Can I have Spring Boot create a WebClient which uses OAuth2 without it trying to apply the OAuth flow to my endpoints?
I want to have a WebClient which uses a client_credentials OAuth2 flow to authorize with an API. I've followed various sets of instructions from the documentation to several tutorials.
I feel like I'm pretty close to getting Spring Boot to do what I want, but the default behaviour is doing something I don't want - I get redirected to /login when I make a request to any of my controllers. I want to be able to (at the moment) do an unauthorized request to my API, and have the service-to-service call use the configured OAuth2 flow.
spring:
  main:
    web-application-type: reactive
  security:
    oauth2:
      client:
        registration:
          my-private-api:
            client-id: <foo>
            client-secret: <bar>
            authorization-grant-type: client_credentials
        provider:
          my-private-api:
            token-uri: <uri>
@Bean
WebClient webClient( final ReactiveClientRegistrationRepository clientRegistrations,
                     final ReactiveOAuth2AuthorizedClientService authorizedClientService )
{
    // Filter that obtains a token for the outbound call and attaches it to the request.
    ServerOAuth2AuthorizedClientExchangeFilterFunction oauth =
        new ServerOAuth2AuthorizedClientExchangeFilterFunction(
            new AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager(
                clientRegistrations,
                authorizedClientService ) );
    // Use the "my-private-api" registration from the YAML above for every request.
    oauth.setDefaultClientRegistrationId( "my-private-api" );
    return WebClient.builder().filter( oauth ).build();
}
Do I need to do lots of manual configuration in order to avoid this default behaviour I don't want?
So turns out my OAuth configuration was fine, what I was actually asking for was "how do I disable the default behaviour of Spring Security's SecurityWebFilterChain" - which is to add a bean overriding the behaviour:
@Bean
SecurityWebFilterChain springWebFilterChain( final ServerHttpSecurity http )
{
    http.httpBasic().disable().formLogin().disable().csrf().disable().logout().disable();
    return http.build();
}
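An added example, not part of the original answer or of Spring's documentation: the same inbound chain written with the lambda DSL (Spring Security 5.2 or later assumed), with the authorization policy for incoming requests stated explicitly. The class name `InboundSecurityConfig` and the `/internal/**` path are hypothetical.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Configuration
@EnableWebFluxSecurity
class InboundSecurityConfig { // hypothetical class name

    @Bean
    SecurityWebFilterChain springWebFilterChain(final ServerHttpSecurity http) {
        return http
            // Inbound policy written out, so an open endpoint is a visible decision
            // that can later be tightened one matcher at a time.
            .authorizeExchange(exchanges -> exchanges
                // Hypothetical path: rules are evaluated in order, so specific
                // matchers must come before anyExchange().
                .pathMatchers("/internal/**").denyAll()
                // Matches the question's "unauthorized request to my API" for now.
                .anyExchange().permitAll())
            // No interactive login on this service: removes the /login redirect.
            .httpBasic(ServerHttpSecurity.HttpBasicSpec::disable)
            .formLogin(ServerHttpSecurity.FormLoginSpec::disable)
            .logout(ServerHttpSecurity.LogoutSpec::disable)
            // Disabled as in the answer. Revisit once browser clients authenticate
            // with cookies or sessions, because CSRF protection matters then.
            .csrf(ServerHttpSecurity.CsrfSpec::disable)
            .build();
    }
}
```

This chain governs inbound requests only; the outbound `WebClient` bean keeps obtaining tokens through the `my-private-api` client registration.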