核心接口 / 类

ClientRegistration

ClientRegistration 表示在 OAuth 2.0 或 OpenID Connect 1.0 Provider 注册的客户端。

客户端注册包含的信息,例如 client id, client secret, authorization grant type, redirect URI, scope(s), authorization URI, token URI 等详细信息。

ClientRegistration 及其属性定义如下

public final class ClientRegistration {
	private String registrationId;	(1)
	private String clientId;	(2)
	private String clientSecret;	(3)
	private ClientAuthenticationMethod clientAuthenticationMethod;	(4)
	private AuthorizationGrantType authorizationGrantType;	(5)
	private String redirectUri;	(6)
	private Set<String> scopes;	(7)
	private ProviderDetails providerDetails;
	private String clientName;	(8)

	public class ProviderDetails {
		private String authorizationUri;	(9)
		private String tokenUri;	(10)
		private UserInfoEndpoint userInfoEndpoint;
		private String jwkSetUri;	(11)
		private String issuerUri;	(12)
		private Map<String, Object> configurationMetadata;  (13)

		public class UserInfoEndpoint {
			private String uri;	(14)
			private AuthenticationMethod authenticationMethod;  (15)
			private String userNameAttributeName;	(16)

		}
	}
}
1 registrationId: 唯一标识 ClientRegistration 的 ID。
2 clientId: 客户端标识符。
3 clientSecret: 客户端密钥。
4 clientAuthenticationMethod: 用于客户端向 Provider 进行认证的方法。支持的值有 client_secret_basic, client_secret_post, private_key_jwt, client_secret_jwtnone (公共客户端)
5 authorizationGrantType: OAuth 2.0 授权框架定义了四种 授权许可 (Authorization Grant) 类型。支持的值有 authorization_code, client_credentials, password,以及扩展许可类型 urn:ietf:params:oauth:grant-type:jwt-bearer
6 redirectUri: 客户端注册的重定向 URI,在终端用户认证并授权客户端访问后,授权服务器 将终端用户的用户代理重定向到此 URI。
7 scopes: 在授权请求流程中客户端请求的作用域,例如 openid, email, 或 profile。
8 clientName: 用于客户端的描述性名称。该名称可以在某些场景下使用,例如在自动生成的登录页中显示客户端名称。
9 authorizationUri: 授权服务器的授权端点 URI。
10 tokenUri: 授权服务器的令牌端点 URI。
11 jwkSetUri: 用于从授权服务器检索 JSON Web Key (JWK) Set 的 URI,其中包含用于验证 ID Token 的 JSON Web Signature (JWS) 以及可选的 UserInfo Response 的加密密钥。
12 issuerUri: 返回 OpenID Connect 1.0 provider 或 OAuth 2.0 Authorization Server 的颁发者标识符 URI。
13 configurationMetadata: OpenID Provider 配置信息。只有在配置了 Spring Boot 属性 spring.security.oauth2.client.provider.[providerId].issuerUri 时,此信息才可用。
14 (userInfoEndpoint)uri: 用于访问已认证终端用户的声明/属性的 UserInfo 端点 URI。
15 (userInfoEndpoint)authenticationMethod: 将访问令牌发送到 UserInfo 端点时使用的认证方法。支持的值有 header, formquery
16 userNameAttributeName: UserInfo Response 中返回的引用终端用户名称或标识符的属性名称。

ClientRegistration 最初可以使用 OpenID Connect Provider 的 配置端点 或授权服务器的 元数据端点 的发现功能进行配置。

ClientRegistrations 提供了便捷的方法来以这种方式配置 ClientRegistration,如下例所示

  • Java

  • Kotlin

ClientRegistration clientRegistration =
	ClientRegistrations.fromIssuerLocation("https://idp.example.com/issuer").build();
val clientRegistration = ClientRegistrations.fromIssuerLocation("https://idp.example.com/issuer").build()

上面的代码将按顺序查询 idp.example.com/issuer/.well-known/openid-configuration,然后是 idp.example.com/.well-known/openid-configuration/issuer,最后是 idp.example.com/.well-known/oauth-authorization-server/issuer,并在第一个返回 200 响应时停止。

作为替代方案,您可以使用 ClientRegistrations.fromOidcIssuerLocation() 仅查询 OpenID Connect Provider 的配置端点。

ReactiveClientRegistrationRepository

ReactiveClientRegistrationRepository 作为 OAuth 2.0 / OpenID Connect 1.0 ClientRegistration 的仓库。

