授權許可支援

授權碼

關於 授權碼 許可的更多詳細資訊,請參閱 OAuth 2.0 授權框架。

取得授權

關於授權碼許可的 授權請求/回應 協定流程,請參閱相關說明。

初始化授權請求

OAuth2AuthorizationRequestRedirectWebFilter 使用 ServerOAuth2AuthorizationRequestResolver 來解析 OAuth2AuthorizationRequest,並透過將終端使用者的使用者代理重新導向至授權伺服器的授權端點,以啟動授權碼許可流程。

ServerOAuth2AuthorizationRequestResolver 的主要職責是從提供的網路請求中解析 OAuth2AuthorizationRequest。預設實作 DefaultServerOAuth2AuthorizationRequestResolver 會比對(預設)路徑 /oauth2/authorization/{registrationId},提取 registrationId,並使用它為相關聯的 ClientRegistration 建構 OAuth2AuthorizationRequest

假設 OAuth 2.0 用戶端註冊的 Spring Boot 屬性如下

spring:
  security:
    oauth2:
      client:
        registration:
          okta:
            client-id: okta-client-id
            client-secret: okta-client-secret
            authorization-grant-type: authorization_code
            redirect-uri: "{baseUrl}/authorized/okta"
            scope: read, write
        provider:
          okta:
            authorization-uri: https://dev-1234.oktapreview.com/oauth2/v1/authorize
            token-uri: https://dev-1234.oktapreview.com/oauth2/v1/token

具有基本路徑 /oauth2/authorization/okta 的請求將會由 OAuth2AuthorizationRequestRedirectWebFilter 啟動授權請求重新導向,並最終開始授權碼許可流程。

AuthorizationCodeReactiveOAuth2AuthorizedClientProviderReactiveOAuth2AuthorizedClientProvider 針對授權碼許可的實作,它也會由 OAuth2AuthorizationRequestRedirectWebFilter 啟動授權請求重新導向。

如果 OAuth 2.0 用戶端是 公開用戶端,則請如下組態 OAuth 2.0 用戶端註冊

spring:
  security:
    oauth2:
      client:
        registration:
          okta:
            client-id: okta-client-id
            client-authentication-method: none
            authorization-grant-type: authorization_code
            redirect-uri: "{baseUrl}/authorized/okta"
            ...

公開用戶端支援使用 程式碼交換證明金鑰 (PKCE)。如果用戶端在不受信任的環境中執行(例如,原生應用程式或基於網路瀏覽器的應用程式),因此無法維護其憑證的機密性,則在滿足以下條件時,將自動使用 PKCE

  1. 省略(或為空)client-secret

  2. client-authentication-method 設定為 "none" (ClientAuthenticationMethod.NONE)

如果 OAuth 2.0 提供者支援 機密用戶端 的 PKCE,您可以選擇性地使用 DefaultServerOAuth2AuthorizationRequestResolver.setAuthorizationRequestCustomizer(OAuth2AuthorizationRequestCustomizers.withPkce()) 進行組態。

DefaultServerOAuth2AuthorizationRequestResolver 也支援使用 UriComponentsBuilderredirect-uriURI 樣板變數。

以下組態使用所有支援的 URI 樣板變數

spring:
  security:
    oauth2:
      client:
        registration:
          okta:
            ...
            redirect-uri: "{baseScheme}://{baseHost}{basePort}{basePath}/authorized/{registrationId}"
            ...
{baseUrl} 解析為 {baseScheme}://{baseHost}{basePort}{basePath}

當 OAuth 2.0 用戶端在 Proxy 伺服器 後方執行時,使用 URI 樣板變數組態 redirect-uri 特別有用。這確保在擴展 redirect-uri 時使用 X-Forwarded-* 標頭。

自訂授權請求

ServerOAuth2AuthorizationRequestResolver 可以實現的主要用例之一是能夠使用 OAuth 2.0 授權框架中定義的標準參數之上的其他參數來自訂授權請求。

例如,OpenID Connect 為 授權碼流程 定義了額外的 OAuth 2.0 請求參數,從 OAuth 2.0 授權框架 中定義的標準參數擴展而來。這些擴展參數之一是 prompt 參數。

prompt 參數是選用的。以空格分隔、區分大小寫的 ASCII 字串值列表,用於指定授權伺服器是否提示終端使用者重新驗證身份和同意。定義的值為:noneloginconsentselect_account

以下範例展示如何使用 Consumer<OAuth2AuthorizationRequest.Builder> 組態 DefaultServerOAuth2AuthorizationRequestResolver,以自訂 oauth2Login() 的授權請求,方法是包含請求參數 prompt=consent

  • Java

  • Kotlin

@Configuration
@EnableWebFluxSecurity
public class OAuth2LoginSecurityConfig {

	@Autowired
	private ReactiveClientRegistrationRepository clientRegistrationRepository;

	@Bean
	public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
		http
			.authorizeExchange(authorize -> authorize
				.anyExchange().authenticated()
			)
			.oauth2Login(oauth2 -> oauth2
				.authorizationRequestResolver(
					authorizationRequestResolver(this.clientRegistrationRepository)
				)
			);
		return http.build();
	}

	private ServerOAuth2AuthorizationRequestResolver authorizationRequestResolver(
			ReactiveClientRegistrationRepository clientRegistrationRepository) {

		DefaultServerOAuth2AuthorizationRequestResolver authorizationRequestResolver =
				new DefaultServerOAuth2AuthorizationRequestResolver(
						clientRegistrationRepository);
		authorizationRequestResolver.setAuthorizationRequestCustomizer(
				authorizationRequestCustomizer());

		return  authorizationRequestResolver;
	}

	private Consumer<OAuth2AuthorizationRequest.Builder> authorizationRequestCustomizer() {
		return customizer -> customizer
					.additionalParameters(params -> params.put("prompt", "consent"));
	}
}
@Configuration
@EnableWebFluxSecurity
class SecurityConfig {

    @Autowired
    private lateinit var customClientRegistrationRepository: ReactiveClientRegistrationRepository

