Fil*_*nar 7 spring spring-security spring-webflux
我有一个 Spring Web 应用程序,它有一个为其 API 端点配置的 oauth2 资源服务器,以及一个用于其进行的 REST 调用的完全不同的 oauth2 客户端。oauth2 客户端需要是密码授予类型。用户名和密码是固定的(不是来自 HTTP 请求)。我的问题是,30 分钟后访问令牌和刷新令牌都会过期,因此无法进行刷新。我希望 Spring Security 只会要求新的访问令牌,但没有。它使用过期端点调用 REST 端点,并返回 403。这是我所得到的:
应用程序.yml:
spring:
security:
oauth2:
resourceserver:
jwt:
issuer-uri: https://our.idp.keycloak.host/auth/realms/firstrealm
client:
registration:
my-client-authorization:
client-id: my_client
client-secret: ${CLIENT_SECRET}
authorization-grant-type: password
scope: openid, profile
provider:
my-client-authorization:
token-uri: https://our.idp.keycloak.host/auth/realms/secondrealm/protocol/openid-connect/token
MyClientConfig.java:
import lombok.RequiredArgsConstructor;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.security.oauth2.client.OAuth2AuthorizationContext;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction;
import org.springframework.web.reactive.function.client.WebClient;
import java.util.Map;
@Configuration
@RequiredArgsConstructor
public class MyClientConfig {
@Bean
WebClient webClient(OAuth2AuthorizedClientManager authorizedClientManager) {
ServletOAuth2AuthorizedClientExchangeFilterFunction oauth2Client = new ServletOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager);
oauth2Client.setDefaultClientRegistrationId("my-client-authorization");
return WebClient.builder()
.apply(oauth2Client.oauth2Configuration())
.baseUrl("https://the.api.host.to.call")
.build();
}
@Bean
public OAuth2AuthorizedClientManager authorizedClientManager(
ClientRegistrationRepository clientRegistrationRepository,
OAuth2AuthorizedClientRepository authorizedClientRepository
) {
OAuth2AuthorizedClientProvider authorizedClientProvider = OAuth2AuthorizedClientProviderBuilder.builder()
.password()
.build();
DefaultOAuth2AuthorizedClientManager result = new DefaultOAuth2AuthorizedClientManager(
clientRegistrationRepository,
authorizedClientRepository
);
result.setAuthorizedClientProvider(authorizedClientProvider);
result.setContextAttributesMapper(oAuth2AuthorizeRequest -> Map.of(
OAuth2AuthorizationContext.USERNAME_ATTRIBUTE_NAME, "user",
OAuth2AuthorizationContext.PASSWORD_ATTRIBUTE_NAME, "password"
));
return result;
}
}
API 调用本身:
private <T> T callApi(Function<UriBuilder, URI> uriFunction, Class<T> resultType) {
return this.webClient
.get()
.uri(uriFunction)
.retrieve()
.bodyToMono(resultType)
.block();
}
我第一次调用它时它就起作用了。但 30 分钟后,令牌就失效了,我不知道如何获取新令牌。如果我将其切换为 client_credentials 授予类型,它就会起作用,它会在需要时自动获取新令牌。但由于某种原因,我无法对密码授予类型执行相同的操作。
编辑: 所以我设法解决了这个问题,这要归功于: https: //github.com/spring-projects/spring-security/issues/8831。当我也为刷新令牌配置 WebClient 时,刷新令牌过期时它会崩溃。但是当您之后再次发出请求时,它会获得一个新的令牌。因此,我必须将 API 调用包装在 try catch 中,如果错误是我关心的错误,我会再次调用 API。这不是一个非常优雅的解决方案,但它确实有效。
这里明确提到Spring会在access token过期时自动刷新。
我认为您需要您使用过的“反应式”等效类。请尝试这个片段。
@Configuration
@RequiredArgsConstructor
public class MyClientConfig {
@Bean
WebClient webClient(ReactiveOAuth2AuthorizedClientManager authorizedClientManager) {
ServerOAuth2AuthorizedClientExchangeFilterFunction oauth2Client = new ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager);
oauth2Client.setDefaultClientRegistrationId("my-client-authorization");
return WebClient.builder()
.filter(oauth2Client)
.baseUrl("https://the.api.host.to.call")
.build();
}
@Bean
public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
ReactiveClientRegistrationRepository clientRegistrationRepository,
ReactiveOAuth2AuthorizedClientService authorizedClientService
) {
ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.password()
.build();
AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager result = new AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager(
clientRegistrationRepository,
authorizedClientService
);
result.setAuthorizedClientProvider(authorizedClientProvider);
result.setContextAttributesMapper(oAuth2AuthorizeRequest -> Mono.just(Map.of(
OAuth2AuthorizationContext.USERNAME_ATTRIBUTE_NAME, "user",
OAuth2AuthorizationContext.PASSWORD_ATTRIBUTE_NAME, "password"
)));
return result;
}
}
| 归档时间: |
|
| 查看次数: |
9217 次 |
| 最近记录: |