```
spring:
security:
oauth2:
client:
registration:
okta:
client-id: okta-client-id
client-secret: okta-client-secret
authorization-grant-type: authorization_code
redirect-uri: "{baseUrl}/authorized/okta"
scope: read, write
provider:
okta:
authorization-uri: https://dev-1234.oktapreview.com/oauth2/v1/authorize
token-uri: https://dev-1234.oktapreview.com/oauth2/v1/token
```
具有基本路径`/oauth2/authorization/okta`的请求将启动由`OAuth2AuthorizationRequestRedirectWebFilter`重定向的授权请求,并最终启动授权代码授予流。
| |`AuthorizationCodeReactiveOAuth2AuthorizedClientProvider`是用于授权代码授予的`ReactiveOAuth2AuthorizedClientProvider`的实现,
还通过`OAuth2AuthorizationRequestRedirectWebFilter`发起重定向的授权请求。|
|---|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
如果 OAuth2.0 客户端是[公共客户](https://tools.ietf.org/html/rfc6749#section-2.1),则按照以下方式配置 OAuth2.0 客户端注册:
```
spring:
security:
oauth2:
client:
registration:
okta:
client-id: okta-client-id
client-authentication-method: none
authorization-grant-type: authorization_code
redirect-uri: "{baseUrl}/authorized/okta"
...
```
使用[代码交换的证明密钥](https://tools.ietf.org/html/rfc7636)支持公共客户端。如果客户机运行在不受信任的环境中(例如,本地应用程序或基于 Web 浏览器的应用程序),因此不能维护其凭据的机密性,则当以下条件成立时,将自动使用 PKCE:
1. `client-secret`省略(或为空)
2. `client-authentication-method`设置为“无”(`ClientAuthenticationMethod.NONE`)
`DefaultServerOAuth2AuthorizationRequestResolver`还支持`URI`使用`UriComponentsBuilder`的`redirect-uri`模板变量。
以下配置使用了所有受支持的`URI`模板变量:
```
spring:
security:
oauth2:
client:
registration:
okta:
...
redirect-uri: "{baseScheme}://{baseHost}{basePort}{basePath}/authorized/{registrationId}"
...
```
| |`{baseUrl}`解析为`{baseScheme}://{baseHost}{basePort}{basePath}`|
|---|-----------------------------------------------------------------------|
当 OAuth2.0 客户端运行在[代理服务器](../../../features/exploits/http.html#http-proxy-server)之后时,使用`redirect-uri`模板变量配置`URI`模板变量特别有用。这确保了在展开`redirect-uri`时使用`X-Forwarded-*`头。
### 自定义授权请求
`ServerOAuth2AuthorizationRequestResolver`可以实现的主要用例之一是,能够使用 OAuth2.0 授权框架中定义的标准参数之上的附加参数来定制授权请求。
例如,OpenID Connect 为[授权代码流](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest)定义了额外的 OAuth2.0 请求参数,它是从[OAuth2.0 授权框架](https://tools.ietf.org/html/rfc6749#section-4.1.1)中定义的标准参数扩展而来的。其中一个扩展参数是`prompt`参数。
| |可选的。以空格分隔、区分大小写的 ASCII 字符串值列表,该列表指定授权服务器是否提示最终用户进行重新身份验证和同意。定义的值是:none、login、consent、select\_account|
|---|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
下面的示例展示了如何使用`DefaultServerOAuth2AuthorizationRequestResolver`配置`Consumer`,该配置通过包括请求参数`oauth2Login()`来定制`oauth2Login()`的授权请求。
爪哇
```
@EnableWebFluxSecurity
public class OAuth2LoginSecurityConfig {
@Autowired
private ReactiveClientRegistrationRepository clientRegistrationRepository;
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
http
.authorizeExchange(authorize -> authorize
.anyExchange().authenticated()
)
.oauth2Login(oauth2 -> oauth2
.authorizationRequestResolver(
authorizationRequestResolver(this.clientRegistrationRepository)
)
);
return http.build();
}
private ServerOAuth2AuthorizationRequestResolver authorizationRequestResolver(
ReactiveClientRegistrationRepository clientRegistrationRepository) {
DefaultServerOAuth2AuthorizationRequestResolver authorizationRequestResolver =
new DefaultServerOAuth2AuthorizationRequestResolver(
clientRegistrationRepository);
authorizationRequestResolver.setAuthorizationRequestCustomizer(
authorizationRequestCustomizer());
return authorizationRequestResolver;
}
private Consumer authorizationRequestCustomizer() {
return customizer -> customizer
.additionalParameters(params -> params.put("prompt", "consent"));
}
}
```
Kotlin
```
@EnableWebFluxSecurity
class SecurityConfig {
@Autowired
private lateinit var customClientRegistrationRepository: ReactiveClientRegistrationRepository
@Bean
fun securityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
return http {
authorizeExchange {
authorize(anyExchange, authenticated)
}
oauth2Login {
authorizationRequestResolver = authorizationRequestResolver(customClientRegistrationRepository)
}
}
}