    @Bean
    fun securityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
        http {
            authorizeExchange {
                authorize(anyExchange, authenticated)
            }
            oauth2Login {
                authorizationRequestResolver = authorizationRequestResolver(customClientRegistrationRepository)
            }
        }

        return http.build()
    }

    private fun authorizationRequestResolver(
            clientRegistrationRepository: ReactiveClientRegistrationRepository): ServerOAuth2AuthorizationRequestResolver {
        val authorizationRequestResolver = DefaultServerOAuth2AuthorizationRequestResolver(
                clientRegistrationRepository)
        authorizationRequestResolver.setAuthorizationRequestCustomizer(
                authorizationRequestCustomizer())
        return authorizationRequestResolver
    }

    private fun authorizationRequestCustomizer(): Consumer<OAuth2AuthorizationRequest.Builder> {
        return Consumer { customizer ->
            customizer
                .additionalParameters { params -> params["prompt"] = "consent" }
        }
    }
}

對於簡單的用例,如果特定提供者的額外請求參數始終相同,則可以直接在 authorization-uri 屬性中新增。

例如,如果提供者 okta 的請求參數 prompt 的值始終為 consent,則只需如下組態

spring:
  security:
    oauth2:
      client:
        provider:
          okta:
            authorization-uri: https://dev-1234.oktapreview.com/oauth2/v1/authorize?prompt=consent

前面的範例展示了在標準參數之上新增自訂參數的常見用例。或者,如果您的需求更進階,您可以完全控制建構授權請求 URI,只需覆寫 OAuth2AuthorizationRequest.authorizationRequestUri 屬性即可。

OAuth2AuthorizationRequest.Builder.build() 建構 OAuth2AuthorizationRequest.authorizationRequestUri,它表示授權請求 URI,包括使用 application/x-www-form-urlencoded 格式的所有查詢參數。

以下範例展示了前面範例中 authorizationRequestCustomizer() 的變體,而是覆寫了 OAuth2AuthorizationRequest.authorizationRequestUri 屬性。

  • Java

  • Kotlin

private Consumer<OAuth2AuthorizationRequest.Builder> authorizationRequestCustomizer() {
	return customizer -> customizer
			.authorizationRequestUri(uriBuilder -> uriBuilder
					.queryParam("prompt", "consent").build());
}
private fun authorizationRequestCustomizer(): Consumer<OAuth2AuthorizationRequest.Builder> {
    return Consumer { customizer: OAuth2AuthorizationRequest.Builder ->
        customizer
                .authorizationRequestUri { uriBuilder: UriBuilder ->
                    uriBuilder
                            .queryParam("prompt", "consent").build()
                }
    }
}

儲存授權請求

ServerAuthorizationRequestRepository 負責從授權請求啟動時到收到授權回應(回呼)時,持久化 OAuth2AuthorizationRequest

OAuth2AuthorizationRequest 用於關聯和驗證授權回應。

ServerAuthorizationRequestRepository 的預設實作是 WebSessionOAuth2ServerAuthorizationRequestRepository,它將 OAuth2AuthorizationRequest 儲存在 WebSession 中。

如果您有 ServerAuthorizationRequestRepository 的自訂實作,您可以如下列範例所示組態它

ServerAuthorizationRequestRepository 組態

  • Java

  • Kotlin

@Configuration
@EnableWebFluxSecurity
public class OAuth2ClientSecurityConfig {

	@Bean
	public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
		http
			.oauth2Client(oauth2 -> oauth2
				.authorizationRequestRepository(this.authorizationRequestRepository())
				...
			);
		return http.build();
	}
}
@Configuration
@EnableWebFluxSecurity
class OAuth2ClientSecurityConfig {

    @Bean
    fun securityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
        http {
            oauth2Client {
                authorizationRequestRepository = authorizationRequestRepository()
            }
        }

        return http.build()
    }
}

請求存取令牌

關於授權碼許可的 存取令牌請求/回應 協定流程,請參閱相關說明。

授權碼許可的 ReactiveOAuth2AccessTokenResponseClient 的預設實作是 WebClientReactiveAuthorizationCodeTokenResponseClient,它使用 WebClient 在授權伺服器的令牌端點交換授權碼以取得存取令牌。

WebClientReactiveAuthorizationCodeTokenResponseClient 非常靈活,因為它允許您自訂令牌請求的預先處理和/或令牌回應的後續處理。

自訂存取令牌請求

如果您需要自訂令牌請求的預先處理,您可以為 WebClientReactiveAuthorizationCodeTokenResponseClient.setParametersConverter() 提供自訂的 Converter<OAuth2AuthorizationCodeGrantRequest, MultiValueMap<String, String>>。預設實作建構一個 MultiValueMap<String, String>,其中僅包含標準 OAuth 2.0 存取令牌請求grant_type 參數,該參數用於建構請求。授權碼許可所需的其他參數由 WebClientReactiveAuthorizationCodeTokenResponseClient 直接新增至請求主體。但是,提供自訂的 Converter 將允許您擴展標準令牌請求並新增自訂參數。

如果您只想新增其他參數,您可以改為為 WebClientReactiveAuthorizationCodeTokenResponseClient.addParametersConverter() 提供自訂的 Converter<OAuth2AuthorizationCodeGrantRequest, MultiValueMap<String, String>>,它會建構一個彙總 Converter
自訂的 Converter 必須傳回目標 OAuth 2.0 提供者可理解的有效 OAuth 2.0 存取令牌請求參數。

自訂存取令牌回應

另一方面,如果您需要自訂令牌回應的後續處理,您需要為 WebClientReactiveAuthorizationCodeTokenResponseClient.setBodyExtractor() 提供自訂組態的 BodyExtractor<Mono<OAuth2AccessTokenResponse>, ReactiveHttpInputMessage>,它用於將 OAuth 2.0 存取令牌回應轉換為 OAuth2AccessTokenResponseOAuth2BodyExtractors.oauth2AccessTokenResponse() 提供的預設實作會解析回應並相應地處理錯誤。