客户端注册信息最终存储并归相关授权服务器所有。此仓库提供了检索存储在授权服务器中的主要客户端注册信息子集的功能。

Spring Boot 自动配置将 spring.security.oauth2.client.registration.[registrationId] 下的每个属性绑定到 ClientRegistration 实例,然后将每个 ClientRegistration 实例组合到 ReactiveClientRegistrationRepository 中。

ReactiveClientRegistrationRepository 的默认实现是 InMemoryReactiveClientRegistrationRepository

自动配置还将 ReactiveClientRegistrationRepository 作为 @Bean 注册到 ApplicationContext 中,以便应用程序在需要时可以进行依赖注入。

以下列表显示了一个示例

  • Java

  • Kotlin

@Controller
public class OAuth2ClientController {

	@Autowired
	private ReactiveClientRegistrationRepository clientRegistrationRepository;

	@GetMapping("/")
	public Mono<String> index() {
		return this.clientRegistrationRepository.findByRegistrationId("okta")
				...
				.thenReturn("index");
	}
}
@Controller
class OAuth2ClientController {

    @Autowired
    private lateinit var clientRegistrationRepository: ReactiveClientRegistrationRepository

    @GetMapping("/")
    fun index(): Mono<String> {
        return this.clientRegistrationRepository.findByRegistrationId("okta")
            ...
            .thenReturn("index")
    }
}

OAuth2AuthorizedClient

OAuth2AuthorizedClient 代表一个授权客户端。当终端用户(资源所有者)授权客户端访问其受保护资源时,该客户端被视为已授权。

OAuth2AuthorizedClient 的作用是将一个 OAuth2AccessToken(和可选的 OAuth2RefreshToken)关联到 ClientRegistration(客户端)和资源所有者,后者是授予授权的 Principal 终端用户。

ServerOAuth2AuthorizedClientRepository / ReactiveOAuth2AuthorizedClientService

ServerOAuth2AuthorizedClientRepository 负责在 Web 请求之间持久化 OAuth2AuthorizedClient。而 ReactiveOAuth2AuthorizedClientService 的主要作用是在应用层面管理 OAuth2AuthorizedClient

从开发人员的角度来看,ServerOAuth2AuthorizedClientRepositoryReactiveOAuth2AuthorizedClientService 提供了查找与客户端关联的 OAuth2AccessToken 的功能,以便用于发起受保护资源请求。

以下列表显示了一个示例

  • Java

  • Kotlin

@Controller
public class OAuth2ClientController {

	@Autowired
	private ReactiveOAuth2AuthorizedClientService authorizedClientService;

	@GetMapping("/")
	public Mono<String> index(Authentication authentication) {
		return this.authorizedClientService.loadAuthorizedClient("okta", authentication.getName())
				.map(OAuth2AuthorizedClient::getAccessToken)
				...
				.thenReturn("index");
	}
}
@Controller
class OAuth2ClientController {

    @Autowired
    private lateinit var authorizedClientService: ReactiveOAuth2AuthorizedClientService

    @GetMapping("/")
    fun index(authentication: Authentication): Mono<String> {
        return this.authorizedClientService.loadAuthorizedClient<OAuth2AuthorizedClient>("okta", authentication.name)
            .map { it.accessToken }
            ...
            .thenReturn("index")
    }
}

Spring Boot 自动配置会在 ApplicationContext 中注册一个 ServerOAuth2AuthorizedClientRepository 和/或 ReactiveOAuth2AuthorizedClientService @Bean。然而,应用程序可以选择覆盖并注册自定义的 ServerOAuth2AuthorizedClientRepositoryReactiveOAuth2AuthorizedClientService @Bean

ReactiveOAuth2AuthorizedClientService 的默认实现是 InMemoryReactiveOAuth2AuthorizedClientService,它将 OAuth2AuthorizedClient 存储在内存中。

另外,可以配置 R2DBC 实现 R2dbcReactiveOAuth2AuthorizedClientServiceOAuth2AuthorizedClient 持久化到数据库中。

R2dbcReactiveOAuth2AuthorizedClientService 依赖于 OAuth 2.0 Client Schema 中描述的表定义。

ReactiveOAuth2AuthorizedClientManager / ReactiveOAuth2AuthorizedClientProvider

ReactiveOAuth2AuthorizedClientManager 负责 OAuth2AuthorizedClient 的整体管理。

主要职责包括

  • 使用 ReactiveOAuth2AuthorizedClientProvider 授权(或重新授权)OAuth 2.0 客户端。

  • 委托 OAuth2AuthorizedClient 的持久化,通常使用 ReactiveOAuth2AuthorizedClientServiceServerOAuth2AuthorizedClientRepository

