Spring Boot Sping Boot 向ServerOAuth2AuthorizedClientExchangeFilterFunction中的WebClient请求添加附加属性

hof1towb  于 2023-11-17  发布在  Spring
关注(0)|答案(5)|浏览(153)

我正在尝试实现client_credentials grant以在我的spring Boot 资源服务器中获取token。我使用Auth 0作为授权服务器。他们似乎需要在请求主体中添加一个额外的参数,称为audience。
我已经尝试通过postman完成请求,并且成功了。我现在正在尝试在Spring中重现它。

  1. curl -X POST \
  2.   https://XXX.auth0.com/oauth/token \
  3.   -H 'Content-Type: application/x-www-form-urlencoded' \
  4.   -d 'grant_type=client_credentials&audience=https%3A%2F%2Fxxxxx.auth0.com%2Fapi%2Fv2%2F&client_id=SOME_CLIENT_ID&client_secret=SOME_CLIENT_SECRET'

字符串
我面临的问题是,我没有办法将缺少的受众参数添加到令牌请求中。
我在我的application.yml中定义了一个配置

  1. client:
  2.     provider:
  3.       auth0:
  4.         issuer-uri: https://XXXX.auth0.com//
  5.     registration:
  6.       auth0-client:
  7.         provider: auth0
  8.         client-id: Client
  9.         client-secret: Secret
  10.         authorization_grant_type: client_credentials
  11.       auth0:
  12.         client-id: Client
  13.         client-secret: Secret


我有这样配置的Web客户端过滤器。

  1. @Bean
  2. WebClient webClient(ReactiveClientRegistrationRepository clientRegistrations,
  3.                     ServerOAuth2AuthorizedClientRepository authorizedClients) {
  4.     ServerOAuth2AuthorizedClientExchangeFilterFunction oauth2 = new ServerOAuth2AuthorizedClientExchangeFilterFunction(
  5.             clientRegistrations, authorizedClients);
  6.     oauth2.setDefaultClientRegistrationId("auth0");
  7.     return WebClient.builder()
  8.             .filter(oauth2)
  9.             .build();
  10. }


我注入示例,并试图做一个请求,以获得用户通过电子邮件

  1. return this.webClient.get()
  2.             .uri(this.usersUrl + "/api/v2/users-by-email?email={email}", email)
  3.             .attributes(auth0ClientCredentials())
  4.             .retrieve()
  5.             .bodyToMono(User.class);


据我所知,过滤器拦截了这个userByEmail请求,在执行它之前,它试图执行/oauth/token请求以获取JWT承载令牌,它可以附加到第一个令牌并执行它。
有没有一种方法来添加一个参数到过滤器?它一直非常困难,通过它,并找出确切的参数被附加,因为它的React和我在这方面相当新。甚至一些指针,在哪里看会有帮助。

spring-boot

5条答案

按热度按时间
ttisahbt

ttisahbt1#

我遇到了同样的问题,访问令牌响应和请求不符合oAuth2标准。下面是我的代码(它在Kotlin中,但对于java开发人员来说也应该是可以理解的),用于spring Boot 版本2.3.6.RELEASE。Gradle依赖项:

  1. implementation(enforcedPlatform("org.springframework.boot:spring-boot-dependencies:${springBootVersion}"))
  2. implementation("org.springframework.boot:spring-boot-starter-webflux")
  3. implementation("org.springframework.boot:spring-boot-starter-oauth2-client")

字符串
在添加它们之后,你必须首先创建你的自定义令牌请求/响应客户端,它将实现ReactiveOAuth2AccessTokenResponseClient接口:

  1. class CustomTokenResponseClient : ReactiveOAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> {
  3.     private val webClient = WebClient.builder().build()
  5.     override fun getTokenResponse(
  6.             authorizationGrantRequest: OAuth2ClientCredentialsGrantRequest
  7.     ): Mono<OAuth2AccessTokenResponse> =
  8.             webClient.post()
  9.                     .uri(authorizationGrantRequest.clientRegistration.providerDetails.tokenUri)
  10.                     .header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE)
  11.                     .bodyValue(CustomTokenRequest(
  12.                             clientId = authorizationGrantRequest.clientRegistration.clientId,
  13.                             clientSecret = authorizationGrantRequest.clientRegistration.clientSecret
  14.                     ))
  15.                     .exchange()
  16.                     .flatMap { it.bodyToMono<NotStandardTokenResponse>() }
  17.                     .map { it.toOAuth2AccessTokenResponse() }
  19.     private fun NotStandardTokenResponse.toOAuth2AccessTokenResponse() = OAuth2AccessTokenResponse
  20.             .withToken(this.accessToken)
  21.             .refreshToken(this.refreshToken)
  22.             .expiresIn(convertExpirationDateToDuration(this.data.expires).toSeconds())
  23.             .tokenType(OAuth2AccessToken.TokenType.BEARER)
  24.             .build()
  26. }


