Spring Security 5 在 Application Runner 中调用 OAuth2 Secured API 导致 IllegalArgumentException

Question

给定以下代码，是否可以在应用程序运行器中调用客户端凭据安全 API？

@Bean
public ApplicationRunner test(
    WebClient.Builder builder,
    ClientRegistrationRepository clientRegistrationRepo, 
    OAuth2AuthorizedClientRepository authorizedClient) {
        return args -> {
            try {
                var oauth2 =
                    new ServletOAuth2AuthorizedClientExchangeFilterFunction(
                        clientRegistrationRepo,
                        authorizedClient);
                oauth2.setDefaultClientRegistrationId("test");
                var response = builder
                    .apply(oauth2.oauth2Configuration())
                    .build()
                    .get()
                    .uri("test")
                    .retrieve()
                    .bodyToMono(String.class)
                    .block();
                log.info("Response - {}", response);
            } catch (Exception e) {
                log.error("Failed to call test.", e);
            }
        };
    }

代码失败的原因是，

java.lang.IllegalArgumentException: request cannot be null

全栈，

java.lang.IllegalArgumentException: request cannot be null
    at org.springframework.util.Assert.notNull(Assert.java:198) ~[spring-core-5.1.5.RELEASE.jar:5.1.5.RELEASE]
    at org.springframework.security.oauth2.client.web.HttpSessionOAuth2AuthorizedClientRepository.loadAuthorizedClient(HttpSessionOAuth2AuthorizedClientRepository.java:47) ~[spring-security-oauth2-client-5.1.4.RELEASE.jar:5.1.4.RELEASE]
    at org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction.populateDefaultOAuth2AuthorizedClient(ServletOAuth2AuthorizedClientExchangeFilterFunction.java:364) ~[spring-security-oauth2-client-5.1.4.RELEASE.jar:5.1.4.RELEASE]
    at org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction.lambda$null$2(ServletOAuth2AuthorizedClientExchangeFilterFunction.java:209) ~[spring-security-oauth2-client-5.1.4.RELEASE.jar:5.1.4.RELEASE]
    at org.springframework.web.reactive.function.client.DefaultWebClient$DefaultRequestBodyUriSpec.attributes(DefaultWebClient.java:234) ~[spring-webflux-5.1.5.RELEASE.jar:5.1.5.RELEASE]
    at org.springframework.web.reactive.function.client.DefaultWebClient$DefaultRequestBodyUriSpec.attributes(DefaultWebClient.java:153) ~[spring-webflux-5.1.5.RELEASE.jar:5.1.5.RELEASE]

失败的方法看起来像，

public <T extends OAuth2AuthorizedClient> T loadAuthorizedClient(
    String clientRegistrationId,  Authentication principal, HttpServletRequest request){

    Assert.hasText(clientRegistrationId, "clientRegistrationId cannot be empty");
    Assert.notNull(request, "request cannot be null");
    return (OAuth2AuthorizedClient)this
        .getAuthorizedClients(request)
        .get(clientRegistrationId);
}

这是有道理的，因为没有HttpServletRequest可供它使用，它在应用程序启动时被调用。

除了制作我自己的无操作OAuth2AuthorizedClientRepository之外，还有其他解决方法吗？

//编辑，

这不是一个完全反应式的堆栈。 它是一个 Spring Web 堆栈，其中使用了 WebClient。

我很清楚ServerOAuth2AuthorizedClientExchangeFilterFunction它适用于完全反应式堆栈，并且需要ReactiveClientRegistrationRepository和ReactiveOauth2AuthorizedClient这两个不可用，因为这是在 Servlet 堆栈之上构建的应用程序，而不是反应式。

Answer 1

由于我也偶然发现了这个问题，我将详细说明Darren Forsythe 的更新答案，以便其他人更容易找到：

OP 提交的问题导致OAuth2AuthorizedClientManager的实现能够

在 HttpServletRequest 上下文之外操作，例如在调度/后台线程和/或服务层中

（ 来自官方文档）

所述实现， AuthorizedClientServiceOAuth2AuthorizedClientManager ，被传递给ServletOAuth2AuthorizedClientExchangeFilterFunction以替换默认的。

在我的示例中，这看起来像这样：

@Bean
public OAuth2AuthorizedClientManager authorizedClientManager(
        ClientRegistrationRepository clientRegistrationRepository,
        OAuth2AuthorizedClientService clientService)
{

    OAuth2AuthorizedClientProvider authorizedClientProvider = 
        OAuth2AuthorizedClientProviderBuilder.builder()
            .clientCredentials()
            .build();

    AuthorizedClientServiceOAuth2AuthorizedClientManager authorizedClientManager = 
        new AuthorizedClientServiceOAuth2AuthorizedClientManager(
            clientRegistrationRepository, clientService);
    authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);

    return authorizedClientManager;
}

@Bean
WebClient webClient(OAuth2AuthorizedClientManager authorizedClientManager)
{
    ServletOAuth2AuthorizedClientExchangeFilterFunction oauth2 =
        new ServletOAuth2AuthorizedClientExchangeFilterFunction(
            authorizedClientManager);
    oauth2.setDefaultClientRegistrationId("keycloak");
    return WebClient.builder().apply(oauth2.oauth2Configuration()).build();
}

Answer 2

我最终向 Spring Security 团队提出了这个问题，

https://github.com/spring-projects/spring-security/issues/6683

不幸的是，如果您在 servlet 堆栈上并在后台线程中使用纯 Spring Security 5 API 调用 OAuth2 资源，则没有可用的 OAuth2AuthorizedClientRepository 。

实际有两种选择，

1. 实现一个完全无操作的版本，

 
 
  
   var oauth2 = new ServletOAuth2AuthorizedClientExchangeFilterFunction(clientRegistrationRepo, new OAuth2AuthorizedClientRepository() { @Override public <T extends OAuth2AuthorizedClient> T loadAuthorizedClient(String s, Authentication authentication, HttpServletRequest httpServletRequest) { return null; } @Override public void saveAuthorizedClient(OAuth2AuthorizedClient oAuth2AuthorizedClient, Authentication authentication, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) { } @Override public void removeAuthorizedClient(String s, Authentication authentication, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) { } });
 
 

2. 实现 UnAuthenticatedServerOAuth2AuthorizedClientRepository的 Servlet 版本。 UnAuthenticatedServerOAuth2AuthorizedClientRepository GitHub 源，它具有一些基本功能而不是纯无操作。

提供有关 GitHub 问题的反馈可能有助于 Spring Security 团队评估接受 PR 并维护 UnAuthenticatedServerOAuth2AuthorizedClientRepository的 Servlet 版本

我联系了 Spring Security 团队Spring Security 问题 6683，然后在 Spring Security 5.2 中添加了ServerOAuth2AuthorizedClientExchangeFilterFunction的 Servlet 版本，用于非 http 线程。