Spring 引导 Oauth2 客户端（反应式）相互 TLS/SSL 令牌 uri

Question

Spring boot 2.3.x 和 Spring 5.x 最近添加了对基于WebClient class 配置响应式 oauth2 客户端的支持。

我需要客户端凭据授予流程配置

在没有 Mutual TLS/SSL 的情况下进行此调用非常简单。

正常（没有 TLS/SSL）配置（ @Configuration ）代码提取如下：-

@Bean
public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
        ReactiveClientRegistrationRepository clientRegistrationRepository,
        ServerOAuth2AuthorizedClientRepository authorizedClientRepository){

    ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
            .clientCredentials()
            .build();

    DefaultReactiveOAuth2AuthorizedClientManager authorizedClientManager = new DefaultReactiveOAuth2AuthorizedClientManager(clientRegistrationRepository, authorizedClientRepository);

    authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
    return authorizedClientManager;
}

@Bean("testClient")
public WebClient webClient(ReactiveOAuth2AuthorizedClientManager authorizedClientManager,
                           @Value("${test.client.base.url}") String baseUrl) {
    ServerOAuth2AuthorizedClientExchangeFilterFunction oauthFunction = new ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager);
    oauthFunction.setDefaultClientRegistrationId("local");
    return WebClient.builder()
            .baseUrl(baseUrl)
            .filter(oauthFunction)
            .build();
}

@Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
    http.oauth2Client();
    return http.build();
}

属性文件

spring.security.oauth2.client.registration.local.authorization-grant-type=client_credentials
spring.security.oauth2.client.registration.local.client-id=client_id
spring.security.oauth2.client.registration.local.client-secret=client_secret

spring.security.oauth2.client.provider.local.token-uri=http://hostname:port/oauth/token
test.client.base.url=http://protected-resource/v1/apis

但是通过 Mutual TLS（客户端证书）调用 oauth2 授权服务器是一件大事。

怎么做？ 我想与社区分享相同的内容，并在下面自己回答

Answer 1

需求的答案和主要变化将在bean authorizedClientManager中

答案的 scope 是客户端凭据授予流程，尽管其他 oauth2 授予流程的更改应该相似，这也将有所帮助。

@Bean
public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
        ReactiveClientRegistrationRepository clientRegistrationRepository,
        ServerOAuth2AuthorizedClientRepository authorizedClientRepository){

    // construct client credential token response client yourself
    WebClientReactiveClientCredentialsTokenResponseClient accessTokenResponseClient = new WebClientReactiveClientCredentialsTokenResponseClient();

    // construct the sslContext as per your needs and inject in below
    // and create httpClient by injecting your sslContext here
    HttpClient httpClient = HttpClient.create()
            .tcpConfiguration(client -> client.option(ChannelOption.CONNECT_TIMEOUT_MILLIS, 10000))
            .secure(sslContextSpec -> sslContextSpec.sslContext(sslContext));

    ClientHttpConnector httpConnector = new ReactorClientHttpConnector(httpClient);

    accessTokenResponseClient.setWebClient(WebClient.builder().clientConnector(httpConnector).build());

    ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder
            .builder()
            .clientCredentials(c -> {
                c.accessTokenResponseClient(accessTokenResponseClient);
            }).build();

    DefaultReactiveOAuth2AuthorizedClientManager authorizedClientManager = new DefaultReactiveOAuth2AuthorizedClientManager(clientRegistrationRepository, authorizedClientRepository);

    authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
    return authorizedClientManager;
}

在这里，如果您看到.secure(sslContextSpec -> sslContextSpec.sslContext(sslContext));

您需要构建 sslContext 并注入相同的内容，这完全取决于您的代码设置。

有关详细代码和说明，您可以 go 到此处的链接