正如您在上面看到的,在这个类中,您可以根据您的特定需求调整令牌请求/响应处理。
注意事项:getTokenResponse方法中的authorizationGrantRequest参数。Spring在这里传递来自应用程序属性的数据,因此在定义它们时遵循标准,例如,它们可能看起来像这样:

  1. spring:
  2.   security:
  3.     oauth2:
  4.       client:
  5.         registration:
  6.           name-for-oauth-integration:
  7.             authorization-grant-type: client_credentials
  8.             client-id: id
  9.             client-secret: secret
  10.         provider:
  11.           name-for-oauth-integration:
  12.             token-uri: https://oauth.com/token


最后一步是在oAuth2配置中使用CustomTokenResponseClient,它可能看起来像这样:

  1. @Configuration
  2. class CustomOAuth2Configuration {
  4.     @Bean
  5.     fun customOAuth2WebWebClient(clientRegistrations: ReactiveClientRegistrationRepository): WebClient {
  6.         val clientRegistryRepo = InMemoryReactiveClientRegistrationRepository(
  7.                 clientRegistrations.findByRegistrationId("name-for-oauth-integration").block()
  8.         )
  9.         val clientService = InMemoryReactiveOAuth2AuthorizedClientService(clientRegistryRepo)
  11.         val authorizedClientManager =
  12.                 AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager(clientRegistryRepo, clientService)
  13.         val authorizedClientProvider = ClientCredentialsReactiveOAuth2AuthorizedClientProvider()
  14.         authorizedClientProvider.setAccessTokenResponseClient(CustomTokenResponseClient())
  15.         authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
  17.         val oauthFilter = ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager)
  18.         oauthFilter.setDefaultClientRegistrationId("name-for-oauth-integration")
  20.         return WebClient.builder()
  21.                 .filter(oauthFilter)
  22.                 .build()
  23.     }
  25. }

展开查看全部
赞(0)分享  回复(0)举报  2023-11-17
b4qexyjb

b4qexyjb2#

现在,这是可能的,但不是优雅的。
请注意,您可以为ServerOAuth2AuthorizedClientExchangeFilterFunction提供自定义的ReactiveOAuth2AccessTokenResponseClient
您可以通过复制WebClientReactiveClientCredentialsTokenResponseClient的内容来创建自己的实现,从而添加所需的任何其他参数。
也就是说,如果有一个setter来使其更方便,那就更好了。

赞(0)分享  回复(0)举报  2023-11-17
igetnqfo

igetnqfo3#

下面是我在进一步调查后发现的。我的问题中描述的代码永远不会调用client_credentials并适合我的用例。我认为(不是100%确定)如果我试图在微服务架构中的多个服务中传播用户提交的令牌,它将在未来非常有用。像这样的动作链浮现在脑海中:
用户调用服务A ->服务A调用服务B ->服务B响应->服务A响应用户请求。
并使用相同的令牌开始与通过整个过程。

我的用例解决方案:

我所做的是在很大程度上基于原始类创建一个新的Filter类,并在执行请求之前执行一个步骤,检查是否存储了可用于Auth 0 Management API的JWT令牌。如果没有,我构建client_credentials grant请求并获取一个,然后把这个token作为一个bearer附加到初始请求上,然后执行那个请求。我还在-内存缓存机制,以便如果令牌有效,以后的任何其他请求都将使用它。

