Spring Reactive Oauth2 Webclient 不使用配置的代理

Question

I have an Oauth2 authentication service that must use proxy to call the OAuth provider to get token after user authentication. The server used here is.netty while i have a reactive server for gateway reasons.

This is the configuration that i am using:

@Configuration
public class GithubProxyConfig {

    private static final Logger LOGGER = Logger.getLogger(GithubProxyConfig.class);

    @Bean("githubClientRegistrationRepository")
    public ReactiveClientRegistrationRepository githubClientRegistrationRepository() {
        ClientRegistration registration = ClientRegistration
                .withRegistrationId("github")
                .clientId("ID")
                .clientSecret("SECRET")
                .redirectUri("https://oauth-service/api/login/oauth2/code/github")
                .authorizationUri("https://github.com/login/oauth/authorize")
                .tokenUri("https://github.com/login/oauth/access_token")
                .userInfoUri("https://api.github.com/user")
                .userNameAttributeName("login")
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .build();
        return new InMemoryReactiveClientRegistrationRepository(registration);
    }

    @Primary
    @Bean
    @DependsOn(value = {"githubClientRegistrationRepository"})
    public AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager authorizedClientServiceReactiveOAuth2AuthorizedClientManager(
            @Qualifier("githubClientRegistrationRepository") ReactiveClientRegistrationRepository clientRegistrations,
            WebClientBuilderFactory webClientBuilderFactory
    ) throws SSLException {
        WebClient webClient = webClientBuilderFactory
                .newBuilder(LOGGER, "Github Client")
                .clientConnector(sslConnectorFrom("60.32.59.68", 8080))
                .build();
        InMemoryReactiveOAuth2AuthorizedClientService authorizedClientService = new InMemoryReactiveOAuth2AuthorizedClientService(clientRegistrations);
        AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager authorizedClientManager =
                new AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager(clientRegistrations, authorizedClientService);
        authorizedClientManager.setAuthorizedClientProvider(createAuthorizedClientProvider(webClient));
        ServerOAuth2AuthorizedClientExchangeFilterFunction oauth2FilterFunction = new ServerOAuth2AuthorizedClientExchangeFilterFunction(
                authorizedClientManager
        );
        oauth2FilterFunction.setDefaultClientRegistrationId("github");
        return authorizedClientManager;
    }

    private ReactiveOAuth2AuthorizedClientProvider createAuthorizedClientProvider(WebClient webClient) {
        WebClientReactiveClientCredentialsTokenResponseClient clientCredentialsTokenResponseClient
                = new WebClientReactiveClientCredentialsTokenResponseClient();
        clientCredentialsTokenResponseClient.setWebClient(webClient);

        return ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
                .clientCredentials(builder -> builder.accessTokenResponseClient(clientCredentialsTokenResponseClient))
                .build();
    }

}

When i start the flow, no proxy is used and even the WebClient is not used to get access token. And i get a timeout exception for that. The same issue was discussed in Github: https://github.com/spring-projects/spring-security/issues/8966

Any help for the resolution of this issue to make the use of the proxy for this client. Thank you

Answer 1

I had a problem in my gateway with reactive oauth2 not honoring standard Java proxy settings too, but in my case it was for JWT decoding. In that case, I had to end up building a new decoder with an instantiated WebClient by using the WebClient builder with a new client connector that has a specific proxy override.

In your situation, you may want to try similar. Again, not the exact same situation, but here is how I overrode the WebClient in a decoder example.

    ReactiveJwtDecoder customDecoder() {

        HttpClient httpClient =
                HttpClient.create()
                        .proxy(proxy -> proxy
                                .type(ProxyProvider.Proxy.HTTP)
                                .host(proxyHost)
                                .port(proxyPort));

        ReactorClientHttpConnector conn = new ReactorClientHttpConnector(httpClient);

        final NimbusReactiveJwtDecoder userTokenDecoder = NimbusReactiveJwtDecoder.withJwkSetUri(this.jwkSetUri)
                .webClient(WebClient.builder().clientConnector(conn).build()).build();
...
...
...

        return userTokenDecoder;
    }