Spring 引導 Oauth2 客戶端（反應式）相互 TLS/SSL 令牌 uri

Question

Spring boot 2.3.x 和 Spring 5.x 最近添加了對基於WebClient class 配置響應式 oauth2 客戶端的支持。

我需要客戶端憑據授予流程配置

在沒有 Mutual TLS/SSL 的情況下進行此調用非常簡單。

正常（沒有 TLS/SSL）配置（ @Configuration ）代碼提取如下：-

@Bean
public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
        ReactiveClientRegistrationRepository clientRegistrationRepository,
        ServerOAuth2AuthorizedClientRepository authorizedClientRepository){

    ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
            .clientCredentials()
            .build();

    DefaultReactiveOAuth2AuthorizedClientManager authorizedClientManager = new DefaultReactiveOAuth2AuthorizedClientManager(clientRegistrationRepository, authorizedClientRepository);

    authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
    return authorizedClientManager;
}

@Bean("testClient")
public WebClient webClient(ReactiveOAuth2AuthorizedClientManager authorizedClientManager,
                           @Value("${test.client.base.url}") String baseUrl) {
    ServerOAuth2AuthorizedClientExchangeFilterFunction oauthFunction = new ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager);
    oauthFunction.setDefaultClientRegistrationId("local");
    return WebClient.builder()
            .baseUrl(baseUrl)
            .filter(oauthFunction)
            .build();
}

@Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
    http.oauth2Client();
    return http.build();
}

屬性文件

spring.security.oauth2.client.registration.local.authorization-grant-type=client_credentials
spring.security.oauth2.client.registration.local.client-id=client_id
spring.security.oauth2.client.registration.local.client-secret=client_secret

spring.security.oauth2.client.provider.local.token-uri=http://hostname:port/oauth/token
test.client.base.url=http://protected-resource/v1/apis

但是通過 Mutual TLS（客戶端證書）調用 oauth2 授權服務器是一件大事。

怎么做？ 我想與社區分享相同的內容，並在下面自己回答

Answer 1

需求的答案和主要變化將在bean authorizedClientManager中

答案的 scope 是客戶端憑據授予流程，盡管其他 oauth2 授予流程的更改應該相似，這也將有所幫助。

@Bean
public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
        ReactiveClientRegistrationRepository clientRegistrationRepository,
        ServerOAuth2AuthorizedClientRepository authorizedClientRepository){

    // construct client credential token response client yourself
    WebClientReactiveClientCredentialsTokenResponseClient accessTokenResponseClient = new WebClientReactiveClientCredentialsTokenResponseClient();

    // construct the sslContext as per your needs and inject in below
    // and create httpClient by injecting your sslContext here
    HttpClient httpClient = HttpClient.create()
            .tcpConfiguration(client -> client.option(ChannelOption.CONNECT_TIMEOUT_MILLIS, 10000))
            .secure(sslContextSpec -> sslContextSpec.sslContext(sslContext));

    ClientHttpConnector httpConnector = new ReactorClientHttpConnector(httpClient);

    accessTokenResponseClient.setWebClient(WebClient.builder().clientConnector(httpConnector).build());

    ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder
            .builder()
            .clientCredentials(c -> {
                c.accessTokenResponseClient(accessTokenResponseClient);
            }).build();

    DefaultReactiveOAuth2AuthorizedClientManager authorizedClientManager = new DefaultReactiveOAuth2AuthorizedClientManager(clientRegistrationRepository, authorizedClientRepository);

    authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
    return authorizedClientManager;
}

在這里，如果您看到.secure(sslContextSpec -> sslContextSpec.sslContext(sslContext));

您需要構建 sslContext 並注入相同的內容，這完全取決於您的代碼設置。

有關詳細代碼和說明，您可以 go 到此處的鏈接