# 授权客户功能 ## 解决授权客户 `@RegisteredOAuth2AuthorizedClient`注释提供了将方法参数解析为`OAuth2AuthorizedClient`类型的参数值的功能。与使用`OAuth2AuthorizedClientManager`或`OAuth2AuthorizedClientService`访问`OAuth2AuthorizedClient`相比,这是一种方便的替代方法。 Java ``` @Controller public class OAuth2ClientController { @GetMapping("/") public String index(@RegisteredOAuth2AuthorizedClient("okta") OAuth2AuthorizedClient authorizedClient) { OAuth2AccessToken accessToken = authorizedClient.getAccessToken(); ... return "index"; } } ``` Kotlin ``` @Controller class OAuth2ClientController { @GetMapping("/") fun index(@RegisteredOAuth2AuthorizedClient("okta") authorizedClient: OAuth2AuthorizedClient): String { val accessToken = authorizedClient.accessToken ... return "index" } } ``` `@RegisteredOAuth2AuthorizedClient`注释由`OAuth2AuthorizedClientArgumentResolver`处理,它直接使用[`OAuth2AuthorizedClientManager`](core.html#oAuth2client-authorized-manager-provider),因此继承了它的功能。 ## 用于 Servlet 环境的WebClient集成 OAuth2.0客户端支持使用`ExchangeFilterFunction`与`WebClient`集成。 `ServletOAuth2AuthorizedClientExchangeFilterFunction`提供了一种简单的机制,通过使用`OAuth2AuthorizedClient`请求受保护的资源,并将相关的`OAuth2AccessToken`作为承载令牌。它直接使用[`OAuth2AuthorizedClientManager`](core.html#OAuth2client-authorized-manager-provider),因此继承了以下功能: * 如果客户端尚未获得授权,则将请求`OAuth2AccessToken`。 * `authorization_code`-触发授权请求重定向以初始化流 * `client_credentials`-访问令牌是直接从令牌端点获得的 * `password`-访问令牌是直接从令牌端点获得的 * 如果`OAuth2AccessToken`过期,如果`OAuth2AuthorizedClientProvider`可用于执行授权,则将刷新(或更新)该权限 下面的代码展示了如何使用OAuth2.0客户端支持配置`WebClient`的示例: Java ``` @Bean WebClient webClient(OAuth2AuthorizedClientManager authorizedClientManager) { ServletOAuth2AuthorizedClientExchangeFilterFunction oauth2Client = new ServletOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager); return WebClient.builder() .apply(oauth2Client.oauth2Configuration()) .build(); } ``` Kotlin ``` @Bean fun webClient(authorizedClientManager: OAuth2AuthorizedClientManager?): WebClient { val oauth2Client = ServletOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager) return WebClient.builder() .apply(oauth2Client.oauth2Configuration()) .build() } ``` ### 提供授权客户 通过解析`ClientRequest.attributes()`(请求属性)中的`OAuth2AuthorizedClient`,`ServletOAuth2AuthorizedClientExchangeFilterFunction`确定要使用的客户机(用于请求)。 下面的代码展示了如何将`OAuth2AuthorizedClient`设置为请求属性: Java ``` @GetMapping("/") public String index(@RegisteredOAuth2AuthorizedClient("okta") OAuth2AuthorizedClient authorizedClient) { String resourceUri = ... String body = webClient .get() .uri(resourceUri) .attributes(oauth2AuthorizedClient(authorizedClient)) (1) .retrieve() .bodyToMono(String.class) .block(); ... return "index"; } ``` Kotlin ``` @GetMapping("/") fun index(@RegisteredOAuth2AuthorizedClient("okta") authorizedClient: OAuth2AuthorizedClient): String { val resourceUri: String = ... val body: String = webClient .get() .uri(resourceUri) .attributes(oauth2AuthorizedClient(authorizedClient)) (1) .retrieve() .bodyToMono() .block() ... return "index" } ``` |**1**|`oauth2AuthorizedClient()`是`static`中的一个`static`方法。| |-----|---------------------------------------------------------------------------------------------------------| 下面的代码展示了如何将`ClientRegistration.getRegistrationId()`设置为请求属性: Java ``` @GetMapping("/") public String index() { String resourceUri = ... String body = webClient .get() .uri(resourceUri) .attributes(clientRegistrationId("okta")) (1) .retrieve() .bodyToMono(String.class) .block(); ... return "index"; } ``` Kotlin ``` @GetMapping("/") fun index(): String { val resourceUri: String = ... val body: String = webClient .get() .uri(resourceUri) .attributes(clientRegistrationId("okta")) (1) .retrieve() .bodyToMono() .block() ... return "index" } ``` |**1**|`clientRegistrationId()`是`static`中的一个`static`方法。| |-----|-------------------------------------------------------------------------------------------------------| ### 对授权客户违约 如果`OAuth2AuthorizedClient`或`ClientRegistration.getRegistrationId()`都不作为请求属性提供,则`ServletOAuth2AuthorizedClientExchangeFilterFunction`可以根据其配置来确定要使用的*默认值*客户端。 如果`setDefaultOAuth2AuthorizedClient(true)`被配置并且用户已经使用`HttpSecurity.oauth2Login()`进行了身份验证,则使用与当前`OAuth2AccessToken`关联的`OAuth2AccessToken`。 以下代码显示了具体的配置: Java ``` @Bean WebClient webClient(OAuth2AuthorizedClientManager authorizedClientManager) { ServletOAuth2AuthorizedClientExchangeFilterFunction oauth2Client = new ServletOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager); oauth2Client.setDefaultOAuth2AuthorizedClient(true); return WebClient.builder() .apply(oauth2Client.oauth2Configuration()) .build(); } ``` Kotlin ``` @Bean fun webClient(authorizedClientManager: OAuth2AuthorizedClientManager?): WebClient { val oauth2Client = ServletOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager) oauth2Client.setDefaultOAuth2AuthorizedClient(true) return WebClient.builder() .apply(oauth2Client.oauth2Configuration()) .build() } ``` | |由于所有HTTP请求都将接收访问令牌,因此建议对此功能保持谨慎。| |---|---------------------------------------------------------------------------------------------------------| 或者,如果`setDefaultClientRegistrationId("okta")`被配置为有效的`ClientRegistration`,则使用与`OAuth2AuthorizedClient`关联的`OAuth2AccessToken`。 以下代码显示了具体的配置: Java ``` @Bean WebClient webClient(OAuth2AuthorizedClientManager authorizedClientManager) { ServletOAuth2AuthorizedClientExchangeFilterFunction oauth2Client = new ServletOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager); oauth2Client.setDefaultClientRegistrationId("okta"); return WebClient.builder() .apply(oauth2Client.oauth2Configuration()) .build(); } ``` Kotlin ``` @Bean fun webClient(authorizedClientManager: OAuth2AuthorizedClientManager?): WebClient { val oauth2Client = ServletOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager) oauth2Client.setDefaultClientRegistrationId("okta") return WebClient.builder() .apply(oauth2Client.oauth2Configuration()) .build() } ``` | |由于所有HTTP请求都将接收访问令牌,因此建议对此功能保持谨慎。| |---|---------------------------------------------------------------------------------------------------------| [OAuth2客户端身份验证](client-authentication.html)[OAuth2资源服务器](../resource-server/index.html)