private fun authorizationRequestResolver(
clientRegistrationRepository: ReactiveClientRegistrationRepository): ServerOAuth2AuthorizationRequestResolver {
val authorizationRequestResolver = DefaultServerOAuth2AuthorizationRequestResolver(
clientRegistrationRepository)
authorizationRequestResolver.setAuthorizationRequestCustomizer(
authorizationRequestCustomizer())
return authorizationRequestResolver
}
private fun authorizationRequestCustomizer(): Consumer {
return Consumer { customizer ->
customizer
.additionalParameters { params -> params["prompt"] = "consent" }
}
}
}
```
对于简单的用例,如果附加的请求参数对于特定的提供者总是相同的,那么可以直接在`authorization-uri`属性中添加它。
例如,如果请求参数`prompt`的值对于提供程序`okta`总是`consent`,那么只需配置如下:
```
spring:
security:
oauth2:
client:
provider:
okta:
authorization-uri: https://dev-1234.oktapreview.com/oauth2/v1/authorize?prompt=consent
```
前面的示例展示了在标准参数之上添加一个自定义参数的常见用例。或者,如果你的需求更高级,那么你可以通过简单地覆盖`OAuth2AuthorizationRequest.authorizationRequestUri`属性来完全控制构建授权请求 URI。
| |`OAuth2AuthorizationRequest.Builder.build()`构造`OAuth2AuthorizationRequest.authorizationRequestUri`,它表示授权请求 URI,包括使用`application/x-www-form-urlencoded`格式的所有查询参数。|
|---|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
下面的示例显示了与前面的示例不同的`authorizationRequestCustomizer()`,并覆盖了`OAuth2AuthorizationRequest.authorizationRequestUri`属性。
爪哇
```
private Consumer authorizationRequestCustomizer() {
return customizer -> customizer
.authorizationRequestUri(uriBuilder -> uriBuilder
.queryParam("prompt", "consent").build());
}
```
Kotlin
```
private fun authorizationRequestCustomizer(): Consumer {
return Consumer { customizer: OAuth2AuthorizationRequest.Builder ->
customizer
.authorizationRequestUri { uriBuilder: UriBuilder ->
uriBuilder
.queryParam("prompt", "consent").build()
}
}
}
```
### 存储授权请求
从发起授权请求到接收授权响应(回调),`ServerAuthorizationRequestRepository`负责`OAuth2AuthorizationRequest`的持久性。
| |`OAuth2AuthorizationRequest`用于关联和验证授权响应。|
|---|----------------------------------------------------------------------------------------------|
`ServerAuthorizationRequestRepository`的默认实现是`WebSessionOAuth2ServerAuthorizationRequestRepository`,它将`OAuth2AuthorizationRequest`存储在`WebSession`中。
如果你有`ServerAuthorizationRequestRepository`的自定义实现,则可以按照以下示例对其进行配置:
例 1。ServerAuthorizationRequestRepository 配置
爪哇
```
@EnableWebFluxSecurity
public class OAuth2ClientSecurityConfig {
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
http
.oauth2Client(oauth2 -> oauth2
.authorizationRequestRepository(this.authorizationRequestRepository())
...
);
return http.build();
}
}
```
Kotlin
```
@EnableWebFluxSecurity
class OAuth2ClientSecurityConfig {
@Bean
fun securityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
return http {
oauth2Client {
authorizationRequestRepository = authorizationRequestRepository()
}
}
}
}
```
### 请求访问令牌
| |请参阅[访问令牌请求/响应](https://tools.ietf.org/html/rfc6749#section-4.1.3)协议流以获得授权代码授权。|
|---|------------------------------------------------------------------------------------------------------------------------------------------------------|
对于授权代码授予,`ReactiveOAuth2AccessTokenResponseClient`的默认实现是`WebClientReactiveAuthorizationCodeTokenResponseClient`,它使用`WebClient`在授权服务器的令牌端点将授权代码交换为访问令牌。
`WebClientReactiveAuthorizationCodeTokenResponseClient`非常灵活,因为它允许你定制令牌请求的预处理和/或令牌响应的后处理。
### 自定义访问令牌请求
如果需要定制令牌请求的预处理,则可以提供带有自定义`WebClientReactiveAuthorizationCodeTokenResponseClient.setParametersConverter()`的`Converter>`。默认实现构建一个`MultiValueMap`,该实现仅包含用于构造请求的标准[OAuth2.0 访问令牌请求](https://tools.ietf.org/html/rfc6749#section-4.1.3)的`grant_type`参数。授权代码授权所需的其他参数由`WebClientReactiveAuthorizationCodeTokenResponseClient`直接添加到请求主体中。但是,提供一个自定义`Converter`,将允许你扩展标准令牌请求并添加自定义参数。
| |如果你只喜欢添加额外的参数,那么可以使用自定义的`Converter>`为`WebClientReactiveAuthorizationCodeTokenResponseClient.addParametersConverter()`提供`Converter>`,它构造一个聚合`Converter`。|
|---|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| |自定义`Converter`必须返回 OAuth2.0 访问令牌请求的有效参数,该请求被预期的 OAuth2.0 提供程序理解。|