过滤器

  1. public class Auth0ClientCredentialsGrantFilterFunction implements ExchangeFilterFunction {
  3.     private ReactiveClientRegistrationRepository clientRegistrationRepository;
  5.     /**
  6.      * Required by auth0 when requesting a client credentials token
  7.      */
  8.     private String audience;
  10.     private String clientRegistrationId;
  12.     private Auth0InMemoryAccessTokenStore auth0InMemoryAccessTokenStore;
  14.     public Auth0ClientCredentialsGrantFilterFunction(ReactiveClientRegistrationRepository clientRegistrationRepository,
  15.                                                      String clientRegistrationId,
  16.                                                      String audience) {
  17.         this.clientRegistrationRepository = clientRegistrationRepository;
  18.         this.audience = audience;
  19.         this.clientRegistrationId = clientRegistrationId;
  20.         this.auth0InMemoryAccessTokenStore = new Auth0InMemoryAccessTokenStore();
  21.     }
  23.     public void setAuth0InMemoryAccessTokenStore(Auth0InMemoryAccessTokenStore auth0InMemoryAccessTokenStore) {
  24.         this.auth0InMemoryAccessTokenStore = auth0InMemoryAccessTokenStore;
  25.     }
  27.     @Override
  28.     public Mono<ClientResponse> filter(ClientRequest request, ExchangeFunction next) {
  29.         return auth0ClientCredentialsToken(next)
  30.                 .map(token -> bearer(request, token.getTokenValue()))
  31.                 .flatMap(next::exchange)
  32.                 .switchIfEmpty(next.exchange(request));
  33.     }
  35.     private Mono<OAuth2AccessToken> auth0ClientCredentialsToken(ExchangeFunction next) {
  36.         return Mono.defer(this::loadClientRegistration)
  37.                 .map(clientRegistration -> new ClientCredentialsRequest(clientRegistration, audience))
  38.                 .flatMap(request -> this.auth0InMemoryAccessTokenStore.retrieveToken()
  39.                         .switchIfEmpty(refreshAuth0Token(request, next)));
  40.     }
  42.     private Mono<OAuth2AccessToken> refreshAuth0Token(ClientCredentialsRequest clientCredentialsRequest, ExchangeFunction next) {
  43.         ClientRegistration clientRegistration = clientCredentialsRequest.getClientRegistration();
  44.         String tokenUri = clientRegistration
  45.                 .getProviderDetails().getTokenUri();
  46.         ClientRequest clientCredentialsTokenRequest = ClientRequest.create(HttpMethod.POST, URI.create(tokenUri))
  47.                 .header(HttpHeaders.ACCEPT, MediaType.APPLICATION_JSON_VALUE)
  48.                 .body(clientCredentialsTokenBody(clientCredentialsRequest))
  49.                 .build();
  50.         return next.exchange(clientCredentialsTokenRequest)
  51.                 .flatMap(response -> response.body(oauth2AccessTokenResponse()))
  52.                 .map(OAuth2AccessTokenResponse::getAccessToken)
  53.                 .doOnNext(token -> this.auth0InMemoryAccessTokenStore.storeToken(token));
  54.     }
  56.     private static BodyInserters.FormInserter<String> clientCredentialsTokenBody(ClientCredentialsRequest clientCredentialsRequest) {
  57.         ClientRegistration clientRegistration = clientCredentialsRequest.getClientRegistration();
  58.         return BodyInserters
  59.                 .fromFormData("grant_type", AuthorizationGrantType.CLIENT_CREDENTIALS.getValue())
  60.                 .with("client_id", clientRegistration.getClientId())
  61.                 .with("client_secret", clientRegistration.getClientSecret())
  62.                 .with("audience", clientCredentialsRequest.getAudience());
  63.     }
  65.     private Mono<ClientRegistration> loadClientRegistration() {
  66.         return Mono.just(clientRegistrationId)
  67.                 .flatMap(r -> clientRegistrationRepository.findByRegistrationId(r));
  68.     }
  70.     private ClientRequest bearer(ClientRequest request, String token) {
  71.         return ClientRequest.from(request)
  72.                 .headers(headers -> headers.setBearerAuth(token))
  73.                 .build();
  74.     }
  76.     static class ClientCredentialsRequest {
  77.         private final ClientRegistration clientRegistration;
  78.         private final String audience;
  80.         public ClientCredentialsRequest(ClientRegistration clientRegistration, String audience) {
  81.             this.clientRegistration = clientRegistration;
  82.             this.audience = audience;
  83.         }
  85.         public ClientRegistration getClientRegistration() {
  86.             return clientRegistration;
  87.         }
  89.         public String getAudience() {
  90.             return audience;
  91.         }
  92.     }
  94. }