自訂 WebClient

或者,如果您的需求更進階,您可以透過簡單地為 WebClientReactiveAuthorizationCodeTokenResponseClient.setWebClient() 提供自訂組態的 WebClient 來完全控制請求/回應。

無論您自訂 WebClientReactiveAuthorizationCodeTokenResponseClient 還是提供您自己的 ReactiveOAuth2AccessTokenResponseClient 實作,您都需要如下列範例所示組態它

存取令牌回應組態

  • Java

  • Kotlin

@Configuration
@EnableWebFluxSecurity
public class OAuth2ClientSecurityConfig {

	@Bean
	public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
		http
			.oauth2Client(oauth2 -> oauth2
				.authenticationManager(this.authorizationCodeAuthenticationManager())
				...
			);
		return http.build();
	}

	private ReactiveAuthenticationManager authorizationCodeAuthenticationManager() {
		WebClientReactiveAuthorizationCodeTokenResponseClient accessTokenResponseClient =
				new WebClientReactiveAuthorizationCodeTokenResponseClient();
		...

		return new OAuth2AuthorizationCodeReactiveAuthenticationManager(accessTokenResponseClient);
	}
}
@Configuration
@EnableWebFluxSecurity
class OAuth2ClientSecurityConfig {

    @Bean
    fun securityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
        http {
            oauth2Client {
                authenticationManager = authorizationCodeAuthenticationManager()
            }
        }

        return http.build()
    }

    private fun authorizationCodeAuthenticationManager(): ReactiveAuthenticationManager {
        val accessTokenResponseClient = WebClientReactiveAuthorizationCodeTokenResponseClient()
        ...

        return OAuth2AuthorizationCodeReactiveAuthenticationManager(accessTokenResponseClient)
    }
}

重新整理令牌

關於 重新整理令牌 的更多詳細資訊,請參閱 OAuth 2.0 授權框架。

重新整理存取令牌

關於重新整理令牌許可的 存取令牌請求/回應 協定流程,請參閱相關說明。

重新整理令牌許可的 ReactiveOAuth2AccessTokenResponseClient 的預設實作是 WebClientReactiveRefreshTokenTokenResponseClient,它在授權伺服器的令牌端點重新整理存取令牌時使用 WebClient

WebClientReactiveRefreshTokenTokenResponseClient 非常靈活,因為它允許您自訂令牌請求的預先處理和/或令牌回應的後續處理。

自訂存取令牌請求

如果您需要自訂令牌請求的預先處理,您可以為 WebClientReactiveRefreshTokenTokenResponseClient.setParametersConverter() 提供自訂的 Converter<OAuth2RefreshTokenGrantRequest, MultiValueMap<String, String>>。預設實作建構一個 MultiValueMap<String, String>,其中僅包含標準 OAuth 2.0 存取令牌請求grant_type 參數,該參數用於建構請求。重新整理令牌許可所需的其他參數由 WebClientReactiveRefreshTokenTokenResponseClient 直接新增至請求主體。但是,提供自訂的 Converter 將允許您擴展標準令牌請求並新增自訂參數。

如果您只想新增其他參數,您可以改為為 WebClientReactiveRefreshTokenTokenResponseClient.addParametersConverter() 提供自訂的 Converter<OAuth2RefreshTokenGrantRequest, MultiValueMap<String, String>>,它會建構一個彙總 Converter
自訂的 Converter 必須傳回目標 OAuth 2.0 提供者可理解的有效 OAuth 2.0 存取令牌請求參數。

自訂存取令牌回應

另一方面,如果您需要自訂令牌回應的後續處理,您需要為 WebClientReactiveRefreshTokenTokenResponseClient.setBodyExtractor() 提供自訂組態的 BodyExtractor<Mono<OAuth2AccessTokenResponse>, ReactiveHttpInputMessage>,它用於將 OAuth 2.0 存取令牌回應轉換為 OAuth2AccessTokenResponseOAuth2BodyExtractors.oauth2AccessTokenResponse() 提供的預設實作會解析回應並相應地處理錯誤。

自訂 WebClient

或者,如果您的需求更進階,您可以透過簡單地為 WebClientReactiveRefreshTokenTokenResponseClient.setWebClient() 提供自訂組態的 WebClient 來完全控制請求/回應。

無論您自訂 WebClientReactiveRefreshTokenTokenResponseClient 還是提供您自己的 ReactiveOAuth2AccessTokenResponseClient 實作,您都需要如下列範例所示組態它

存取令牌回應組態

  • Java

  • Kotlin

// Customize
ReactiveOAuth2AccessTokenResponseClient<OAuth2RefreshTokenGrantRequest> refreshTokenTokenResponseClient = ...

ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
		ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
				.authorizationCode()
				.refreshToken(configurer -> configurer.accessTokenResponseClient(refreshTokenTokenResponseClient))
				.build();

...

authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
// Customize
val refreshTokenTokenResponseClient: ReactiveOAuth2AccessTokenResponseClient<OAuth2RefreshTokenGrantRequest> = ...

val authorizedClientProvider: ReactiveOAuth2AuthorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
        .authorizationCode()
        .refreshToken { it.accessTokenResponseClient(refreshTokenTokenResponseClient) }
        .build()

...

authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
ReactiveOAuth2AuthorizedClientProviderBuilder.builder().refreshToken() 組態 RefreshTokenReactiveOAuth2AuthorizedClientProvider,它是 ReactiveOAuth2AuthorizedClientProvider 針對重新整理令牌許可的實作。

OAuth2RefreshToken 可能會選擇性地在 authorization_codepassword 許可類型的存取令牌回應中傳回。如果 OAuth2AuthorizedClient.getRefreshToken() 可用且 OAuth2AuthorizedClient.getAccessToken() 已過期,則它將由 RefreshTokenReactiveOAuth2AuthorizedClientProvider 自動重新整理。

