Skip to content

Instantly share code, notes, and snippets.

@abhi2495

abhi2495/Spring WebFlux Security- Client config - OAuth2.0 Client Credentials Flow.md

Last active October 23, 2024 11:58
Show Gist options
  • Save abhi2495/51ad47394da2effc0fb63f97b3a78e37 to your computer and use it in GitHub Desktop.
Save abhi2495/51ad47394da2effc0fb63f97b3a78e37 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
application.yaml
##################################################################################
##################################################################################
######### IF YOU FOUND THIS GIST USEFUL, PLEASE LEAVE A STAR. THANKS. ############
##################################################################################
##################################################################################
spring:
security:
oauth2:
client:
provider:
<provider-name>:
issuer-uri: <issuer-uri implementing OIDC>
registration:
<provider-name>:
client-id: <client-id>
client-secret: <client-secret>
scope: <comma separated scopes>
authorization-grant-type: client_credentials
OR
spring:
security:
oauth2:
client:
provider:
<provider-name>:
token-uri: <token-uri of provider implementing OIDC>
registration:
<provider-name>:
client-id: <client-id>
client-secret: <client-secret>
scope: <comma separated scopes>
authorization-grant-type: client_credentials
Raw
build.gradle
plugins {
id 'org.springframework.boot' version '2.3.1.RELEASE'
id 'io.spring.dependency-management' version '1.0.9.RELEASE'
id 'java'
}
//Relevant dependencies
dependencies {
implementation 'org.springframework.boot:spring-boot-starter-webflux'
implementation 'org.springframework.boot:spring-boot-starter-oauth2-client'
}
Raw
sample request
webClient.get()
.uri(<protected resource uri which you want to access>)
.attributes(clientRegistrationId(<The Provider name specified under registration in app yaml>))
.retrieve()
.bodyToMono(String.class)
.map(string
-> "Retrieved using Client Credentials Grant Type: " + string)
.subscribe(LOGGER::info);
Raw
Spring WebFlux Security- Client config - OAuth2.0 Client Credentials Flow.md

This gist describes the configuration required for Spring reactive WebClient to make a call to an OAuth2 protected resource through OAuth2.0 Client Credentials Grant Type Flow.

Assumption is that the Authorization Server supports OpenId Connect 1.0 specifications.

Raw
websecurityconfiguration.java
@EnableWebFluxSecurity
public class WebSecurityConfiguration {
@Bean
public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
ReactiveClientRegistrationRepository clientRegistrationRepository,
ReactiveOAuth2AuthorizedClientService authorizedClientService) {
ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.clientCredentials()
.build();
AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager authorizedClientManager =
new AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager(
clientRegistrationRepository, authorizedClientService);
authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
return authorizedClientManager;
}
@Bean
public WebClient webClient(ReactiveOAuth2AuthorizedClientManager authorizedClientManager) {
ServerOAuth2AuthorizedClientExchangeFilterFunction oauth =new ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager);
return WebClient.builder().filter(oauth).build();
}
@Bean
public SecurityWebFilterChain configure(ServerHttpSecurity http) {
return http
.oauth2Client()
.and()
.build();
}
}
@winster
Copy link

winster commented Jul 24, 2020
edited
Loading

done! Without SSL, token is valid though. The problem is that, Resource Server uses http URL for jwt.issuer-uri and it does not match with the URL in the jwt which is https as you rightly pointed out. Simply changing the uri at Resource Server to https, throws SSLHandshakeException. Interestingly, oauth2-client-jose (5.3.3) still uses RestTemplate.
I fixed it by using a (Global) RestTemplate Customizer at Resource Server. But would have been better, if I could build a rest template only for Auth Server.
https://github.com/winster/oauth

@krnbr thanks again. Changing the access token lifespan to 5 minutes, does not generate lot of new sessions at Auth Server

@haydenrear
Copy link

Thanks so much for this! Really helpful.

@rajeevprasanna
Copy link

Can someone help me with this. it is redirecting to relative URL /authorization/{provider} without going through actual redirect link

@sohskd
Copy link

sohskd commented Jun 3, 2021

Hi do you have an example of Spring Cloud Gateway using the Webflux? I have posted a question here https://stackoverflow.com/questions/67801105/spring-cloud-gateway-with-custom-auth-server-client-credentials-flow-with-webcli

@PaoloHi
Copy link

PaoloHi commented Apr 22, 2024

hi , since .oauth2Client() its now actually depracated for Lamabda functions on spring 7 what actually would be the translataion ? or simply would it be obiate it ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment