# 授权客户

# 解决授权客户

@RegisteredOAuth2AuthorizedClient注释提供了将方法参数解析为OAuth2AuthorizedClient类型的参数值的功能。与使用ReactiveOAuth2AuthorizedClientManagerReactiveOAuth2AuthorizedClientService访问OAuth2AuthorizedClient相比,这是一种方便的替代方法。

爪哇

@Controller
public class OAuth2ClientController {

	@GetMapping("/")
	public Mono<String> index(@RegisteredOAuth2AuthorizedClient("okta") OAuth2AuthorizedClient authorizedClient) {
		return Mono.just(authorizedClient.getAccessToken())
				...
				.thenReturn("index");
	}
}

Kotlin

@Controller
class OAuth2ClientController {
    @GetMapping("/")
    fun index(@RegisteredOAuth2AuthorizedClient("okta") authorizedClient: OAuth2AuthorizedClient): Mono<String> {
        return Mono.just(authorizedClient.accessToken)
                ...
                .thenReturn("index")
    }
}

@RegisteredOAuth2AuthorizedClient注释由OAuth2AuthorizedClientArgumentResolver处理,它直接使用reactiveoauth2authorizedclientmanager ,因此继承了它的功能。

# 用于反应性环境的 WebClient 集成

OAuth2.0 客户端支持使用ExchangeFilterFunctionWebClient集成。

ServerOAuth2AuthorizedClientExchangeFilterFunction提供了一种简单的机制,通过使用OAuth2AuthorizedClient请求受保护的资源,并将相关的OAuth2AccessToken作为承载令牌。它直接使用reactiveoauth2authorizedclientmanager ,因此继承了以下功能:

  • 如果客户端尚未获得授权,则将请求OAuth2AccessToken

    • authorization_code-触发授权请求重定向以初始化流

    • client_credentials-访问令牌是直接从令牌端点获得的

    • password-访问令牌是直接从令牌端点获得的

  • 如果OAuth2AccessToken过期,如果ReactiveOAuth2AuthorizedClientProvider可用于执行授权,则将刷新(或更新)该权限

下面的代码展示了如何使用 OAuth2.0 客户端支持配置WebClient的示例:

爪哇

@Bean
WebClient webClient(ReactiveOAuth2AuthorizedClientManager authorizedClientManager) {
	ServerOAuth2AuthorizedClientExchangeFilterFunction oauth2Client =
			new ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager);
	return WebClient.builder()
			.filter(oauth2Client)
			.build();
}

Kotlin

@Bean
fun webClient(authorizedClientManager: ReactiveOAuth2AuthorizedClientManager): WebClient {
    val oauth2Client = ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager)
    return WebClient.builder()
            .filter(oauth2Client)
            .build()
}

# 提供授权客户

通过解析ClientRequest.attributes()(请求属性)中的OAuth2AuthorizedClientServerOAuth2AuthorizedClientExchangeFilterFunction确定要使用的客户机(用于请求)。

下面的代码展示了如何将OAuth2AuthorizedClient设置为请求属性:

爪哇

@GetMapping("/")
public Mono<String> index(@RegisteredOAuth2AuthorizedClient("okta") OAuth2AuthorizedClient authorizedClient) {
	String resourceUri = ...

	return webClient
			.get()
			.uri(resourceUri)
			.attributes(oauth2AuthorizedClient(authorizedClient))   (1)
			.retrieve()
			.bodyToMono(String.class)
			...
			.thenReturn("index");
}

Kotlin

@GetMapping("/")
fun index(@RegisteredOAuth2AuthorizedClient("okta") authorizedClient: OAuth2AuthorizedClient): Mono<String> {
    val resourceUri: String = ...

    return webClient
            .get()
            .uri(resourceUri)
            .attributes(oauth2AuthorizedClient(authorizedClient)) (1)
            .retrieve()
            .bodyToMono<String>()
            ...
            .thenReturn("index")
}
1 oauth2AuthorizedClient()static中的一个static方法。

下面的代码展示了如何将ClientRegistration.getRegistrationId()设置为请求属性:

爪哇

@GetMapping("/")
public Mono<String> index() {
	String resourceUri = ...

	return webClient
			.get()
			.uri(resourceUri)
			.attributes(clientRegistrationId("okta"))   (1)
			.retrieve()
			.bodyToMono(String.class)
			...
			.thenReturn("index");
}

Kotlin

@GetMapping("/")
fun index(): Mono<String> {
    val resourceUri: String = ...

    return webClient
            .get()
            .uri(resourceUri)
            .attributes(clientRegistrationId("okta"))  (1)
            .retrieve()
            .bodyToMono<String>()
            ...
            .thenReturn("index")
}
1 clientRegistrationId()static中的一个static方法。

# 对授权客户违约

如果OAuth2AuthorizedClientClientRegistration.getRegistrationId()都不作为请求属性提供,则ServerOAuth2AuthorizedClientExchangeFilterFunction可以根据其配置来确定要使用的默认值客户端。

如果setDefaultOAuth2AuthorizedClient(true)被配置并且用户已经使用ServerHttpSecurity.oauth2Login()进行了身份验证,则使用与当前OAuth2AccessToken关联的OAuth2AccessToken

以下代码显示了具体的配置:

爪哇

@Bean
WebClient webClient(ReactiveOAuth2AuthorizedClientManager authorizedClientManager) {
	ServerOAuth2AuthorizedClientExchangeFilterFunction oauth2Client =
			new ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager);
	oauth2Client.setDefaultOAuth2AuthorizedClient(true);
	return WebClient.builder()
			.filter(oauth2Client)
			.build();
}

Kotlin

@Bean
fun webClient(authorizedClientManager: ReactiveOAuth2AuthorizedClientManager): WebClient {
    val oauth2Client = ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager)
    oauth2Client.setDefaultOAuth2AuthorizedClient(true)
    return WebClient.builder()
            .filter(oauth2Client)
            .build()
}
由于所有 HTTP 请求都将接收访问令牌,因此建议对此功能保持谨慎。

或者,如果setDefaultClientRegistrationId("okta")被配置为有效的ClientRegistration,则使用与OAuth2AuthorizedClient关联的OAuth2AccessToken

以下代码显示了具体的配置:

爪哇

@Bean
WebClient webClient(ReactiveOAuth2AuthorizedClientManager authorizedClientManager) {
	ServerOAuth2AuthorizedClientExchangeFilterFunction oauth2Client =
			new ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager);
	oauth2Client.setDefaultClientRegistrationId("okta");
	return WebClient.builder()
			.filter(oauth2Client)
			.build();
}

Kotlin

@Bean
fun webClient(authorizedClientManager: ReactiveOAuth2AuthorizedClientManager): WebClient {
    val oauth2Client = ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager)
    oauth2Client.setDefaultClientRegistrationId("okta")
    return WebClient.builder()
            .filter(oauth2Client)
            .build()
}
由于所有 HTTP 请求都将接收访问令牌,因此建议对此功能保持谨慎。

OAuth2 客户端身份验证OAuth2 资源服务器