用戶端憑證

關於 用戶端憑證 許可的更多詳細資訊,請參閱 OAuth 2.0 授權框架。

請求存取令牌

關於用戶端憑證許可的 存取令牌請求/回應 協定流程,請參閱相關說明。

用戶端憑證許可的 ReactiveOAuth2AccessTokenResponseClient 的預設實作是 WebClientReactiveClientCredentialsTokenResponseClient,它在授權伺服器的令牌端點請求存取令牌時使用 WebClient

WebClientReactiveClientCredentialsTokenResponseClient 非常靈活,因為它允許您自訂令牌請求的預先處理和/或令牌回應的後續處理。

自訂存取令牌請求

如果您需要自訂令牌請求的預先處理,您可以為 WebClientReactiveClientCredentialsTokenResponseClient.setParametersConverter() 提供自訂的 Converter<OAuth2ClientCredentialsGrantRequest, MultiValueMap<String, String>>。預設實作建構一個 MultiValueMap<String, String>,其中僅包含標準 OAuth 2.0 存取令牌請求grant_type 參數,該參數用於建構請求。用戶端憑證許可所需的其他參數由 WebClientReactiveClientCredentialsTokenResponseClient 直接新增至請求主體。但是,提供自訂的 Converter 將允許您擴展標準令牌請求並新增自訂參數。

如果您只想新增其他參數,您可以改為為 WebClientReactiveClientCredentialsTokenResponseClient.addParametersConverter() 提供自訂的 Converter<OAuth2ClientCredentialsGrantRequest, MultiValueMap<String, String>>,它會建構一個彙總 Converter
自訂的 Converter 必須傳回目標 OAuth 2.0 提供者可理解的有效 OAuth 2.0 存取令牌請求參數。

自訂存取令牌回應

另一方面,如果您需要自訂令牌回應的後續處理,您需要為 WebClientReactiveClientCredentialsTokenResponseClient.setBodyExtractor() 提供自訂組態的 BodyExtractor<Mono<OAuth2AccessTokenResponse>, ReactiveHttpInputMessage>,它用於將 OAuth 2.0 存取令牌回應轉換為 OAuth2AccessTokenResponseOAuth2BodyExtractors.oauth2AccessTokenResponse() 提供的預設實作會解析回應並相應地處理錯誤。

自訂 WebClient

或者,如果您的需求更進階,您可以透過簡單地為 WebClientReactiveClientCredentialsTokenResponseClient.setWebClient() 提供自訂組態的 WebClient 來完全控制請求/回應。

無論您自訂 WebClientReactiveClientCredentialsTokenResponseClient 還是提供您自己的 ReactiveOAuth2AccessTokenResponseClient 實作,您都需要如下列範例所示組態它

  • Java

  • Kotlin

// Customize
ReactiveOAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> clientCredentialsTokenResponseClient = ...

ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
		ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
				.clientCredentials(configurer -> configurer.accessTokenResponseClient(clientCredentialsTokenResponseClient))
				.build();

...

authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
// Customize
val clientCredentialsTokenResponseClient: ReactiveOAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> = ...

val authorizedClientProvider: ReactiveOAuth2AuthorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
        .clientCredentials { it.accessTokenResponseClient(clientCredentialsTokenResponseClient) }
        .build()

...

authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
ReactiveOAuth2AuthorizedClientProviderBuilder.builder().clientCredentials() 組態 ClientCredentialsReactiveOAuth2AuthorizedClientProvider,它是 ReactiveOAuth2AuthorizedClientProvider 針對用戶端憑證許可的實作。

使用存取令牌

假設 OAuth 2.0 用戶端註冊的 Spring Boot 屬性如下

spring:
  security:
    oauth2:
      client:
        registration:
          okta:
            client-id: okta-client-id
            client-secret: okta-client-secret
            authorization-grant-type: client_credentials
            scope: read, write
        provider:
          okta:
            token-uri: https://dev-1234.oktapreview.com/oauth2/v1/token

…​以及 ReactiveOAuth2AuthorizedClientManager @Bean

  • Java

  • Kotlin

@Bean
public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
		ReactiveClientRegistrationRepository clientRegistrationRepository,
		ServerOAuth2AuthorizedClientRepository authorizedClientRepository) {

	ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
			ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
					.clientCredentials()
					.build();

	DefaultReactiveOAuth2AuthorizedClientManager authorizedClientManager =
			new DefaultReactiveOAuth2AuthorizedClientManager(
					clientRegistrationRepository, authorizedClientRepository);
	authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);

	return authorizedClientManager;
}
@Bean
fun authorizedClientManager(
        clientRegistrationRepository: ReactiveClientRegistrationRepository,
        authorizedClientRepository: ServerOAuth2AuthorizedClientRepository): ReactiveOAuth2AuthorizedClientManager {
    val authorizedClientProvider: ReactiveOAuth2AuthorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
            .clientCredentials()
            .build()
    val authorizedClientManager = DefaultReactiveOAuth2AuthorizedClientManager(
            clientRegistrationRepository, authorizedClientRepository)
    authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
    return authorizedClientManager
}

您可以如下取得 OAuth2AccessToken

  • Java

  • Kotlin

@Controller
public class OAuth2ClientController {

	@Autowired
	private ReactiveOAuth2AuthorizedClientManager authorizedClientManager;

	@GetMapping("/")
	public Mono<String> index(Authentication authentication, ServerWebExchange exchange) {
		OAuth2AuthorizeRequest authorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
				.principal(authentication)
				.attribute(ServerWebExchange.class.getName(), exchange)
				.build();

		return this.authorizedClientManager.authorize(authorizeRequest)
				.map(OAuth2AuthorizedClient::getAccessToken)
				...
				.thenReturn("index");
	}
}
class OAuth2ClientController {

    @Autowired
    private lateinit var authorizedClientManager: ReactiveOAuth2AuthorizedClientManager

    @GetMapping("/")
    fun index(authentication: Authentication, exchange: ServerWebExchange): Mono<String> {
        val authorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
                .principal(authentication)
                .attribute(ServerWebExchange::class.java.name, exchange)
                .build()

        return authorizedClientManager.authorize(authorizeRequest)
                .map { it.accessToken }
                ...
                .thenReturn("index")
    }
}
ServerWebExchange 是一個選用屬性。如果未提供,將會透過金鑰 ServerWebExchange.classReactor 的 Context 中取得。