  • 当 OAuth 2.0 客户端成功授权(或重新授权)时,委托给 ReactiveOAuth2AuthorizationSuccessHandler

  • 当 OAuth 2.0 客户端授权(或重新授权)失败时,委托给 ReactiveOAuth2AuthorizationFailureHandler

ReactiveOAuth2AuthorizedClientProvider 实现了一种授权(或重新授权)OAuth 2.0 客户端的策略。实现通常会实现某种授权许可类型,例如 authorization_code, client_credentials 等。

ReactiveOAuth2AuthorizedClientManager 的默认实现是 DefaultReactiveOAuth2AuthorizedClientManager,它关联了一个 ReactiveOAuth2AuthorizedClientProvider,该 Provider 可以使用基于委托的复合模式支持多种授权许可类型。可以使用 ReactiveOAuth2AuthorizedClientProviderBuilder 配置和构建基于委托的复合。

以下代码展示了如何配置和构建一个支持 authorization_code, refresh_token, client_credentialspassword 授权许可类型的 ReactiveOAuth2AuthorizedClientProvider 复合

  • Java

  • Kotlin

@Bean
public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
		ReactiveClientRegistrationRepository clientRegistrationRepository,
		ServerOAuth2AuthorizedClientRepository authorizedClientRepository) {

	ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
			ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
					.authorizationCode()
					.refreshToken()
					.clientCredentials()
					.password()
					.build();

	DefaultReactiveOAuth2AuthorizedClientManager authorizedClientManager =
			new DefaultReactiveOAuth2AuthorizedClientManager(
					clientRegistrationRepository, authorizedClientRepository);
	authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);

	return authorizedClientManager;
}
@Bean
fun authorizedClientManager(
        clientRegistrationRepository: ReactiveClientRegistrationRepository,
        authorizedClientRepository: ServerOAuth2AuthorizedClientRepository): ReactiveOAuth2AuthorizedClientManager {
    val authorizedClientProvider: ReactiveOAuth2AuthorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
            .authorizationCode()
            .refreshToken()
            .clientCredentials()
            .password()
            .build()
    val authorizedClientManager = DefaultReactiveOAuth2AuthorizedClientManager(
            clientRegistrationRepository, authorizedClientRepository)
    authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
    return authorizedClientManager
}

当授权尝试成功时,DefaultReactiveOAuth2AuthorizedClientManager 将委托给 ReactiveOAuth2AuthorizationSuccessHandler,后者(默认情况下)将通过 ServerOAuth2AuthorizedClientRepository 保存 OAuth2AuthorizedClient。如果重新授权失败,例如刷新令牌不再有效,则先前保存的 OAuth2AuthorizedClient 将通过 RemoveAuthorizedClientReactiveOAuth2AuthorizationFailureHandlerServerOAuth2AuthorizedClientRepository 中移除。默认行为可以通过 setAuthorizationSuccessHandler(ReactiveOAuth2AuthorizationSuccessHandler)setAuthorizationFailureHandler(ReactiveOAuth2AuthorizationFailureHandler) 进行自定义。

DefaultReactiveOAuth2AuthorizedClientManager 还关联了一个类型为 Function<OAuth2AuthorizeRequest, Mono<Map<String, Object>>>contextAttributesMapper,它负责将 OAuth2AuthorizeRequest 中的属性映射到与 OAuth2AuthorizationContext 关联的属性 Map 中。当您需要向 ReactiveOAuth2AuthorizedClientProvider 提供必需(支持)的属性时,这会很有用,例如 PasswordReactiveOAuth2AuthorizedClientProvider 要求资源所有者的 usernamepasswordOAuth2AuthorizationContext.getAttributes() 中可用。

以下代码展示了 contextAttributesMapper 的示例

  • Java

  • Kotlin

@Bean
public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
		ReactiveClientRegistrationRepository clientRegistrationRepository,
		ServerOAuth2AuthorizedClientRepository authorizedClientRepository) {

	ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
			ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
					.password()
					.refreshToken()
					.build();

	DefaultReactiveOAuth2AuthorizedClientManager authorizedClientManager =
			new DefaultReactiveOAuth2AuthorizedClientManager(
					clientRegistrationRepository, authorizedClientRepository);
	authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);