|---|-----------------------------------------------------------------------------------------------------------------------------------------------|
### 自定义访问令牌响应
另一方面,如果需要自定义令牌响应的后处理,则需要为`WebClientReactiveAuthorizationCodeTokenResponseClient.setBodyExtractor()`提供自定义配置的`BodyExtractor, ReactiveHttpInputMessage>`,该配置用于将 OAuth2.0 访问令牌响应转换为`OAuth2AccessTokenResponse`。由`OAuth2BodyExtractors.oauth2AccessTokenResponse()`提供的默认实现解析响应并相应地处理错误。
### 自定义`WebClient`
或者,如果你的需求更高级,那么你可以通过简单地提供`WebClientReactiveAuthorizationCodeTokenResponseClient.setWebClient()`和自定义配置的`WebClient`来完全控制请求/响应。
无论你是自定义`WebClientReactiveAuthorizationCodeTokenResponseClient`还是提供你自己的`ReactiveOAuth2AccessTokenResponseClient`实现,你都需要对其进行配置,如以下示例所示:
例 2。访问令牌响应配置
爪哇
```
@EnableWebFluxSecurity
public class OAuth2ClientSecurityConfig {
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
http
.oauth2Client(oauth2 -> oauth2
.authenticationManager(this.authorizationCodeAuthenticationManager())
...
);
return http.build();
}
private ReactiveAuthenticationManager authorizationCodeAuthenticationManager() {
WebClientReactiveAuthorizationCodeTokenResponseClient accessTokenResponseClient =
new WebClientReactiveAuthorizationCodeTokenResponseClient();
...
return new OAuth2AuthorizationCodeReactiveAuthenticationManager(accessTokenResponseClient);
}
}
```
Kotlin
```
@EnableWebFluxSecurity
class OAuth2ClientSecurityConfig {
@Bean
fun securityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
return http {
oauth2Client {
authenticationManager = authorizationCodeAuthenticationManager()
}
}
}
private fun authorizationCodeAuthenticationManager(): ReactiveAuthenticationManager {
val accessTokenResponseClient = WebClientReactiveAuthorizationCodeTokenResponseClient()
...
return OAuth2AuthorizationCodeReactiveAuthenticationManager(accessTokenResponseClient)
}
}
```
## 刷新令牌
| |有关[刷新令牌](https://tools.ietf.org/html/rfc6749#section-1.5)的更多详细信息,请参阅 OAuth2.0 授权框架。|
|---|--------------------------------------------------------------------------------------------------------------------------------------------------|
### 刷新访问令牌
| |请参阅[访问令牌请求/响应](https://tools.ietf.org/html/rfc6749#section-6)协议流以获取刷新令牌授权。|
|---|---------------------------------------------------------------------------------------------------------------------------------------------|
用于刷新令牌授权的`ReactiveOAuth2AccessTokenResponseClient`的默认实现是`WebClientReactiveRefreshTokenTokenResponseClient`,当在授权服务器的令牌端点刷新访问令牌时,它使用`WebClient`。
`WebClientReactiveRefreshTokenTokenResponseClient`非常灵活,因为它允许你定制令牌请求的预处理和/或令牌响应的后处理。
### 自定义访问令牌请求
如果需要定制令牌请求的预处理,则可以提供带有自定义`WebClientReactiveRefreshTokenTokenResponseClient.setParametersConverter()`的`Converter>`。默认实现构建一个`MultiValueMap`,其中只包含用于构造请求的标准[OAuth2.0 访问令牌请求](https://tools.ietf.org/html/rfc6749#section-6)的`grant_type`参数。刷新令牌授权所需的其他参数由`WebClientReactiveRefreshTokenTokenResponseClient`直接添加到请求主体中。但是,提供一个自定义`Converter`,将允许你扩展标准令牌请求并添加自定义参数。
| |如果你只喜欢添加额外的参数,那么你可以使用自定义的`WebClientReactiveRefreshTokenTokenResponseClient.addParametersConverter()`提供`Converter>`,它构造一个聚合`Converter`。|
|---|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| |自定义`Converter`必须返回 OAuth2.0 访问令牌请求的有效参数,该请求被预期的 OAuth2.0 提供程序理解。|
|---|-----------------------------------------------------------------------------------------------------------------------------------------------|
### 自定义访问令牌响应
另一方面,如果需要自定义令牌响应的后处理,则需要为`WebClientReactiveRefreshTokenTokenResponseClient.setBodyExtractor()`提供自定义配置的`BodyExtractor, ReactiveHttpInputMessage>`,该配置用于将 OAuth2.0 访问令牌响应转换为`OAuth2AccessTokenResponse`。`OAuth2BodyExtractors.oauth2AccessTokenResponse()`提供的默认实现解析响应并相应地处理错误。
### 自定义`WebClient`
或者,如果你的需求更高级,那么你可以通过简单地提供`WebClientReactiveRefreshTokenTokenResponseClient.setWebClient()`和自定义配置的`WebClient`来完全控制请求/响应。
无论你是自定义`WebClientReactiveRefreshTokenTokenResponseClient`还是提供你自己的`ReactiveOAuth2AccessTokenResponseClient`实现,你都需要对其进行配置,如以下示例所示:
例 3。访问令牌响应配置
爪哇
```
// Customize
ReactiveOAuth2AccessTokenResponseClient refreshTokenTokenResponseClient = ...
ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.authorizationCode()
.refreshToken(configurer -> configurer.accessTokenResponseClient(refreshTokenTokenResponseClient))
.build();
...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
```
Kotlin
```
// Customize
val refreshTokenTokenResponseClient: ReactiveOAuth2AccessTokenResponseClient = ...
val authorizedClientProvider: ReactiveOAuth2AuthorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.authorizationCode()
.refreshToken { it.accessTokenResponseClient(refreshTokenTokenResponseClient) }
.build()
...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
```
| |`ReactiveOAuth2AuthorizedClientProviderBuilder.builder().refreshToken()`配置`RefreshTokenReactiveOAuth2AuthorizedClientProvider`,
,这是用于刷新令牌授权的`ReactiveOAuth2AuthorizedClientProvider`的实现。|
|---|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
`OAuth2RefreshToken`可选地在用于`authorization_code`和`password`授予类型的访问令牌响应中返回。如果`OAuth2AuthorizedClient.getRefreshToken()`可用,而`OAuth2AuthorizedClient.getAccessToken()`过期,则`RefreshTokenReactiveOAuth2AuthorizedClientProvider`将自动刷新。
## 客户凭据
| |有关[客户凭据](https://tools.ietf.org/html/rfc6749#section-1.3.4)授权的更多详细信息,请参阅 OAuth2.0 授权框架。|
|---|---------------------------------------------------------------------------------------------------------------------------------------------------------------|
### 请求访问令牌
| |请参阅[访问令牌请求/响应](https://tools.ietf.org/html/rfc6749#section-4.4.2)协议流以获取客户端凭据授权。|
|---|------------------------------------------------------------------------------------------------------------------------------------------------------|
对于客户端凭据授予,`ReactiveOAuth2AccessTokenResponseClient`的默认实现是`WebClientReactiveClientCredentialsTokenResponseClient`,当在授权服务器的令牌端点请求访问令牌时,它使用`WebClient`。
`WebClientReactiveClientCredentialsTokenResponseClient`非常灵活,因为它允许你定制令牌请求的预处理和/或令牌响应的后处理。
### 自定义访问令牌请求
如果需要定制令牌请求的预处理,则可以提供带有自定义`WebClientReactiveClientCredentialsTokenResponseClient.setParametersConverter()`的`Converter>`。默认实现构建一个`MultiValueMap`,该实现仅包含用于构造请求的标准[OAuth2.0 访问令牌请求](https://tools.ietf.org/html/rfc6749#section-4.4.2)的`grant_type`参数。由`WebClientReactiveClientCredentialsTokenResponseClient`直接将客户机凭据授权所需的其他参数添加到请求主体中。但是,提供一个自定义`Converter`,将允许你扩展标准令牌请求并添加自定义参数。
| |如果你只喜欢添加额外的参数,那么可以使用自定义的`Converter>`为`WebClientReactiveClientCredentialsTokenResponseClient.addParametersConverter()`提供`Converter>`,它构造一个聚合`Converter`。|
|---|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| |自定义`Converter`必须返回 OAuth2.0 访问令牌请求的有效参数,该请求被预期的 OAuth2.0 提供程序理解。|
|---|-----------------------------------------------------------------------------------------------------------------------------------------------|
### 自定义访问令牌响应
另一方面,如果需要自定义令牌响应的后处理,则需要为`WebClientReactiveClientCredentialsTokenResponseClient.setBodyExtractor()`提供自定义配置的`BodyExtractor, ReactiveHttpInputMessage>`,该配置用于将 OAuth2.0 访问令牌响应转换为`OAuth2AccessTokenResponse`。由`OAuth2BodyExtractors.oauth2AccessTokenResponse()`提供的默认实现解析响应并相应地处理错误。
### 自定义`WebClient`
或者,如果你的需求更高级,你可以通过简单地提供`WebClientReactiveClientCredentialsTokenResponseClient.setWebClient()`和自定义配置的`WebClient`来完全控制请求/响应。
无论你是自定义`WebClientReactiveClientCredentialsTokenResponseClient`还是提供你自己的`ReactiveOAuth2AccessTokenResponseClient`实现,你都需要对其进行配置,如以下示例所示:
爪哇
```
// Customize
ReactiveOAuth2AccessTokenResponseClient clientCredentialsTokenResponseClient = ...
ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.clientCredentials(configurer -> configurer.accessTokenResponseClient(clientCredentialsTokenResponseClient))
.build();
...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
```
Kotlin
```
// Customize
val clientCredentialsTokenResponseClient: ReactiveOAuth2AccessTokenResponseClient = ...
val authorizedClientProvider: ReactiveOAuth2AuthorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.clientCredentials { it.accessTokenResponseClient(clientCredentialsTokenResponseClient) }
.build()
...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
```
| |`ReactiveOAuth2AuthorizedClientProviderBuilder.builder().clientCredentials()`配置`ClientCredentialsReactiveOAuth2AuthorizedClientProvider`,
,这是用于客户端凭据授权的`ReactiveOAuth2AuthorizedClientProvider`的实现。|
|---|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
### 使用访问令牌
给出了用于 OAuth2.0 客户端注册的以下 Boot2.x 属性:
```
spring:
security:
oauth2:
client:
registration:
okta:
client-id: okta-client-id
client-secret: okta-client-secret
authorization-grant-type: client_credentials
scope: read, write
provider:
okta:
token-uri: https://dev-1234.oktapreview.com/oauth2/v1/token
```
…和`ReactiveOAuth2AuthorizedClientManager``@Bean`:
爪哇
```
@Bean
public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
ReactiveClientRegistrationRepository clientRegistrationRepository,
ServerOAuth2AuthorizedClientRepository authorizedClientRepository) {
ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.clientCredentials()
.build();
DefaultReactiveOAuth2AuthorizedClientManager authorizedClientManager =
new DefaultReactiveOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository);
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
return authorizedClientManager;
}
```
Kotlin
```
@Bean
fun authorizedClientManager(
clientRegistrationRepository: ReactiveClientRegistrationRepository,
authorizedClientRepository: ServerOAuth2AuthorizedClientRepository): ReactiveOAuth2AuthorizedClientManager {
val authorizedClientProvider: ReactiveOAuth2AuthorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.clientCredentials()
.build()
val authorizedClientManager = DefaultReactiveOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository)
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
return authorizedClientManager
}
```
你可以按以下方式获得`OAuth2AccessToken`:
爪哇
```
@Controller
public class OAuth2ClientController {
@Autowired
private ReactiveOAuth2AuthorizedClientManager authorizedClientManager;
@GetMapping("/")
public Mono index(Authentication authentication, ServerWebExchange exchange) {
OAuth2AuthorizeRequest authorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
.principal(authentication)
.attribute(ServerWebExchange.class.getName(), exchange)
.build();
return this.authorizedClientManager.authorize(authorizeRequest)
.map(OAuth2AuthorizedClient::getAccessToken)
...
.thenReturn("index");
}
}
```
Kotlin
```
class OAuth2ClientController {
@Autowired
private lateinit var authorizedClientManager: ReactiveOAuth2AuthorizedClientManager
@GetMapping("/")
fun index(authentication: Authentication, exchange: ServerWebExchange): Mono {
val authorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
.principal(authentication)
.attribute(ServerWebExchange::class.java.name, exchange)
.build()
return authorizedClientManager.authorize(authorizeRequest)
.map { it.accessToken }
...