字符串

代币存储

  1. public class Auth0InMemoryAccessTokenStore implements ReactiveInMemoryAccessTokenStore {
  3.     private AtomicReference<OAuth2AccessToken> token = new AtomicReference<>();
  4.     private Clock clock = Clock.systemUTC();
  5.     private Duration accessTokenExpiresSkew = Duration.ofMinutes(1);
  7.     public Auth0InMemoryAccessTokenStore() {
  8.     }
  10.     @Override
  11.     public Mono<OAuth2AccessToken> retrieveToken() {
  12.         return Mono.justOrEmpty(token.get())
  13.                 .filter(Objects::nonNull)
  14.                 .filter(token -> token.getExpiresAt() != null)
  15.                 .filter(token -> {
  16.                     Instant now = this.clock.instant();
  17.                     Instant expiresAt = token.getExpiresAt();
  18.                     if (now.isBefore(expiresAt.minus(this.accessTokenExpiresSkew))) {
  19.                         return true;
  20.                     }
  21.                     return false;
  22.                 });
  23.     }
  25.     @Override
  26.     public Mono<Void> storeToken(OAuth2AccessToken token) {
  27.         this.token.set(token);
  28.         return Mono.empty();
  29.     }
  30. }

令牌存储接口

  1. public interface ReactiveInMemoryAccessTokenStore {
  2.     Mono<OAuth2AccessToken> retrieveToken();
  4.     Mono<Void> storeToken(OAuth2AccessToken token);
  5. }


最后定义并使用这些bean。

  1. @Bean
  2.     public Auth0ClientCredentialsGrantFilterFunction auth0FilterFunction(ReactiveClientRegistrationRepository clientRegistrations,
  3.                                                                          @Value("${auth0.client-registration-id}") String clientRegistrationId,
  4.                                                                          @Value("${auth0.audience}") String audience) {
  5.         return new Auth0ClientCredentialsGrantFilterFunction(clientRegistrations, clientRegistrationId, audience);
  6.     }
  8.     @Bean(name = "auth0-webclient")
  9.     WebClient webClient(Auth0ClientCredentialsGrantFilterFunction filter) {
  10.         return WebClient.builder()
  11.                 .filter(filter)
  12.                 .build();
  13.     }


此时令牌存储有一个小问题,因为client_credentials令牌请求将在同时到来的并行请求上执行多个,但我可以在可预见的未来接受这一点。

展开查看全部
赞(0)分享  回复(0)举报  2023-11-17
fhity93d

fhity93d4#

您的application.yml缺少一个变量:client-authentication-method:post
应该是这样的:

  1. spring:
  2.  security:
  3.   oauth2:
  4.    client:
  5.     provider:
  6.      auth0-client:
  7.       token-uri: https://XXXX.auth0.com//
  8.     registration:
  9.      auth0-client:
  10.       client-id: Client
  11.       client-secret: Secret
  12.       authorization_grant_type: client_credentials
  13.       client-authentication-method: post

字符串
如果没有它,我总是得到“invalid_client”的响应。
在Spring罩2.7.2中进行测试

展开查看全部
赞(0)分享  回复(0)举报  2023-11-17
k2arahey

k2arahey5#

还有另一种方法可以解决这个问题。如果对auth0.com API的client_credentials令牌请求在请求主体中不包括audience字段,那么auth0.com将默认为https://jwtresourceapi。因此,为了能够使用WebClient,上面@DArkO提供的(令人惊叹的)解决方案,您可以在https://jwtresourceapi的受众中使用auth0.com创建所有API。
我不知道你还需要什么,但我所做的只是在auth0.com中定义一个API,我可以有多个应用程序。只要应用程序在API的机器对机器应用程序中被授权,它就可以工作。
请记住,auth0.com只是一个开发者的Playground,我不会用它来创建生产就绪的应用程序。
PS>我还必须在配置文件中包含authorization-grant-type: client_credentials,尽管配置bean示例说我不需要它。也许我稍后会弄清楚,但现在这是有效的。

赞(0)分享  回复(0)举报  2023-11-17
我来回答

相关问题

    查看更多

    热门标签

    更多
    JavaquerypythonNode开发语言requestUtil数据库Table后端算法LoggerMessageElementParser

    最新问答

    更多
    • 蜀ICP备13028337号-1 大数据知识库 https://www.saoniuhuo.com © All rights reserved
    • 本站内容来源互联网,如果侵犯您的权益请联系我们删除, 联系方式:448109455@qq.com