| ################################################################################## | |
| ################################################################################## | |
| ######### IF YOU FOUND THIS GIST USEFUL, PLEASE LEAVE A STAR. THANKS. ############ | |
| ################################################################################## | |
| ################################################################################## | |
| spring: | |
| security: | |
| oauth2: | |
| client: | |
| provider: | |
| <provider-name>: | |
| issuer-uri: <issuer-uri implementing OIDC> | |
| registration: | |
| <provider-name>: | |
| client-id: <client-id> | |
| client-secret: <client-secret> | |
| scope: <comma separated scopes> | |
| authorization-grant-type: client_credentials | |
| OR | |
| spring: | |
| security: | |
| oauth2: | |
| client: | |
| provider: | |
| <provider-name>: | |
| token-uri: <token-uri of provider implementing OIDC> | |
| registration: | |
| <provider-name>: | |
| client-id: <client-id> | |
| client-secret: <client-secret> | |
| scope: <comma separated scopes> | |
| authorization-grant-type: client_credentials |
| plugins { | |
| id 'org.springframework.boot' version '2.3.1.RELEASE' | |
| id 'io.spring.dependency-management' version '1.0.9.RELEASE' | |
| id 'java' | |
| } | |
| //Relevant dependencies | |
| dependencies { | |
| implementation 'org.springframework.boot:spring-boot-starter-webflux' | |
| implementation 'org.springframework.boot:spring-boot-starter-oauth2-client' | |
| } |
| webClient.get() | |
| .uri(<protected resource uri which you want to access>) | |
| .attributes(clientRegistrationId(<The Provider name specified under registration in app yaml>)) | |
| .retrieve() | |
| .bodyToMono(String.class) | |
| .map(string | |
| -> "Retrieved using Client Credentials Grant Type: " + string) | |
| .subscribe(LOGGER::info); |
This gist describes the configuration required for Spring reactive WebClient to make a call to an OAuth2 protected resource through OAuth2.0 Client Credentials Grant Type Flow.
Assumption is that the Authorization Server supports OpenId Connect 1.0 specifications.
| @EnableWebFluxSecurity | |
| public class WebSecurityConfiguration { | |
| @Bean | |
| public ReactiveOAuth2AuthorizedClientManager authorizedClientManager( | |
| ReactiveClientRegistrationRepository clientRegistrationRepository, | |
| ReactiveOAuth2AuthorizedClientService authorizedClientService) { | |
| ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider = | |
| ReactiveOAuth2AuthorizedClientProviderBuilder.builder() | |
| .clientCredentials() | |
| .build(); | |
| AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager authorizedClientManager = | |
| new AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager( | |
| clientRegistrationRepository, authorizedClientService); | |
| authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider); | |
| return authorizedClientManager; | |
| } | |
| @Bean | |
| public WebClient webClient(ReactiveOAuth2AuthorizedClientManager authorizedClientManager) { | |
| ServerOAuth2AuthorizedClientExchangeFilterFunction oauth =new ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager); | |
| return WebClient.builder().filter(oauth).build(); | |
| } | |
| @Bean | |
| public SecurityWebFilterChain configure(ServerHttpSecurity http) { | |
| return http | |
| .oauth2Client() | |
| .and() | |
| .build(); | |
| } | |
| } |
Do clap on that page. I actually invested time writing that one..
resource server means that the access token's issuer is not matching as per the JWT based access token you are sending, which is the issuer claim configured in the access token.
And it is not matching the issuers allowed in resource server.
I guess one minute is less for the access token..
you should try to increase the expiry, like practically i did a expiry of token for 2 hours and it was working flawlessly.. Do not know the case of AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager
done! Without SSL, token is valid though. The problem is that, Resource Server uses http URL for jwt.issuer-uri and it does not match with the URL in the jwt which is https as you rightly pointed out. Simply changing the uri at Resource Server to https, throws SSLHandshakeException. Interestingly, oauth2-client-jose (5.3.3) still uses RestTemplate.
I fixed it by using a (Global) RestTemplate Customizer at Resource Server. But would have been better, if I could build a rest template only for Auth Server.
https://github.com/winster/oauth
@krnbr thanks again. Changing the access token lifespan to 5 minutes, does not generate lot of new sessions at Auth Server
Thanks so much for this! Really helpful.
Can someone help me with this. it is redirecting to relative URL /authorization/{provider} without going through actual redirect link
Hi do you have an example of Spring Cloud Gateway using the Webflux? I have posted a question here https://stackoverflow.com/questions/67801105/spring-cloud-gateway-with-custom-auth-server-client-credentials-flow-with-webcli
hi , since .oauth2Client() its now actually depracated for Lamabda functions on spring 7 what actually would be the translataion ? or simply would it be obiate it ?
@krnbr, that was very handy. Thanks! Now sslhandshake with auth server is successful and a new token is issued every time. But resource server says 401, logs say
An error occurred while attempting to decode the Jwt: The iss claim is not valid. Debugging on that.Regarding my 4th point, what do you think? How can we make authorizedClientManager to request a new token only if Resource Server says invalid token?