.thenReturn("index")
}
}
```
| |`ServerWebExchange`是一个可选属性。
如果不提供,它将通过[反应堆的背景](https://projectreactor.io/docs/core/release/reference/#context)键从`ServerWebExchange.class`获得。|
|---|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
## 资源所有者密码凭据
| |有关[资源所有者密码凭据](https://tools.ietf.org/html/rfc6749#section-1.3.3)授权的更多详细信息,请参阅 OAuth2.0 授权框架。|
|---|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
### 请求访问令牌
| |请参阅[访问令牌请求/响应](https://tools.ietf.org/html/rfc6749#section-4.3.2)协议流以获取资源所有者密码凭据授权。|
|---|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------|
对于资源所有者密码凭据授予,`ReactiveOAuth2AccessTokenResponseClient`的默认实现是`WebClientReactivePasswordTokenResponseClient`,当在授权服务器的令牌端点请求访问令牌时,它使用`WebClient`。
`WebClientReactivePasswordTokenResponseClient`非常灵活,因为它允许你定制令牌请求的预处理和/或令牌响应的后处理。
### 自定义访问令牌请求
如果需要对令牌请求的预处理进行自定义,则可以提供带有自定义`WebClientReactivePasswordTokenResponseClient.setParametersConverter()`的`Converter>`。默认的实现构建一个`MultiValueMap`,其中只包含用于构造请求的标准[OAuth2.0 访问令牌请求](https://tools.ietf.org/html/rfc6749#section-4.4.2)的`grant_type`参数。通过`WebClientReactivePasswordTokenResponseClient`将资源所有者密码凭据授予所需的其他参数直接添加到请求的主体中。但是,提供一个自定义`Converter`,将允许你扩展标准令牌请求并添加自定义参数。
| |如果你只喜欢添加额外的参数,那么你可以使用自定义的`WebClientReactivePasswordTokenResponseClient.addParametersConverter()`提供`Converter>`,它构造一个聚合`Converter`。|
|---|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| |自定义`Converter`必须返回 OAuth2.0 访问令牌请求的有效参数,该请求被预期的 OAuth2.0 提供程序理解。|
|---|-----------------------------------------------------------------------------------------------------------------------------------------------|
### 自定义访问令牌响应
另一方面,如果需要自定义令牌响应的后处理,则需要为`WebClientReactivePasswordTokenResponseClient.setBodyExtractor()`提供自定义配置的`BodyExtractor, ReactiveHttpInputMessage>`,该配置用于将 OAuth2.0 访问令牌响应转换为`OAuth2AccessTokenResponse`。由`OAuth2BodyExtractors.oauth2AccessTokenResponse()`提供的默认实现解析响应并相应地处理错误。
### 自定义`WebClient`
或者,如果你的需求更高级,你可以通过简单地提供`WebClientReactivePasswordTokenResponseClient.setWebClient()`和自定义配置的`WebClient`来完全控制请求/响应。
无论你是自定义`WebClientReactivePasswordTokenResponseClient`还是提供你自己的`ReactiveOAuth2AccessTokenResponseClient`实现,你都需要对其进行配置,如以下示例所示:
爪哇
```
// Customize
ReactiveOAuth2AccessTokenResponseClient passwordTokenResponseClient = ...
ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.password(configurer -> configurer.accessTokenResponseClient(passwordTokenResponseClient))
.refreshToken()
.build();
...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
```
Kotlin
```
val passwordTokenResponseClient: ReactiveOAuth2AccessTokenResponseClient = ...
val authorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.password { it.accessTokenResponseClient(passwordTokenResponseClient) }
.refreshToken()
.build()
...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
```
| |`ReactiveOAuth2AuthorizedClientProviderBuilder.builder().password()`配置`PasswordReactiveOAuth2AuthorizedClientProvider`,
,这是用于资源所有者密码凭据授予的`ReactiveOAuth2AuthorizedClientProvider`的实现。|
|---|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
### 使用访问令牌
给出了用于 OAuth2.0 客户端注册的以下 Boot2.x 属性:
```
spring:
security:
oauth2:
client:
registration:
okta:
client-id: okta-client-id
client-secret: okta-client-secret
authorization-grant-type: password
scope: read, write
provider:
okta:
token-uri: https://dev-1234.oktapreview.com/oauth2/v1/token
```
…和`ReactiveOAuth2AuthorizedClientManager``@Bean`:
爪哇
```
@Bean
public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
ReactiveClientRegistrationRepository clientRegistrationRepository,
ServerOAuth2AuthorizedClientRepository authorizedClientRepository) {
ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.password()
.refreshToken()
.build();
DefaultReactiveOAuth2AuthorizedClientManager authorizedClientManager =
new DefaultReactiveOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository);
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
// Assuming the `username` and `password` are supplied as `ServerHttpRequest` parameters,
// map the `ServerHttpRequest` parameters to `OAuth2AuthorizationContext.getAttributes()`
authorizedClientManager.setContextAttributesMapper(contextAttributesMapper());
return authorizedClientManager;
}
private Function>> contextAttributesMapper() {
return authorizeRequest -> {
Map contextAttributes = Collections.emptyMap();
ServerWebExchange exchange = authorizeRequest.getAttribute(ServerWebExchange.class.getName());
ServerHttpRequest request = exchange.getRequest();
String username = request.getQueryParams().getFirst(OAuth2ParameterNames.USERNAME);
String password = request.getQueryParams().getFirst(OAuth2ParameterNames.PASSWORD);
if (StringUtils.hasText(username) && StringUtils.hasText(password)) {
contextAttributes = new HashMap<>();
// `PasswordReactiveOAuth2AuthorizedClientProvider` requires both attributes
contextAttributes.put(OAuth2AuthorizationContext.USERNAME_ATTRIBUTE_NAME, username);
contextAttributes.put(OAuth2AuthorizationContext.PASSWORD_ATTRIBUTE_NAME, password);
}
return Mono.just(contextAttributes);
};
}
```
Kotlin
```
@Bean
fun authorizedClientManager(
clientRegistrationRepository: ReactiveClientRegistrationRepository,
authorizedClientRepository: ServerOAuth2AuthorizedClientRepository): ReactiveOAuth2AuthorizedClientManager {
val authorizedClientProvider: ReactiveOAuth2AuthorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.password()
.refreshToken()
.build()
val authorizedClientManager = DefaultReactiveOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository)
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
// Assuming the `username` and `password` are supplied as `ServerHttpRequest` parameters,
// map the `ServerHttpRequest` parameters to `OAuth2AuthorizationContext.getAttributes()`
authorizedClientManager.setContextAttributesMapper(contextAttributesMapper())
return authorizedClientManager
}
private fun contextAttributesMapper(): Function>> {
return Function { authorizeRequest ->
var contextAttributes: MutableMap = mutableMapOf()
val exchange: ServerWebExchange = authorizeRequest.getAttribute(ServerWebExchange::class.java.name)!!