資源擁有者密碼憑證

關於 資源擁有者密碼憑證 許可的更多詳細資訊,請參閱 OAuth 2.0 授權框架。

請求存取令牌

關於資源擁有者密碼憑證許可的 存取令牌請求/回應 協定流程,請參閱相關說明。

資源擁有者密碼憑證許可的 ReactiveOAuth2AccessTokenResponseClient 的預設實作是 WebClientReactivePasswordTokenResponseClient,它在授權伺服器的令牌端點請求存取令牌時使用 WebClient

WebClientReactivePasswordTokenResponseClient 非常靈活,因為它允許您自訂令牌請求的預先處理和/或令牌回應的後續處理。

自訂存取令牌請求

如果您需要自訂令牌請求的預先處理,您可以為 WebClientReactivePasswordTokenResponseClient.setParametersConverter() 提供自訂的 Converter<OAuth2PasswordGrantRequest, MultiValueMap<String, String>>。預設實作建構一個 MultiValueMap<String, String>,其中僅包含標準 OAuth 2.0 存取令牌請求grant_type 參數,該參數用於建構請求。資源擁有者密碼憑證許可所需的其他參數由 WebClientReactivePasswordTokenResponseClient 直接新增至請求主體。但是,提供自訂的 Converter 將允許您擴展標準令牌請求並新增自訂參數。

如果您只想新增其他參數,您可以改為為 WebClientReactivePasswordTokenResponseClient.addParametersConverter() 提供自訂的 Converter<OAuth2PasswordGrantRequest, MultiValueMap<String, String>>,它會建構一個彙總 Converter
自訂的 Converter 必須傳回目標 OAuth 2.0 提供者可理解的有效 OAuth 2.0 存取令牌請求參數。

自訂存取令牌回應

另一方面,如果您需要自訂令牌回應的後續處理,您需要為 WebClientReactivePasswordTokenResponseClient.setBodyExtractor() 提供自訂組態的 BodyExtractor<Mono<OAuth2AccessTokenResponse>, ReactiveHttpInputMessage>,它用於將 OAuth 2.0 存取令牌回應轉換為 OAuth2AccessTokenResponseOAuth2BodyExtractors.oauth2AccessTokenResponse() 提供的預設實作會解析回應並相應地處理錯誤。

自訂 WebClient

或者,如果您的需求更進階,您可以透過簡單地為 WebClientReactivePasswordTokenResponseClient.setWebClient() 提供自訂組態的 WebClient 來完全控制請求/回應。

無論您自訂 WebClientReactivePasswordTokenResponseClient 還是提供您自己的 ReactiveOAuth2AccessTokenResponseClient 實作,您都需要如下列範例所示組態它

  • Java

  • Kotlin

// Customize
ReactiveOAuth2AccessTokenResponseClient<OAuth2PasswordGrantRequest> passwordTokenResponseClient = ...

ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
		ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
				.password(configurer -> configurer.accessTokenResponseClient(passwordTokenResponseClient))
				.refreshToken()
				.build();

...

authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
val passwordTokenResponseClient: ReactiveOAuth2AccessTokenResponseClient<OAuth2PasswordGrantRequest> = ...

val authorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
        .password { it.accessTokenResponseClient(passwordTokenResponseClient) }
        .refreshToken()
        .build()

...

authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
ReactiveOAuth2AuthorizedClientProviderBuilder.builder().password() 組態 PasswordReactiveOAuth2AuthorizedClientProvider,它是 ReactiveOAuth2AuthorizedClientProvider 針對資源擁有者密碼憑證許可的實作。

使用存取令牌

假設 OAuth 2.0 用戶端註冊的 Spring Boot 屬性如下

spring:
  security:
    oauth2:
      client:
        registration:
          okta:
            client-id: okta-client-id
            client-secret: okta-client-secret
            authorization-grant-type: password
            scope: read, write
        provider:
          okta:
            token-uri: https://dev-1234.oktapreview.com/oauth2/v1/token

…​以及 ReactiveOAuth2AuthorizedClientManager @Bean

  • Java

  • Kotlin

@Bean
public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
		ReactiveClientRegistrationRepository clientRegistrationRepository,
		ServerOAuth2AuthorizedClientRepository authorizedClientRepository) {

	ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
			ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
					.password()
					.refreshToken()
					.build();

	DefaultReactiveOAuth2AuthorizedClientManager authorizedClientManager =
			new DefaultReactiveOAuth2AuthorizedClientManager(
					clientRegistrationRepository, authorizedClientRepository);
	authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);

	// Assuming the `username` and `password` are supplied as `ServerHttpRequest` parameters,
	// map the `ServerHttpRequest` parameters to `OAuth2AuthorizationContext.getAttributes()`
	authorizedClientManager.setContextAttributesMapper(contextAttributesMapper());

	return authorizedClientManager;
}

private Function<OAuth2AuthorizeRequest, Mono<Map<String, Object>>> contextAttributesMapper() {
	return authorizeRequest -> {
		Map<String, Object> contextAttributes = Collections.emptyMap();
		ServerWebExchange exchange = authorizeRequest.getAttribute(ServerWebExchange.class.getName());
		ServerHttpRequest request = exchange.getRequest();
		String username = request.getQueryParams().getFirst(OAuth2ParameterNames.USERNAME);
		String password = request.getQueryParams().getFirst(OAuth2ParameterNames.PASSWORD);
		if (StringUtils.hasText(username) && StringUtils.hasText(password)) {
			contextAttributes = new HashMap<>();

