Spring 引导 Oauth2 客户端(反应式)相互 TLS/SSL 令牌 uri
Spring Boot Oauth2 Client(Reactive) Mutual TLS/SSL token uri
Spring boot 2.3.x 和 Spring 5.x 最近添加了对配置反应式 oauth2 客户端的支持基于 WebClient class.
我有客户端凭据授权流程配置的要求
在没有 Mutual 的情况下进行此调用 TLS/SSL 非常安静。
普通(无TLS/SSL)配置(@Configuration
)代码摘录如下:-
@Bean
public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
ReactiveClientRegistrationRepository clientRegistrationRepository,
ServerOAuth2AuthorizedClientRepository authorizedClientRepository){
ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.clientCredentials()
.build();
DefaultReactiveOAuth2AuthorizedClientManager authorizedClientManager = new DefaultReactiveOAuth2AuthorizedClientManager(clientRegistrationRepository, authorizedClientRepository);
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
return authorizedClientManager;
}
@Bean("testClient")
public WebClient webClient(ReactiveOAuth2AuthorizedClientManager authorizedClientManager,
@Value("${test.client.base.url}") String baseUrl) {
ServerOAuth2AuthorizedClientExchangeFilterFunction oauthFunction = new ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager);
oauthFunction.setDefaultClientRegistrationId("local");
return WebClient.builder()
.baseUrl(baseUrl)
.filter(oauthFunction)
.build();
}
@Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
http.oauth2Client();
return http.build();
}
属性文件
spring.security.oauth2.client.registration.local.authorization-grant-type=client_credentials
spring.security.oauth2.client.registration.local.client-id=client_id
spring.security.oauth2.client.registration.local.client-secret=client_secret
spring.security.oauth2.client.provider.local.token-uri=http://hostname:port/oauth/token
test.client.base.url=http://protected-resource/v1/apis
但是通过双向 TLS(客户端证书)调用 oauth2 授权服务器是一件大事。
怎么做?我想与社区分享相同的内容,并在下面自己回答相同的问题
需求的答案和主要变化将在 bean 中 authorizedClientManager
答案的范围仅是客户端凭据授权流程,尽管对其他 oauth2 授权流程的更改应该类似,这也会有所帮助。
@Bean
public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
ReactiveClientRegistrationRepository clientRegistrationRepository,
ServerOAuth2AuthorizedClientRepository authorizedClientRepository){
// construct client credential token response client yourself
WebClientReactiveClientCredentialsTokenResponseClient accessTokenResponseClient = new WebClientReactiveClientCredentialsTokenResponseClient();
// construct the sslContext as per your needs and inject in below
// and create httpClient by injecting your sslContext here
HttpClient httpClient = HttpClient.create()
.tcpConfiguration(client -> client.option(ChannelOption.CONNECT_TIMEOUT_MILLIS, 10000))
.secure(sslContextSpec -> sslContextSpec.sslContext(sslContext));
ClientHttpConnector httpConnector = new ReactorClientHttpConnector(httpClient);
accessTokenResponseClient.setWebClient(WebClient.builder().clientConnector(httpConnector).build());
ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder
.builder()
.clientCredentials(c -> {
c.accessTokenResponseClient(accessTokenResponseClient);
}).build();
DefaultReactiveOAuth2AuthorizedClientManager authorizedClientManager = new DefaultReactiveOAuth2AuthorizedClientManager(clientRegistrationRepository, authorizedClientRepository);
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
return authorizedClientManager;
}
如果您在此处看到 .secure(sslContextSpec -> sslContextSpec.sslContext(sslContext));
行
您需要构建 sslContext 并注入它,这完全取决于您的代码设置。
有关详细代码和说明,您可以转到 link here
Spring boot 2.3.x 和 Spring 5.x 最近添加了对配置反应式 oauth2 客户端的支持基于 WebClient class.
我有客户端凭据授权流程配置的要求
在没有 Mutual 的情况下进行此调用 TLS/SSL 非常安静。
普通(无TLS/SSL)配置(@Configuration
)代码摘录如下:-
@Bean
public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
ReactiveClientRegistrationRepository clientRegistrationRepository,
ServerOAuth2AuthorizedClientRepository authorizedClientRepository){
ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.clientCredentials()
.build();
DefaultReactiveOAuth2AuthorizedClientManager authorizedClientManager = new DefaultReactiveOAuth2AuthorizedClientManager(clientRegistrationRepository, authorizedClientRepository);
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
return authorizedClientManager;
}
@Bean("testClient")
public WebClient webClient(ReactiveOAuth2AuthorizedClientManager authorizedClientManager,
@Value("${test.client.base.url}") String baseUrl) {
ServerOAuth2AuthorizedClientExchangeFilterFunction oauthFunction = new ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager);
oauthFunction.setDefaultClientRegistrationId("local");
return WebClient.builder()
.baseUrl(baseUrl)
.filter(oauthFunction)
.build();
}
@Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
http.oauth2Client();
return http.build();
}
属性文件
spring.security.oauth2.client.registration.local.authorization-grant-type=client_credentials
spring.security.oauth2.client.registration.local.client-id=client_id
spring.security.oauth2.client.registration.local.client-secret=client_secret
spring.security.oauth2.client.provider.local.token-uri=http://hostname:port/oauth/token
test.client.base.url=http://protected-resource/v1/apis
但是通过双向 TLS(客户端证书)调用 oauth2 授权服务器是一件大事。
怎么做?我想与社区分享相同的内容,并在下面自己回答相同的问题
需求的答案和主要变化将在 bean 中 authorizedClientManager
答案的范围仅是客户端凭据授权流程,尽管对其他 oauth2 授权流程的更改应该类似,这也会有所帮助。
@Bean
public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
ReactiveClientRegistrationRepository clientRegistrationRepository,
ServerOAuth2AuthorizedClientRepository authorizedClientRepository){
// construct client credential token response client yourself
WebClientReactiveClientCredentialsTokenResponseClient accessTokenResponseClient = new WebClientReactiveClientCredentialsTokenResponseClient();
// construct the sslContext as per your needs and inject in below
// and create httpClient by injecting your sslContext here
HttpClient httpClient = HttpClient.create()
.tcpConfiguration(client -> client.option(ChannelOption.CONNECT_TIMEOUT_MILLIS, 10000))
.secure(sslContextSpec -> sslContextSpec.sslContext(sslContext));
ClientHttpConnector httpConnector = new ReactorClientHttpConnector(httpClient);
accessTokenResponseClient.setWebClient(WebClient.builder().clientConnector(httpConnector).build());
ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder
.builder()
.clientCredentials(c -> {
c.accessTokenResponseClient(accessTokenResponseClient);
}).build();
DefaultReactiveOAuth2AuthorizedClientManager authorizedClientManager = new DefaultReactiveOAuth2AuthorizedClientManager(clientRegistrationRepository, authorizedClientRepository);
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
return authorizedClientManager;
}
如果您在此处看到 .secure(sslContextSpec -> sslContextSpec.sslContext(sslContext));
您需要构建 sslContext 并注入它,这完全取决于您的代码设置。
有关详细代码和说明,您可以转到 link here