Spring Security 5 Replacement for OAuth2RestTemplate

Problem description

In spring-security-oauth2:2.4.0.RELEASE classes such as OAuth2RestTemplate, OAuth2ProtectedResourceDetails and ClientCredentialsAccessTokenProvider have all been marked as deprecated.

From the javadoc on these classes it points to a spring security migration guide that insinuates that people should migrate to the core spring-security 5 project. However I'm having trouble finding how I would implement my use case in this project.

All of the documentation and examples talk about integrating with a 3rd party OAuth provider if you want incoming requests to your application to be authenticated and you want to use the 3rd party OAuth provider to verify the identity.

In my use case all I want to do is make a request with a RestTemplate to an external service that is protected by OAuth. Currently I create an OAuth2ProtectedResourceDetails with my client id and secret which I pass into an OAuth2RestTemplate. I also have a custom ClientCredentialsAccessTokenProvider added to the OAuth2RestTemplate that just adds some extra headers to the token request that are required by the OAuth provider I'm using.

In the spring-security 5 documentation I've found a section that mentions customising the token request, but again that looks to be in the context of authenticating an incoming request with a 3rd party OAuth provider. It is not clear how you would use this in combination with something like a ClientHttpRequestInterceptor to ensure that each outgoing request to an external service first gets a token and then gets that added to the request.

Also in the migration guide linked above there is reference to an OAuth2AuthorizedClientService which it says is useful for using in interceptors, but again this looks like it relies on things like the ClientRegistrationRepository which seems to be where it maintains registrations for third party providers if you want to use that provider to ensure an incoming request is authenticated.

Is there any way I can make use of the new functionality in spring-security 5 for registering OAuth providers in order to get a token to add to outgoing requests from my application?

Recommended answer

OAuth 2.0 Client features of Spring Security 5.2.x do not support RestTemplate, but only WebClient. See Spring Security Reference:

HTTP Client support

  • WebClient integration for Servlet Environments (for requesting protected resources)

In addition, RestTemplate will be deprecated in a future version. See RestTemplate javadoc:

NOTE: As of 5.0, the non-blocking, reactive org.springframework.web.reactive.client.WebClient offers a modern alternative to the RestTemplate with efficient support for both sync and async, as well as streaming scenarios. The RestTemplate will be deprecated in a future version and will not have major new features added going forward. See the WebClient section of the Spring Framework reference documentation for more details and example code.

Therefore, the best solution would be to abandon RestTemplate in favor of WebClient.

Configure client registration and provider either programmatically or using Spring Boot auto-configuration:

spring:
  security:
    oauth2:
      client:
        registration:
          custom:
            client-id: clientId
            client-secret: clientSecret
            authorization-grant-type: client_credentials
        provider:
          custom:
            token-uri: http://localhost:8081/oauth/token

... and the OAuth2AuthorizedClientManager @Bean:

@Bean
public OAuth2AuthorizedClientManager authorizedClientManager(
        ClientRegistrationRepository clientRegistrationRepository,
        OAuth2AuthorizedClientRepository authorizedClientRepository) {

    OAuth2AuthorizedClientProvider authorizedClientProvider =
            OAuth2AuthorizedClientProviderBuilder.builder()
                    .clientCredentials()
                    .build();

    DefaultOAuth2AuthorizedClientManager authorizedClientManager =
            new DefaultOAuth2AuthorizedClientManager(
                    clientRegistrationRepository, authorizedClientRepository);
    authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);

    return authorizedClientManager;
}

Configure the WebClient instance to use ServerOAuth2AuthorizedClientExchangeFilterFunction with the provided OAuth2AuthorizedClientManager:

@Bean
WebClient webClient(OAuth2AuthorizedClientManager authorizedClientManager) {
    ServletOAuth2AuthorizedClientExchangeFilterFunction oauth2Client =
            new ServletOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager);
    oauth2Client.setDefaultClientRegistrationId("custom");
    return WebClient.builder()
            .apply(oauth2Client.oauth2Configuration())
            .build();
}

Now, if you try to make a request using this WebClient instance, it will first request a token from the authorization server and include it in the request.
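
The question also asks how to add extra headers to the token request, which the configuration above does not show. The following is an added example, not part of the original answer: one way to do it with the Spring Security 5.2 client-credentials token client, where the header name `X-Example-Tenant`, its value, and the class name `TokenRequestHeadersConfig` are hypothetical.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.http.HttpHeaders;
import org.springframework.http.RequestEntity;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder;
import org.springframework.security.oauth2.client.endpoint.DefaultClientCredentialsTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.OAuth2ClientCredentialsGrantRequest;
import org.springframework.security.oauth2.client.endpoint.OAuth2ClientCredentialsGrantRequestEntityConverter;

@Configuration
public class TokenRequestHeadersConfig {

    // Hypothetical header name and value; replace with what your provider requires.
    private static final String EXTRA_HEADER = "X-Example-Tenant";
    private static final String EXTRA_VALUE = "example-tenant";

    @Bean
    public OAuth2AuthorizedClientProvider clientCredentialsProvider() {
        // Builds the standard token request (grant_type, client authentication, scope).
        OAuth2ClientCredentialsGrantRequestEntityConverter defaults =
                new OAuth2ClientCredentialsGrantRequestEntityConverter();

        // Wraps the default converter and copies its request with one extra header.
        Converter<OAuth2ClientCredentialsGrantRequest, RequestEntity<?>> withHeaders = grantRequest -> {
            RequestEntity<?> original = defaults.convert(grantRequest);
            HttpHeaders headers = new HttpHeaders();
            headers.putAll(original.getHeaders());
            headers.add(EXTRA_HEADER, EXTRA_VALUE);
            return new RequestEntity<Object>(
                    original.getBody(), headers, original.getMethod(), original.getUrl());
        };

        DefaultClientCredentialsTokenResponseClient tokenClient =
                new DefaultClientCredentialsTokenResponseClient();
        tokenClient.setRequestEntityConverter(withHeaders);

        // Only the client_credentials grant is enabled, using the customised token client.
        return OAuth2AuthorizedClientProviderBuilder.builder()
                .clientCredentials(c -> c.accessTokenResponseClient(tokenClient))
                .build();
    }
}
```

Pass this provider to `authorizedClientManager.setAuthorizedClientProvider(...)` in place of the one built inside the answer's `OAuth2AuthorizedClientManager` bean.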