			// `PasswordReactiveOAuth2AuthorizedClientProvider` requires both attributes
			contextAttributes.put(OAuth2AuthorizationContext.USERNAME_ATTRIBUTE_NAME, username);
			contextAttributes.put(OAuth2AuthorizationContext.PASSWORD_ATTRIBUTE_NAME, password);
		}
		return Mono.just(contextAttributes);
	};
}
@Bean
fun authorizedClientManager(
        clientRegistrationRepository: ReactiveClientRegistrationRepository,
        authorizedClientRepository: ServerOAuth2AuthorizedClientRepository): ReactiveOAuth2AuthorizedClientManager {
    val authorizedClientProvider: ReactiveOAuth2AuthorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
            .password()
            .refreshToken()
            .build()
    val authorizedClientManager = DefaultReactiveOAuth2AuthorizedClientManager(
            clientRegistrationRepository, authorizedClientRepository)
    authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)

    // Assuming the `username` and `password` are supplied as `ServerHttpRequest` parameters,
    // map the `ServerHttpRequest` parameters to `OAuth2AuthorizationContext.getAttributes()`
    authorizedClientManager.setContextAttributesMapper(contextAttributesMapper())
    return authorizedClientManager
}

private fun contextAttributesMapper(): Function<OAuth2AuthorizeRequest, Mono<MutableMap<String, Any>>> {
    return Function { authorizeRequest ->
        var contextAttributes: MutableMap<String, Any> = mutableMapOf()
        val exchange: ServerWebExchange = authorizeRequest.getAttribute(ServerWebExchange::class.java.name)!!
        val request: ServerHttpRequest = exchange.request
        val username: String? = request.queryParams.getFirst(OAuth2ParameterNames.USERNAME)
        val password: String? = request.queryParams.getFirst(OAuth2ParameterNames.PASSWORD)
        if (StringUtils.hasText(username) && StringUtils.hasText(password)) {
            contextAttributes = hashMapOf()

            // `PasswordReactiveOAuth2AuthorizedClientProvider` requires both attributes
            contextAttributes[OAuth2AuthorizationContext.USERNAME_ATTRIBUTE_NAME] = username!!
            contextAttributes[OAuth2AuthorizationContext.PASSWORD_ATTRIBUTE_NAME] = password!!
        }
        Mono.just(contextAttributes)
    }
}

您可以如下取得 OAuth2AccessToken

  • Java

  • Kotlin

@Controller
public class OAuth2ClientController {

	@Autowired
	private ReactiveOAuth2AuthorizedClientManager authorizedClientManager;

	@GetMapping("/")
	public Mono<String> index(Authentication authentication, ServerWebExchange exchange) {
		OAuth2AuthorizeRequest authorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
				.principal(authentication)
				.attribute(ServerWebExchange.class.getName(), exchange)
				.build();

		return this.authorizedClientManager.authorize(authorizeRequest)
				.map(OAuth2AuthorizedClient::getAccessToken)
				...
				.thenReturn("index");
	}
}
@Controller
class OAuth2ClientController {
    @Autowired
    private lateinit var authorizedClientManager: ReactiveOAuth2AuthorizedClientManager

    @GetMapping("/")
    fun index(authentication: Authentication, exchange: ServerWebExchange): Mono<String> {
        val authorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
                .principal(authentication)
                .attribute(ServerWebExchange::class.java.name, exchange)
                .build()

        return authorizedClientManager.authorize(authorizeRequest)
                .map { it.accessToken }
                ...
                .thenReturn("index")
    }
}
ServerWebExchange 是一個選用屬性。如果未提供,將會透過金鑰 ServerWebExchange.classReactor 的 Context 中取得。

JWT Bearer

關於 JWT Bearer 許可的更多詳細資訊,請參閱 JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants。

請求存取令牌

關於 JWT Bearer 許可的 存取令牌請求/回應 協定流程,請參閱相關說明。

JWT Bearer 許可的 ReactiveOAuth2AccessTokenResponseClient 的預設實作是 WebClientReactiveJwtBearerTokenResponseClient,它在授權伺服器的令牌端點請求存取令牌時使用 WebClient

WebClientReactiveJwtBearerTokenResponseClient 非常靈活,因為它允許您自訂令牌請求的預先處理和/或令牌回應的後續處理。

自訂存取令牌請求

如果您需要自訂令牌請求的預先處理,您可以透過 WebClientReactiveJwtBearerTokenResponseClient.setParametersConverter() 提供自訂的 Converter<JwtBearerGrantRequest, MultiValueMap<String, String>>。預設實作會建置 MultiValueMap<String, String>,其中僅包含標準 OAuth 2.0 存取令牌請求grant_type 參數,此參數用於建構請求。JWT Bearer 授權所需的其他參數會由 WebClientReactiveJwtBearerTokenResponseClient 直接新增至請求主體中。然而,提供自訂的 Converter 可讓您擴展標準令牌請求並新增自訂參數。

如果您偏好僅新增額外參數,您可以改為透過 WebClientReactiveJwtBearerTokenResponseClient.addParametersConverter() 提供自訂的 Converter<JwtBearerGrantRequest, MultiValueMap<String, String>>,此轉換器會建構聚合 Converter
自訂的 Converter 必須傳回目標 OAuth 2.0 提供者可理解的有效 OAuth 2.0 存取令牌請求參數。

自訂存取令牌回應

另一方面,如果您需要自訂令牌回應的後續處理,您需要透過 WebClientReactiveJwtBearerTokenResponseClient.setBodyExtractor() 提供自訂配置的 BodyExtractor<Mono<OAuth2AccessTokenResponse>, ReactiveHttpInputMessage>,用於將 OAuth 2.0 存取令牌回應轉換為 OAuth2AccessTokenResponseOAuth2BodyExtractors.oauth2AccessTokenResponse() 提供的預設實作會剖析回應並據此處理錯誤。

自訂 WebClient

或者,如果您的需求更進階,您可以透過簡單地透過 WebClientReactiveJwtBearerTokenResponseClient.setWebClient() 提供自訂配置的 WebClient,完全掌控請求/回應。

無論您是自訂 WebClientReactiveJwtBearerTokenResponseClient 或提供您自己的 ReactiveOAuth2AccessTokenResponseClient 實作,您都需要按照以下範例所示進行配置

  • Java

  • Kotlin

// Customize
ReactiveOAuth2AccessTokenResponseClient<JwtBearerGrantRequest> jwtBearerTokenResponseClient = ...

