Spring Security 5 Replacement for OAuth2RestTemplate
Question
In spring-security-oauth2:2.4.0.RELEASE classes such as OAuth2RestTemplate, OAuth2ProtectedResourceDetails and ClientCredentialsAccessTokenProvider have all been marked as deprecated.
From the javadoc on these classes it points to a Spring Security migration guide that insinuates that people should migrate to the core spring-security 5 project. However, I'm having trouble finding how I would implement my use case in this project.
All of the documentation and examples talk about integrating with a 3rd party OAuth provider if you want incoming requests to your application to be authenticated and you want to use the 3rd party OAuth provider to verify the identity.
In my use case all I want to do is make a request with a RestTemplate to an external service that is protected by OAuth. Currently I create an OAuth2ProtectedResourceDetails with my client id and secret which I pass into an OAuth2RestTemplate. I also have a custom ClientCredentialsAccessTokenProvider added to the OAuth2RestTemplate that just adds some extra headers to the token request that are required by the OAuth provider I'm using.
In the spring-security 5 documentation I've found a section that mentions customising the token request, but again that looks to be in the context of authenticating an incoming request with a 3rd party OAuth provider. It is not clear how you would use this in combination with something like a ClientHttpRequestInterceptor to ensure that each outgoing request to an external service first gets a token and then gets that added to the request.
Also in the migration guide linked above there is reference to an OAuth2AuthorizedClientService which it says is useful for using in interceptors, but again this looks like it relies on things like the ClientRegistrationRepository which seems to be where it maintains registrations for third party providers if you want to use that provider to ensure an incoming request is authenticated.
Is there any way I can make use of the new functionality in spring-security 5 for registering OAuth providers in order to get a token to add to outgoing requests from my application?
Recommended answer
OAuth 2.0 Client features of Spring Security 5.2.x do not support RestTemplate, but only WebClient. See Spring Security Reference:
HTTP Client support
- WebClient integration for Servlet Environments (for requesting protected resources)
In addition, RestTemplate will be deprecated in a future version. See RestTemplate javadoc:
NOTE: As of 5.0, the non-blocking, reactive org.springframework.web.reactive.client.WebClient offers a modern alternative to the RestTemplate with efficient support for both sync and async, as well as streaming scenarios. The RestTemplate will be deprecated in a future version and will not have major new features added going forward. See the WebClient section of the Spring Framework reference documentation for more details and example code.
Therefore, the best solution would be to abandon RestTemplate in favor of WebClient.
Configure client registration and provider either programmatically or using Spring Boot auto-configuration:
    spring:
      security:
        oauth2:
          client:
            registration:
              custom:
                client-id: clientId
                client-secret: clientSecret
                authorization-grant-type: client_credentials
            provider:
              custom:
                token-uri: http://localhost:8081/oauth/token
...and the OAuth2AuthorizedClientManager @Bean:
    @Bean
    public OAuth2AuthorizedClientManager authorizedClientManager(
            ClientRegistrationRepository clientRegistrationRepository,
            OAuth2AuthorizedClientRepository authorizedClientRepository) {

        // Only the client_credentials grant is enabled for this manager.
        OAuth2AuthorizedClientProvider authorizedClientProvider =
                OAuth2AuthorizedClientProviderBuilder.builder()
                        .clientCredentials()
                        .build();

        DefaultOAuth2AuthorizedClientManager authorizedClientManager =
                new DefaultOAuth2AuthorizedClientManager(
                        clientRegistrationRepository, authorizedClientRepository);
        authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);

        return authorizedClientManager;
    }
Configure the WebClient instance to use ServerOAuth2AuthorizedClientExchangeFilterFunction with the provided OAuth2AuthorizedClientManager:
    @Bean
    WebClient webClient(OAuth2AuthorizedClientManager authorizedClientManager) {
        ServletOAuth2AuthorizedClientExchangeFilterFunction oauth2Client =
                new ServletOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager);
        // Use the "custom" registration from the configuration above by default.
        oauth2Client.setDefaultClientRegistrationId("custom");
        return WebClient.builder()
                .apply(oauth2Client.oauth2Configuration())
                .build();
    }
Now, if you try to make a request using this WebClient instance, it will first request a token from the authorization server and include it in the request.
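An added example, not part of the original answer: one way to cover the question's remaining requirement, extra headers on the client_credentials token request, by wrapping the default request converter and plugging it into the authorizedClientManager bean shown above. The class name, the header name X-Provider-Header and its value are placeholders; the calls used are those of the Spring Security 5.2 OAuth 2.0 client.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.http.HttpHeaders;
import org.springframework.http.RequestEntity;
import org.springframework.security.oauth2.client.*;
import org.springframework.security.oauth2.client.endpoint.*;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.*;

@Configuration
public class TokenRequestHeaderConfig { // hypothetical class name

    // Builds the standard token request, then re-creates it with extra headers.
    static Converter<OAuth2ClientCredentialsGrantRequest, RequestEntity<?>> withExtraHeaders() {
        OAuth2ClientCredentialsGrantRequestEntityConverter delegate =
                new OAuth2ClientCredentialsGrantRequestEntityConverter();
        return grantRequest -> {
            RequestEntity<?> original = delegate.convert(grantRequest);
            // The entity's own headers are read-only, so copy them first. The copy
            // keeps Content-Type and the Authorization header that carries the
            // client credentials; keep these headers out of any request logging.
            HttpHeaders headers = new HttpHeaders();
            headers.putAll(original.getHeaders());
            headers.add("X-Provider-Header", "example-value"); // placeholder header
            return new RequestEntity<Object>(original.getBody(), headers,
                    original.getMethod(), original.getUrl());
        };
    }

    @Bean
    public OAuth2AuthorizedClientManager authorizedClientManager(
            ClientRegistrationRepository clientRegistrationRepository,
            OAuth2AuthorizedClientRepository authorizedClientRepository) {
        DefaultClientCredentialsTokenResponseClient tokenClient =
                new DefaultClientCredentialsTokenResponseClient();
        tokenClient.setRequestEntityConverter(withExtraHeaders());

        OAuth2AuthorizedClientProvider provider = OAuth2AuthorizedClientProviderBuilder.builder()
                .clientCredentials(c -> c.accessTokenResponseClient(tokenClient))
                .build();

        DefaultOAuth2AuthorizedClientManager manager = new DefaultOAuth2AuthorizedClientManager(
                clientRegistrationRepository, authorizedClientRepository);
        manager.setAuthorizedClientProvider(provider);
        return manager;
    }
}
```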