	// Assuming the `username` and `password` are supplied as `ServerHttpRequest` parameters,
	// map the `ServerHttpRequest` parameters to `OAuth2AuthorizationContext.getAttributes()`
	authorizedClientManager.setContextAttributesMapper(contextAttributesMapper());

	return authorizedClientManager;
}

private Function<OAuth2AuthorizeRequest, Mono<Map<String, Object>>> contextAttributesMapper() {
	return authorizeRequest -> {
		Map<String, Object> contextAttributes = Collections.emptyMap();
		ServerWebExchange exchange = authorizeRequest.getAttribute(ServerWebExchange.class.getName());
		ServerHttpRequest request = exchange.getRequest();
		String username = request.getQueryParams().getFirst(OAuth2ParameterNames.USERNAME);
		String password = request.getQueryParams().getFirst(OAuth2ParameterNames.PASSWORD);
		if (StringUtils.hasText(username) && StringUtils.hasText(password)) {
			contextAttributes = new HashMap<>();

			// `PasswordReactiveOAuth2AuthorizedClientProvider` requires both attributes
			contextAttributes.put(OAuth2AuthorizationContext.USERNAME_ATTRIBUTE_NAME, username);
			contextAttributes.put(OAuth2AuthorizationContext.PASSWORD_ATTRIBUTE_NAME, password);
		}
		return Mono.just(contextAttributes);
	};
}
@Bean
fun authorizedClientManager(
        clientRegistrationRepository: ReactiveClientRegistrationRepository,
        authorizedClientRepository: ServerOAuth2AuthorizedClientRepository): ReactiveOAuth2AuthorizedClientManager {
    val authorizedClientProvider: ReactiveOAuth2AuthorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
            .password()
            .refreshToken()
            .build()
    val authorizedClientManager = DefaultReactiveOAuth2AuthorizedClientManager(
            clientRegistrationRepository, authorizedClientRepository)
    authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)

    // Assuming the `username` and `password` are supplied as `ServerHttpRequest` parameters,
    // map the `ServerHttpRequest` parameters to `OAuth2AuthorizationContext.getAttributes()`
    authorizedClientManager.setContextAttributesMapper(contextAttributesMapper())
    return authorizedClientManager
}

private fun contextAttributesMapper(): Function<OAuth2AuthorizeRequest, Mono<MutableMap<String, Any>>> {
    return Function { authorizeRequest ->
        var contextAttributes: MutableMap<String, Any> = mutableMapOf()
        val exchange: ServerWebExchange = authorizeRequest.getAttribute(ServerWebExchange::class.java.name)!!
        val request: ServerHttpRequest = exchange.request
        val username: String? = request.queryParams.getFirst(OAuth2ParameterNames.USERNAME)
        val password: String? = request.queryParams.getFirst(OAuth2ParameterNames.PASSWORD)
        if (StringUtils.hasText(username) && StringUtils.hasText(password)) {
            contextAttributes = hashMapOf()

            // `PasswordReactiveOAuth2AuthorizedClientProvider` requires both attributes
            contextAttributes[OAuth2AuthorizationContext.USERNAME_ATTRIBUTE_NAME] = username!!
            contextAttributes[OAuth2AuthorizationContext.PASSWORD_ATTRIBUTE_NAME] = password!!
        }
        Mono.just(contextAttributes)
    }
}

DefaultReactiveOAuth2AuthorizedClientManager 设计用于在 ServerWebExchange 的上下文中使用。当在 ServerWebExchange 上下文之外操作时,请使用 AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager 代替。

服务应用 是使用 AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager 的常见用例。服务应用通常在后台运行,无需任何用户交互,并且通常在系统级账户下运行而非用户账户。配置了 client_credentials 授权许可类型的 OAuth 2.0 客户端可以视为一种服务应用。

以下代码展示了如何配置一个支持 client_credentials 授权许可类型的 AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager 的示例

  • Java

  • Kotlin

@Bean
public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
		ReactiveClientRegistrationRepository clientRegistrationRepository,
		ReactiveOAuth2AuthorizedClientService authorizedClientService) {

	ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
			ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
					.clientCredentials()
					.build();

	AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager authorizedClientManager =
			new AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager(
					clientRegistrationRepository, authorizedClientService);
	authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);

	return authorizedClientManager;
}
@Bean
fun authorizedClientManager(
        clientRegistrationRepository: ReactiveClientRegistrationRepository,
        authorizedClientService: ReactiveOAuth2AuthorizedClientService): ReactiveOAuth2AuthorizedClientManager {
    val authorizedClientProvider: ReactiveOAuth2AuthorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
            .clientCredentials()
            .build()
    val authorizedClientManager = AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager(
            clientRegistrationRepository, authorizedClientService)
    authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
    return authorizedClientManager
}