Spring Security 5 Replacement for OAuth2RestTemplate


Question

In spring-security-oauth2:2.4.0.RELEASE, classes such as OAuth2RestTemplate, OAuth2ProtectedResourceDetails and ClientCredentialsAccessTokenProvider have all been marked as deprecated.

From the javadoc on these classes it points to a spring security migration guide that insinuates that people should migrate to the core spring-security 5 project. However, I'm having trouble finding how I would implement my use case in this project.

All of the documentation and examples talk about integrating with a 3rd party OAuth provider if you want incoming requests to your application to be authenticated and you want to use the 3rd party OAuth provider to verify the identity.

In my use case all I want to do is make a request with a RestTemplate to an external service that is protected by OAuth. Currently I create an OAuth2ProtectedResourceDetails with my client id and secret which I pass into an OAuth2RestTemplate. I also have a custom ClientCredentialsAccessTokenProvider added to the OAuth2RestTemplate that just adds some extra headers to the token request that are required by the OAuth provider I'm using.

In the spring-security 5 documentation I've found a section that mentions customising the token request, but again that looks to be in the context of authenticating an incoming request with a 3rd party OAuth provider. It is not clear how you would use this in combination with something like a ClientHttpRequestInterceptor to ensure that each outgoing request to an external service first gets a token and then gets that added to the request.

Also in the migration guide linked above there is reference to an OAuth2AuthorizedClientService which it says is useful for using in interceptors, but again this looks like it relies on things like the ClientRegistrationRepository which seems to be where it maintains registrations for third party providers if you want to use that provider to ensure an incoming request is authenticated.

Is there any way I can make use of the new functionality in spring-security 5 for registering OAuth providers in order to get a token to add to outgoing requests from my application?

Recommended answer

OAuth 2.0 Client features of Spring Security 5.2.x do not support RestTemplate, but only WebClient. See Spring Security Reference:

HTTP Client support

  • WebClient integration for Servlet Environments (for requesting protected resources)

In addition, RestTemplate will be deprecated in a future version. See RestTemplate javadoc:

NOTE: As of 5.0, the non-blocking, reactive org.springframework.web.reactive.client.WebClient offers a modern alternative to the RestTemplate with efficient support for both sync and async, as well as streaming scenarios. The RestTemplate will be deprecated in a future version and will not have major new features added going forward. See the WebClient section of the Spring Framework reference documentation for more details and example code.

Therefore, the best solution would be to abandon RestTemplate in favor of WebClient.

Configure client registration and provider either programmatically or using Spring Boot auto-configuration:

spring:
  security:
    oauth2:
      client:
        registration:
          custom:
            client-id: clientId
            client-secret: clientSecret
            authorization-grant-type: client_credentials
        provider:
          custom:
            token-uri: http://localhost:8081/oauth/token

...and an OAuth2AuthorizedClientManager @Bean:

@Bean
public OAuth2AuthorizedClientManager authorizedClientManager(
        ClientRegistrationRepository clientRegistrationRepository,
        OAuth2AuthorizedClientRepository authorizedClientRepository) {

    OAuth2AuthorizedClientProvider authorizedClientProvider =
            OAuth2AuthorizedClientProviderBuilder.builder()
                    .clientCredentials()
                    .build();

    DefaultOAuth2AuthorizedClientManager authorizedClientManager =
            new DefaultOAuth2AuthorizedClientManager(
                    clientRegistrationRepository, authorizedClientRepository);
    authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);

    return authorizedClientManager;
}

Configure the WebClient instance to use ServerOAuth2AuthorizedClientExchangeFilterFunction with the provided OAuth2AuthorizedClientManager:

@Bean
WebClient webClient(OAuth2AuthorizedClientManager authorizedClientManager) {
    ServletOAuth2AuthorizedClientExchangeFilterFunction oauth2Client =
            new ServletOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager);
    oauth2Client.setDefaultClientRegistrationId("custom");
    return WebClient.builder()
            .apply(oauth2Client.oauth2Configuration())
            .build();
}

Now, if you try to make a request using this WebClient instance, it will first request a token from the authorization server and include it in the request.