val request: ServerHttpRequest = exchange.request
val username: String? = request.queryParams.getFirst(OAuth2ParameterNames.USERNAME)
val password: String? = request.queryParams.getFirst(OAuth2ParameterNames.PASSWORD)
if (StringUtils.hasText(username) && StringUtils.hasText(password)) {
contextAttributes = hashMapOf()
// `PasswordReactiveOAuth2AuthorizedClientProvider` requires both attributes
contextAttributes[OAuth2AuthorizationContext.USERNAME_ATTRIBUTE_NAME] = username!!
contextAttributes[OAuth2AuthorizationContext.PASSWORD_ATTRIBUTE_NAME] = password!!
}
Mono.just(contextAttributes)
}
}
```
你可以按以下方式获得`OAuth2AccessToken`:
爪哇
```
@Controller
public class OAuth2ClientController {
@Autowired
private ReactiveOAuth2AuthorizedClientManager authorizedClientManager;
@GetMapping("/")
public Mono index(Authentication authentication, ServerWebExchange exchange) {
OAuth2AuthorizeRequest authorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
.principal(authentication)
.attribute(ServerWebExchange.class.getName(), exchange)
.build();
return this.authorizedClientManager.authorize(authorizeRequest)
.map(OAuth2AuthorizedClient::getAccessToken)
...
.thenReturn("index");
}
}
```
Kotlin
```
@Controller
class OAuth2ClientController {
@Autowired
private lateinit var authorizedClientManager: ReactiveOAuth2AuthorizedClientManager
@GetMapping("/")
fun index(authentication: Authentication, exchange: ServerWebExchange): Mono {
val authorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
.principal(authentication)
.attribute(ServerWebExchange::class.java.name, exchange)
.build()
return authorizedClientManager.authorize(authorizeRequest)
.map { it.accessToken }
...
.thenReturn("index")
}
}
```
| |`ServerWebExchange`是一个可选属性。
如果不提供,它将通过[反应堆的背景](https://projectreactor.io/docs/core/release/reference/#context)键从`ServerWebExchange.class`获得。|
|---|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
## JWT 持有人
| |有关[JWT Bearer](https://datatracker.ietf.org/doc/html/rfc7523)授权的更多详细信息,请参考 JSON Web Token 配置文件的 OAuth2.0 客户端身份验证和授权授权。|
|---|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
### 请求访问令牌
| |请参阅[访问令牌请求/响应](https://datatracker.ietf.org/doc/html/rfc7523#section-2.1)协议流以获取 JWT 承载授权。|
|---|------------------------------------------------------------------------------------------------------------------------------------------------------|
对于 JWT 承载授权,`ReactiveOAuth2AccessTokenResponseClient`的默认实现是`WebClientReactiveJwtBearerTokenResponseClient`,当在授权服务器的令牌端点请求访问令牌时,它使用`WebClient`。
`WebClientReactiveJwtBearerTokenResponseClient`非常灵活,因为它允许你定制令牌请求的预处理和/或令牌响应的后处理。
### 自定义访问令牌请求
如果需要对令牌请求的预处理进行自定义,则可以提供带有自定义`WebClientReactiveJwtBearerTokenResponseClient.setParametersConverter()`的`Converter>`。默认的实现构建一个`MultiValueMap`,其中只包含用于构造请求的标准[OAuth2.0 访问令牌请求](https://tools.ietf.org/html/rfc6749#section-4.4.2)的`grant_type`参数。JWT 承载授权所需的其他参数由`WebClientReactiveJwtBearerTokenResponseClient`直接添加到请求的主体中。但是,提供一个自定义`Converter`,将允许你扩展标准令牌请求并添加自定义参数。
| |如果你只喜欢添加额外的参数,那么可以使用自定义的`Converter>`为`WebClientReactiveJwtBearerTokenResponseClient.addParametersConverter()`提供`Converter>`,它构造一个聚合`Converter`。|
|---|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| |自定义`Converter`必须返回 OAuth2.0 访问令牌请求的有效参数,该请求被预期的 OAuth2.0 提供程序理解。|
|---|-----------------------------------------------------------------------------------------------------------------------------------------------|
### 自定义访问令牌响应
另一方面,如果需要自定义令牌响应的后处理,则需要为`WebClientReactiveJwtBearerTokenResponseClient.setBodyExtractor()`提供自定义配置的`BodyExtractor, ReactiveHttpInputMessage>`,该配置用于将 OAuth2.0 访问令牌响应转换为`OAuth2AccessTokenResponse`。由`OAuth2BodyExtractors.oauth2AccessTokenResponse()`提供的默认实现解析响应并相应地处理错误。
### 自定义`WebClient`
或者,如果你的需求更高级,你可以通过简单地提供`WebClientReactiveJwtBearerTokenResponseClient.setWebClient()`和自定义配置的`WebClient`来完全控制请求/响应。
无论你是自定义`WebClientReactiveJwtBearerTokenResponseClient`还是提供你自己的`ReactiveOAuth2AccessTokenResponseClient`实现,你都需要对其进行配置,如以下示例所示:
爪哇
```
// Customize
ReactiveOAuth2AccessTokenResponseClient jwtBearerTokenResponseClient = ...