JwtBearerReactiveOAuth2AuthorizedClientProvider jwtBearerAuthorizedClientProvider = new JwtBearerReactiveOAuth2AuthorizedClientProvider();
jwtBearerAuthorizedClientProvider.setAccessTokenResponseClient(jwtBearerTokenResponseClient);

ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
		ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
				.provider(jwtBearerAuthorizedClientProvider)
				.build();

...

authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
// Customize
val jwtBearerTokenResponseClient: ReactiveOAuth2AccessTokenResponseClient<JwtBearerGrantRequest> = ...

val jwtBearerAuthorizedClientProvider = JwtBearerReactiveOAuth2AuthorizedClientProvider()
jwtBearerAuthorizedClientProvider.setAccessTokenResponseClient(jwtBearerTokenResponseClient)

val authorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
        .provider(jwtBearerAuthorizedClientProvider)
        .build()

...

authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)

使用存取令牌

假設 OAuth 2.0 用戶端註冊的 Spring Boot 屬性如下

spring:
  security:
    oauth2:
      client:
        registration:
          okta:
            client-id: okta-client-id
            client-secret: okta-client-secret
            authorization-grant-type: urn:ietf:params:oauth:grant-type:jwt-bearer
            scope: read
        provider:
          okta:
            token-uri: https://dev-1234.oktapreview.com/oauth2/v1/token

…​以及 OAuth2AuthorizedClientManager @Bean

  • Java

  • Kotlin

@Bean
public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
		ReactiveClientRegistrationRepository clientRegistrationRepository,
		ServerOAuth2AuthorizedClientRepository authorizedClientRepository) {

	JwtBearerReactiveOAuth2AuthorizedClientProvider jwtBearerAuthorizedClientProvider =
			new JwtBearerReactiveOAuth2AuthorizedClientProvider();

	ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
			ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
					.provider(jwtBearerAuthorizedClientProvider)
					.build();

	DefaultReactiveOAuth2AuthorizedClientManager authorizedClientManager =
			new DefaultReactiveOAuth2AuthorizedClientManager(
					clientRegistrationRepository, authorizedClientRepository);
	authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);

	return authorizedClientManager;
}
@Bean
fun authorizedClientManager(
        clientRegistrationRepository: ReactiveClientRegistrationRepository,
        authorizedClientRepository: ServerOAuth2AuthorizedClientRepository): ReactiveOAuth2AuthorizedClientManager {
    val jwtBearerAuthorizedClientProvider = JwtBearerReactiveOAuth2AuthorizedClientProvider()
    val authorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
            .provider(jwtBearerAuthorizedClientProvider)
            .build()
    val authorizedClientManager = DefaultReactiveOAuth2AuthorizedClientManager(
            clientRegistrationRepository, authorizedClientRepository)
    authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
    return authorizedClientManager
}

您可以如下取得 OAuth2AccessToken

  • Java

  • Kotlin

@RestController
public class OAuth2ResourceServerController {

	@Autowired
	private ReactiveOAuth2AuthorizedClientManager authorizedClientManager;

	@GetMapping("/resource")
	public Mono<String> resource(JwtAuthenticationToken jwtAuthentication, ServerWebExchange exchange) {
		OAuth2AuthorizeRequest authorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
				.principal(jwtAuthentication)
				.build();

		return this.authorizedClientManager.authorize(authorizeRequest)
				.map(OAuth2AuthorizedClient::getAccessToken)
				...
	}
}
class OAuth2ResourceServerController {

    @Autowired
    private lateinit var authorizedClientManager: ReactiveOAuth2AuthorizedClientManager

    @GetMapping("/resource")
    fun resource(jwtAuthentication: JwtAuthenticationToken, exchange: ServerWebExchange): Mono<String> {
        val authorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
                .principal(jwtAuthentication)
                .build()
        return authorizedClientManager.authorize(authorizeRequest)
                .map { it.accessToken }
                ...
    }
}
JwtBearerReactiveOAuth2AuthorizedClientProvider 預設會透過 OAuth2AuthorizationContext.getPrincipal().getPrincipal() 解析 Jwt 斷言,因此在先前的範例中使用了 JwtAuthenticationToken
如果您需要從不同的來源解析 Jwt 斷言,您可以透過 JwtBearerReactiveOAuth2AuthorizedClientProvider.setJwtAssertionResolver() 提供自訂的 Function<OAuth2AuthorizationContext, Mono<Jwt>>

令牌交換

有關 令牌交換授權的更多詳細資訊,請參閱 OAuth 2.0 令牌交換。

請求存取令牌

有關令牌交換授權的 令牌交換請求與回應協定流程,請參閱相關章節。

ReactiveOAuth2AccessTokenResponseClient 針對令牌交換授權的預設實作是 WebClientReactiveTokenExchangeTokenResponseClient,其在授權伺服器的令牌端點請求存取令牌時會使用 WebClient

WebClientReactiveTokenExchangeTokenResponseClient 非常彈性,因為它允許您自訂令牌請求的預先處理和/或令牌回應的後續處理。

自訂存取令牌請求

如果您需要自訂令牌請求的預先處理,您可以透過 WebClientReactiveTokenExchangeTokenResponseClient.setParametersConverter() 提供自訂的 Converter<TokenExchangeGrantRequest, MultiValueMap<String, String>>。預設實作會建置 MultiValueMap<String, String>,其中僅包含標準 OAuth 2.0 存取令牌請求grant_type 參數,此參數用於建構請求。Token Exchange 授權所需的其他參數會由 WebClientReactiveTokenExchangeTokenResponseClient 直接新增至請求主體中。然而,提供自訂的 Converter 可讓您擴展標準令牌請求並新增自訂參數。

如果您偏好僅新增額外參數,您可以改為透過 WebClientReactiveTokenExchangeTokenResponseClient.addParametersConverter() 提供自訂的 Converter<TokenExchangeGrantRequest, MultiValueMap<String, String>>,此轉換器會建構聚合 Converter
自訂的 Converter 必須傳回目標 OAuth 2.0 提供者可理解的有效 OAuth 2.0 存取令牌請求參數。

