# 授权客户功能

# 解决授权客户

@RegisteredOAuth2AuthorizedClient注释提供了将方法参数解析为OAuth2AuthorizedClient类型的参数值的功能。与使用OAuth2AuthorizedClientManagerOAuth2AuthorizedClientService访问OAuth2AuthorizedClient相比,这是一种方便的替代方法。

Java

@Controller
public class OAuth2ClientController {

	@GetMapping("/")
	public String index(@RegisteredOAuth2AuthorizedClient("okta") OAuth2AuthorizedClient authorizedClient) {
		OAuth2AccessToken accessToken = authorizedClient.getAccessToken();

		...

		return "index";
	}
}

Kotlin

@Controller
class OAuth2ClientController {
    @GetMapping("/")
    fun index(@RegisteredOAuth2AuthorizedClient("okta") authorizedClient: OAuth2AuthorizedClient): String {
        val accessToken = authorizedClient.accessToken

        ...

        return "index"
    }
}

@RegisteredOAuth2AuthorizedClient注释由OAuth2AuthorizedClientArgumentResolver处理,它直接使用[OAuth2AuthorizedClientManager](core.html#oAuth2client-authorized-manager-provider),因此继承了它的功能。

# 用于 Servlet 环境的WebClient集成

OAuth2.0客户端支持使用ExchangeFilterFunctionWebClient集成。

ServletOAuth2AuthorizedClientExchangeFilterFunction提供了一种简单的机制,通过使用OAuth2AuthorizedClient请求受保护的资源,并将相关的OAuth2AccessToken作为承载令牌。它直接使用[OAuth2AuthorizedClientManager](core.html#OAuth2client-authorized-manager-provider),因此继承了以下功能:

  • 如果客户端尚未获得授权,则将请求OAuth2AccessToken

    • authorization_code-触发授权请求重定向以初始化流

    • client_credentials-访问令牌是直接从令牌端点获得的

    • password-访问令牌是直接从令牌端点获得的

  • 如果OAuth2AccessToken过期,如果OAuth2AuthorizedClientProvider可用于执行授权,则将刷新(或更新)该权限

下面的代码展示了如何使用OAuth2.0客户端支持配置WebClient的示例:

Java

@Bean
WebClient webClient(OAuth2AuthorizedClientManager authorizedClientManager) {
	ServletOAuth2AuthorizedClientExchangeFilterFunction oauth2Client =
			new ServletOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager);
	return WebClient.builder()
			.apply(oauth2Client.oauth2Configuration())
			.build();
}

Kotlin

@Bean
fun webClient(authorizedClientManager: OAuth2AuthorizedClientManager?): WebClient {
    val oauth2Client = ServletOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager)
    return WebClient.builder()
            .apply(oauth2Client.oauth2Configuration())
            .build()
}

# 提供授权客户

通过解析ClientRequest.attributes()(请求属性)中的OAuth2AuthorizedClientServletOAuth2AuthorizedClientExchangeFilterFunction确定要使用的客户机(用于请求)。

下面的代码展示了如何将OAuth2AuthorizedClient设置为请求属性:

Java

@GetMapping("/")
public String index(@RegisteredOAuth2AuthorizedClient("okta") OAuth2AuthorizedClient authorizedClient) {
	String resourceUri = ...

	String body = webClient
			.get()
			.uri(resourceUri)
			.attributes(oauth2AuthorizedClient(authorizedClient))   (1)
			.retrieve()
			.bodyToMono(String.class)
			.block();

	...

	return "index";
}

Kotlin

@GetMapping("/")
fun index(@RegisteredOAuth2AuthorizedClient("okta") authorizedClient: OAuth2AuthorizedClient): String {
    val resourceUri: String = ...
    val body: String = webClient
            .get()
            .uri(resourceUri)
            .attributes(oauth2AuthorizedClient(authorizedClient)) (1)
            .retrieve()
            .bodyToMono()
            .block()

    ...

    return "index"
}
1 oauth2AuthorizedClient()static中的一个static方法。

下面的代码展示了如何将ClientRegistration.getRegistrationId()设置为请求属性:

Java

@GetMapping("/")
public String index() {
	String resourceUri = ...

	String body = webClient
			.get()
			.uri(resourceUri)
			.attributes(clientRegistrationId("okta"))   (1)
			.retrieve()
			.bodyToMono(String.class)
			.block();

	...

	return "index";
}

Kotlin

@GetMapping("/")
fun index(): String {
    val resourceUri: String = ...

    val body: String = webClient
            .get()
            .uri(resourceUri)
            .attributes(clientRegistrationId("okta"))  (1)
            .retrieve()
            .bodyToMono()
            .block()

    ...

    return "index"
}
1 clientRegistrationId()static中的一个static方法。

# 对授权客户违约

如果OAuth2AuthorizedClientClientRegistration.getRegistrationId()都不作为请求属性提供,则ServletOAuth2AuthorizedClientExchangeFilterFunction可以根据其配置来确定要使用的默认值客户端。

如果setDefaultOAuth2AuthorizedClient(true)被配置并且用户已经使用HttpSecurity.oauth2Login()进行了身份验证,则使用与当前OAuth2AccessToken关联的OAuth2AccessToken

以下代码显示了具体的配置:

Java

@Bean
WebClient webClient(OAuth2AuthorizedClientManager authorizedClientManager) {
	ServletOAuth2AuthorizedClientExchangeFilterFunction oauth2Client =
			new ServletOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager);
	oauth2Client.setDefaultOAuth2AuthorizedClient(true);
	return WebClient.builder()
			.apply(oauth2Client.oauth2Configuration())
			.build();
}

Kotlin

@Bean
fun webClient(authorizedClientManager: OAuth2AuthorizedClientManager?): WebClient {
    val oauth2Client = ServletOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager)
    oauth2Client.setDefaultOAuth2AuthorizedClient(true)
    return WebClient.builder()
            .apply(oauth2Client.oauth2Configuration())
            .build()
}
由于所有HTTP请求都将接收访问令牌,因此建议对此功能保持谨慎。

或者,如果setDefaultClientRegistrationId("okta")被配置为有效的ClientRegistration,则使用与OAuth2AuthorizedClient关联的OAuth2AccessToken

以下代码显示了具体的配置:

Java

@Bean
WebClient webClient(OAuth2AuthorizedClientManager authorizedClientManager) {
	ServletOAuth2AuthorizedClientExchangeFilterFunction oauth2Client =
			new ServletOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager);
	oauth2Client.setDefaultClientRegistrationId("okta");
	return WebClient.builder()
			.apply(oauth2Client.oauth2Configuration())
			.build();
}

Kotlin

@Bean
fun webClient(authorizedClientManager: OAuth2AuthorizedClientManager?): WebClient {
    val oauth2Client = ServletOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager)
    oauth2Client.setDefaultClientRegistrationId("okta")
    return WebClient.builder()
            .apply(oauth2Client.oauth2Configuration())
            .build()
}
由于所有HTTP请求都将接收访问令牌,因此建议对此功能保持谨慎。

OAuth2客户端身份验证OAuth2资源服务器