JwtBearerReactiveOAuth2AuthorizedClientProvider jwtBearerAuthorizedClientProvider = new JwtBearerReactiveOAuth2AuthorizedClientProvider();
jwtBearerAuthorizedClientProvider.setAccessTokenResponseClient(jwtBearerTokenResponseClient);
ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.provider(jwtBearerAuthorizedClientProvider)
.build();
...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
```
Kotlin
```
// Customize
val jwtBearerTokenResponseClient: ReactiveOAuth2AccessTokenResponseClient = ...
val jwtBearerAuthorizedClientProvider = JwtBearerReactiveOAuth2AuthorizedClientProvider()
jwtBearerAuthorizedClientProvider.setAccessTokenResponseClient(jwtBearerTokenResponseClient)
val authorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.provider(jwtBearerAuthorizedClientProvider)
.build()
...
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
```
### 使用访问令牌
给出了用于 OAuth2.0 客户端注册的以下 Spring Boot2.x 属性:
```
spring:
security:
oauth2:
client:
registration:
okta:
client-id: okta-client-id
client-secret: okta-client-secret
authorization-grant-type: urn:ietf:params:oauth:grant-type:jwt-bearer
scope: read
provider:
okta:
token-uri: https://dev-1234.oktapreview.com/oauth2/v1/token
```
…和`OAuth2AuthorizedClientManager``@Bean`:
爪哇
```
@Bean
public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
ReactiveClientRegistrationRepository clientRegistrationRepository,
ServerOAuth2AuthorizedClientRepository authorizedClientRepository) {
JwtBearerReactiveOAuth2AuthorizedClientProvider jwtBearerAuthorizedClientProvider =
new JwtBearerReactiveOAuth2AuthorizedClientProvider();
ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.provider(jwtBearerAuthorizedClientProvider)
.build();
DefaultReactiveOAuth2AuthorizedClientManager authorizedClientManager =
new DefaultReactiveOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository);
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
return authorizedClientManager;
}
```
Kotlin
```
@Bean
fun authorizedClientManager(
clientRegistrationRepository: ReactiveClientRegistrationRepository,
authorizedClientRepository: ServerOAuth2AuthorizedClientRepository): ReactiveOAuth2AuthorizedClientManager {
val jwtBearerAuthorizedClientProvider = JwtBearerReactiveOAuth2AuthorizedClientProvider()
val authorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.provider(jwtBearerAuthorizedClientProvider)
.build()
val authorizedClientManager = DefaultReactiveOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientRepository)
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
return authorizedClientManager
}
```
你可以按以下方式获得`OAuth2AccessToken`:
爪哇
```
@RestController
public class OAuth2ResourceServerController {
@Autowired
private ReactiveOAuth2AuthorizedClientManager authorizedClientManager;
@GetMapping("/resource")
public Mono resource(JwtAuthenticationToken jwtAuthentication, ServerWebExchange exchange) {
OAuth2AuthorizeRequest authorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
.principal(jwtAuthentication)
.build();
return this.authorizedClientManager.authorize(authorizeRequest)
.map(OAuth2AuthorizedClient::getAccessToken)
...
}
}
```
Kotlin
```
class OAuth2ResourceServerController {
@Autowired
private lateinit var authorizedClientManager: ReactiveOAuth2AuthorizedClientManager
@GetMapping("/resource")
fun resource(jwtAuthentication: JwtAuthenticationToken, exchange: ServerWebExchange): Mono {
val authorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
.principal(jwtAuthentication)
.build()
return authorizedClientManager.authorize(authorizeRequest)
.map { it.accessToken }
...
}
}
```
[核心接口和类](core.html)[OAuth2 客户端身份验证](client-authentication.html)