自訂存取令牌回應

另一方面,如果您需要自訂令牌回應的後續處理,您需要透過 WebClientReactiveTokenExchangeTokenResponseClient.setBodyExtractor() 提供自訂配置的 BodyExtractor<Mono<OAuth2AccessTokenResponse>, ReactiveHttpInputMessage>,用於將 OAuth 2.0 存取令牌回應轉換為 OAuth2AccessTokenResponseOAuth2BodyExtractors.oauth2AccessTokenResponse() 提供的預設實作會剖析回應並據此處理錯誤。

自訂 WebClient

或者,如果您的需求更進階,您可以透過簡單地透過 WebClientReactiveTokenExchangeTokenResponseClient.setWebClient() 提供自訂配置的 WebClient,完全掌控請求/回應。

無論您是自訂 WebClientReactiveTokenExchangeTokenResponseClient 或提供您自己的 ReactiveOAuth2AccessTokenResponseClient 實作,您都需要按照以下範例所示進行配置

  • Java

  • Kotlin

// Customize
ReactiveOAuth2AccessTokenResponseClient<TokenExchangeGrantRequest> tokenExchangeTokenResponseClient = ...

TokenExchangeReactiveOAuth2AuthorizedClientProvider tokenExchangeAuthorizedClientProvider = new TokenExchangeReactiveOAuth2AuthorizedClientProvider();
tokenExchangeAuthorizedClientProvider.setAccessTokenResponseClient(tokenExchangeTokenResponseClient);

ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
		ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
				.provider(tokenExchangeAuthorizedClientProvider)
				.build();

...

authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
// Customize
val tokenExchangeTokenResponseClient: ReactiveOAuth2AccessTokenResponseClient<TokenExchangeGrantRequest> = ...

val tokenExchangeAuthorizedClientProvider = TokenExchangeReactiveOAuth2AuthorizedClientProvider()
tokenExchangeAuthorizedClientProvider.setAccessTokenResponseClient(tokenExchangeTokenResponseClient)

val authorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
        .provider(tokenExchangeAuthorizedClientProvider)
        .build()

...

authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)

使用存取令牌

假設 OAuth 2.0 用戶端註冊的 Spring Boot 屬性如下

spring:
  security:
    oauth2:
      client:
        registration:
          okta:
            client-id: okta-client-id
            client-secret: okta-client-secret
            authorization-grant-type: urn:ietf:params:oauth:grant-type:token-exchange
            scope: read
        provider:
          okta:
            token-uri: https://dev-1234.oktapreview.com/oauth2/v1/token

…​以及 OAuth2AuthorizedClientManager @Bean

  • Java

  • Kotlin

@Bean
public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
		ReactiveClientRegistrationRepository clientRegistrationRepository,
		ServerOAuth2AuthorizedClientRepository authorizedClientRepository) {

	TokenExchangeReactiveOAuth2AuthorizedClientProvider tokenExchangeAuthorizedClientProvider =
			new TokenExchangeReactiveOAuth2AuthorizedClientProvider();

	ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
			ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
					.provider(tokenExchangeAuthorizedClientProvider)
					.build();

	DefaultReactiveOAuth2AuthorizedClientManager authorizedClientManager =
			new DefaultReactiveOAuth2AuthorizedClientManager(
					clientRegistrationRepository, authorizedClientRepository);
	authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);

	return authorizedClientManager;
}
@Bean
fun authorizedClientManager(
        clientRegistrationRepository: ReactiveClientRegistrationRepository,
        authorizedClientRepository: ServerOAuth2AuthorizedClientRepository): ReactiveOAuth2AuthorizedClientManager {
    val tokenExchangeAuthorizedClientProvider = TokenExchangeReactiveOAuth2AuthorizedClientProvider()
    val authorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
            .provider(tokenExchangeAuthorizedClientProvider)
            .build()
    val authorizedClientManager = DefaultReactiveOAuth2AuthorizedClientManager(
            clientRegistrationRepository, authorizedClientRepository)
    authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
    return authorizedClientManager
}

您可以如下取得 OAuth2AccessToken

  • Java

  • Kotlin

@RestController
public class OAuth2ResourceServerController {

	@Autowired
	private ReactiveOAuth2AuthorizedClientManager authorizedClientManager;

	@GetMapping("/resource")
	public Mono<String> resource(JwtAuthenticationToken jwtAuthentication) {
		OAuth2AuthorizeRequest authorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
				.principal(jwtAuthentication)
				.build();

		return this.authorizedClientManager.authorize(authorizeRequest)
				.map(OAuth2AuthorizedClient::getAccessToken)
				...
	}
}
class OAuth2ResourceServerController {

    @Autowired
    private lateinit var authorizedClientManager: ReactiveOAuth2AuthorizedClientManager

    @GetMapping("/resource")
    fun resource(jwtAuthentication: JwtAuthenticationToken): Mono<String> {
        val authorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("okta")
                .principal(jwtAuthentication)
                .build()
        return authorizedClientManager.authorize(authorizeRequest)
                .map { it.accessToken }
                ...
    }
}
TokenExchangeReactiveOAuth2AuthorizedClientProvider 預設會透過 OAuth2AuthorizationContext.getPrincipal().getPrincipal() 解析主體令牌 (作為 OAuth2Token),因此在先前的範例中使用了 JwtAuthenticationToken。預設不會解析動作方令牌。
如果您需要從不同的來源解析主體令牌,您可以透過 TokenExchangeReactiveOAuth2AuthorizedClientProvider.setSubjectTokenResolver() 提供自訂的 Function<OAuth2AuthorizationContext, Mono<OAuth2Token>>
如果您需要解析動作方令牌,您可以透過 TokenExchangeReactiveOAuth2AuthorizedClientProvider.setActorTokenResolver() 提供自訂的 Function<OAuth2AuthorizationContext, Mono<OAuth2Token>>