stackoom
  简体   繁体   中英

Spring Boot Oauth2 Client(Reactive) Mutual TLS/SSL token uri

 原文  2020-07-16 13:33:54       java/ spring/ spring-boot/ spring-webflux/ spring-boot-starter-oauth2-client

Question

Spring boot 2.3.x and Spring 5.x had recently added the support for configuring the reactive oauth2 client based on the WebClient class.

I had a requirement for the Client Credentials grant flow configuration

Doing this call without the Mutual TLS/SSL is quiet straight forward.

Normal (without TLS/SSL) configuration ( @Configuration ) the code extract is as below:-

@Bean
public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
        ReactiveClientRegistrationRepository clientRegistrationRepository,
        ServerOAuth2AuthorizedClientRepository authorizedClientRepository){

    ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
            .clientCredentials()
            .build();

    DefaultReactiveOAuth2AuthorizedClientManager authorizedClientManager = new DefaultReactiveOAuth2AuthorizedClientManager(clientRegistrationRepository, authorizedClientRepository);

    authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
    return authorizedClientManager;
}

@Bean("testClient")
public WebClient webClient(ReactiveOAuth2AuthorizedClientManager authorizedClientManager,
                           @Value("${test.client.base.url}") String baseUrl) {
    ServerOAuth2AuthorizedClientExchangeFilterFunction oauthFunction = new ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager);
    oauthFunction.setDefaultClientRegistrationId("local");
    return WebClient.builder()
            .baseUrl(baseUrl)
            .filter(oauthFunction)
            .build();
}

@Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
    http.oauth2Client();
    return http.build();
}

The properties file

spring.security.oauth2.client.registration.local.authorization-grant-type=client_credentials
spring.security.oauth2.client.registration.local.client-id=client_id
spring.security.oauth2.client.registration.local.client-secret=client_secret

spring.security.oauth2.client.provider.local.token-uri=http://hostname:port/oauth/token
test.client.base.url=http://protected-resource/v1/apis

But calling the oauth2 authorization server over Mutual TLS(Client cert) was a big deal.

How to do that? I would like to share the same with the community and would answer the same myself below

1 answers

solution1
 1 ACCPTED  2020-07-16 13:33:54

The answer to the requirement and the main change will be in the bean authorizedClientManager

The scope of the answer is the client credentials grant flow only though changes for the other oauth2 grant flows should be similar and this would help there too.

@Bean
public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
        ReactiveClientRegistrationRepository clientRegistrationRepository,
        ServerOAuth2AuthorizedClientRepository authorizedClientRepository){

    // construct client credential token response client yourself
    WebClientReactiveClientCredentialsTokenResponseClient accessTokenResponseClient = new WebClientReactiveClientCredentialsTokenResponseClient();

    // construct the sslContext as per your needs and inject in below
    // and create httpClient by injecting your sslContext here
    HttpClient httpClient = HttpClient.create()
            .tcpConfiguration(client -> client.option(ChannelOption.CONNECT_TIMEOUT_MILLIS, 10000))
            .secure(sslContextSpec -> sslContextSpec.sslContext(sslContext));

    ClientHttpConnector httpConnector = new ReactorClientHttpConnector(httpClient);

    accessTokenResponseClient.setWebClient(WebClient.builder().clientConnector(httpConnector).build());

    ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder
            .builder()
            .clientCredentials(c -> {
                c.accessTokenResponseClient(accessTokenResponseClient);
            }).build();

    DefaultReactiveOAuth2AuthorizedClientManager authorizedClientManager = new DefaultReactiveOAuth2AuthorizedClientManager(clientRegistrationRepository, authorizedClientRepository);

    authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
    return authorizedClientManager;
}

Here if you see the line .secure(sslContextSpec -> sslContextSpec.sslContext(sslContext));

You need to construct the sslContext and inject the same, and that would depend entirely on your code setup.

For detailed code and instructions you can go to the link here

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Spring boot oauth2 token oauth2 client in Spring Boot How get a token in spring boot 2 oauth2? Spring Boot + Oauth2 client credentials Spring boot OAuth2 - OAuth Token does not return authorization token Why Spring Boot WebClient OAuth2 (client_credentials) asks for a new token for each request? Spring boot oauth2: No userInfo endpoint - How to load the authentication (Principal) from the JWT access token directly in the client Mutual Authentication(Two-Way TLS/SSL) with cloud residing KeyStores and TrustStores(Secret Manager) -Spring boot Spring boot - google oauth2, store refresh token in database Unable to access resources with access_token : spring boot Oauth2
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM