-
Notifications
You must be signed in to change notification settings - Fork 5.9k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Introduce Reactive OAuth2AuthorizedClient Manager/Provider
Fixes gh-7116
- Loading branch information
Showing
25 changed files
with
2,911 additions
and
269 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
53 changes: 53 additions & 0 deletions
53
...ework/security/oauth2/client/AuthorizationCodeReactiveOAuth2AuthorizedClientProvider.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,53 @@ | ||
| /* | ||
| * Copyright 2002-2019 the original author or authors. | ||
| * | ||
| * Licensed under the Apache License, Version 2.0 (the "License"); | ||
| * you may not use this file except in compliance with the License. | ||
| * You may obtain a copy of the License at | ||
| * | ||
| * https://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, software | ||
| * distributed under the License is distributed on an "AS IS" BASIS, | ||
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| * See the License for the specific language governing permissions and | ||
| * limitations under the License. | ||
| */ | ||
| package org.springframework.security.oauth2.client; | ||
|
|
||
| import org.springframework.security.oauth2.client.registration.ClientRegistration; | ||
| import org.springframework.security.oauth2.core.AuthorizationGrantType; | ||
| import org.springframework.util.Assert; | ||
| import reactor.core.publisher.Mono; | ||
|
|
||
| /** | ||
| * An implementation of a {@link ReactiveOAuth2AuthorizedClientProvider} | ||
| * for the {@link AuthorizationGrantType#AUTHORIZATION_CODE authorization_code} grant. | ||
| * | ||
| * @author Joe Grandja | ||
| * @since 5.2 | ||
| * @see ReactiveOAuth2AuthorizedClientProvider | ||
| */ | ||
| public final class AuthorizationCodeReactiveOAuth2AuthorizedClientProvider implements ReactiveOAuth2AuthorizedClientProvider { | ||
|
|
||
| /** | ||
| * Attempt to authorize the {@link OAuth2AuthorizationContext#getClientRegistration() client} in the provided {@code context}. | ||
| * Returns an empty {@code Mono} if authorization is not supported, | ||
| * e.g. the client's {@link ClientRegistration#getAuthorizationGrantType() authorization grant type} | ||
| * is not {@link AuthorizationGrantType#AUTHORIZATION_CODE authorization_code} OR the client is already authorized. | ||
| * | ||
| * @param context the context that holds authorization-specific state for the client | ||
| * @return the {@link OAuth2AuthorizedClient} or an empty {@code Mono} if authorization is not supported | ||
| */ | ||
| @Override | ||
| public Mono<OAuth2AuthorizedClient> authorize(OAuth2AuthorizationContext context) { | ||
| Assert.notNull(context, "context cannot be null"); | ||
|
|
||
| if (AuthorizationGrantType.AUTHORIZATION_CODE.equals(context.getClientRegistration().getAuthorizationGrantType()) && | ||
| context.getAuthorizedClient() == null) { | ||
| // ClientAuthorizationRequiredException is caught by OAuth2AuthorizationRequestRedirectWebFilter which initiates authorization | ||
| return Mono.error(() -> new ClientAuthorizationRequiredException(context.getClientRegistration().getRegistrationId())); | ||
| } | ||
| return Mono.empty(); | ||
| } | ||
| } |
108 changes: 108 additions & 0 deletions
108
...ework/security/oauth2/client/ClientCredentialsReactiveOAuth2AuthorizedClientProvider.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,108 @@ | ||
| /* | ||
| * Copyright 2002-2019 the original author or authors. | ||
| * | ||
| * Licensed under the Apache License, Version 2.0 (the "License"); | ||
| * you may not use this file except in compliance with the License. | ||
| * You may obtain a copy of the License at | ||
| * | ||
| * https://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, software | ||
| * distributed under the License is distributed on an "AS IS" BASIS, | ||
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| * See the License for the specific language governing permissions and | ||
| * limitations under the License. | ||
| */ | ||
| package org.springframework.security.oauth2.client; | ||
|
|
||
| import org.springframework.security.oauth2.client.endpoint.OAuth2ClientCredentialsGrantRequest; | ||
| import org.springframework.security.oauth2.client.endpoint.ReactiveOAuth2AccessTokenResponseClient; | ||
| import org.springframework.security.oauth2.client.endpoint.WebClientReactiveClientCredentialsTokenResponseClient; | ||
| import org.springframework.security.oauth2.client.registration.ClientRegistration; | ||
| import org.springframework.security.oauth2.core.AbstractOAuth2Token; | ||
| import org.springframework.security.oauth2.core.AuthorizationGrantType; | ||
| import org.springframework.util.Assert; | ||
| import reactor.core.publisher.Mono; | ||
|
|
||
| import java.time.Duration; | ||
| import java.time.Instant; | ||
|
|
||
| /** | ||
| * An implementation of a {@link ReactiveOAuth2AuthorizedClientProvider} | ||
| * for the {@link AuthorizationGrantType#CLIENT_CREDENTIALS client_credentials} grant. | ||
| * | ||
| * @author Joe Grandja | ||
| * @since 5.2 | ||
| * @see ReactiveOAuth2AuthorizedClientProvider | ||
| * @see WebClientReactiveClientCredentialsTokenResponseClient | ||
| */ | ||
| public final class ClientCredentialsReactiveOAuth2AuthorizedClientProvider implements ReactiveOAuth2AuthorizedClientProvider { | ||
| private ReactiveOAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> accessTokenResponseClient = | ||
| new WebClientReactiveClientCredentialsTokenResponseClient(); | ||
| private Duration clockSkew = Duration.ofSeconds(60); | ||
|
|
||
| /** | ||
| * Attempt to authorize (or re-authorize) the {@link OAuth2AuthorizationContext#getClientRegistration() client} in the provided {@code context}. | ||
| * Returns an empty {@code Mono} if authorization (or re-authorization) is not supported, | ||
| * e.g. the client's {@link ClientRegistration#getAuthorizationGrantType() authorization grant type} | ||
| * is not {@link AuthorizationGrantType#CLIENT_CREDENTIALS client_credentials} OR | ||
| * the {@link OAuth2AuthorizedClient#getAccessToken() access token} is not expired. | ||
| * | ||
| * @param context the context that holds authorization-specific state for the client | ||
| * @return the {@link OAuth2AuthorizedClient} or an empty {@code Mono} if authorization (or re-authorization) is not supported | ||
| */ | ||
| @Override | ||
| public Mono<OAuth2AuthorizedClient> authorize(OAuth2AuthorizationContext context) { | ||
| Assert.notNull(context, "context cannot be null"); | ||
|
|
||
| ClientRegistration clientRegistration = context.getClientRegistration(); | ||
| if (!AuthorizationGrantType.CLIENT_CREDENTIALS.equals(clientRegistration.getAuthorizationGrantType())) { | ||
| return Mono.empty(); | ||
| } | ||
|
|
||
| OAuth2AuthorizedClient authorizedClient = context.getAuthorizedClient(); | ||
| if (authorizedClient != null && !hasTokenExpired(authorizedClient.getAccessToken())) { | ||
| // If client is already authorized but access token is NOT expired than no need for re-authorization | ||
| return Mono.empty(); | ||
| } | ||
|
|
||
| // As per spec, in section 4.4.3 Access Token Response | ||
| // https://tools.ietf.org/html/rfc6749#section-4.4.3 | ||
| // A refresh token SHOULD NOT be included. | ||
| // | ||
| // Therefore, renewing an expired access token (re-authorization) | ||
| // is the same as acquiring a new access token (authorization). | ||
|
|
||
| return Mono.just(new OAuth2ClientCredentialsGrantRequest(clientRegistration)) | ||
| .flatMap(this.accessTokenResponseClient::getTokenResponse) | ||
| .map(tokenResponse -> new OAuth2AuthorizedClient( | ||
| clientRegistration, context.getPrincipal().getName(), tokenResponse.getAccessToken())); | ||
| } | ||
|
|
||
| private boolean hasTokenExpired(AbstractOAuth2Token token) { | ||
| return token.getExpiresAt().isBefore(Instant.now().minus(this.clockSkew)); | ||
| } | ||
|
|
||
| /** | ||
| * Sets the client used when requesting an access token credential at the Token Endpoint for the {@code client_credentials} grant. | ||
| * | ||
| * @param accessTokenResponseClient the client used when requesting an access token credential at the Token Endpoint for the {@code client_credentials} grant | ||
| */ | ||
| public void setAccessTokenResponseClient(ReactiveOAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> accessTokenResponseClient) { | ||
| Assert.notNull(accessTokenResponseClient, "accessTokenResponseClient cannot be null"); | ||
| this.accessTokenResponseClient = accessTokenResponseClient; | ||
| } | ||
|
|
||
| /** | ||
| * Sets the maximum acceptable clock skew, which is used when checking the | ||
| * {@link OAuth2AuthorizedClient#getAccessToken() access token} expiry. The default is 60 seconds. | ||
| * An access token is considered expired if it's before {@code Instant.now() - clockSkew}. | ||
| * | ||
| * @param clockSkew the maximum acceptable clock skew | ||
| */ | ||
| public void setClockSkew(Duration clockSkew) { | ||
| Assert.notNull(clockSkew, "clockSkew cannot be null"); | ||
| Assert.isTrue(clockSkew.getSeconds() >= 0, "clockSkew must be >= 0"); | ||
| this.clockSkew = clockSkew; | ||
| } | ||
| } |
70 changes: 70 additions & 0 deletions
70
...ingframework/security/oauth2/client/DelegatingReactiveOAuth2AuthorizedClientProvider.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,70 @@ | ||
| /* | ||
| * Copyright 2002-2019 the original author or authors. | ||
| * | ||
| * Licensed under the Apache License, Version 2.0 (the "License"); | ||
| * you may not use this file except in compliance with the License. | ||
| * You may obtain a copy of the License at | ||
| * | ||
| * https://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, software | ||
| * distributed under the License is distributed on an "AS IS" BASIS, | ||
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| * See the License for the specific language governing permissions and | ||
| * limitations under the License. | ||
| */ | ||
| package org.springframework.security.oauth2.client; | ||
|
|
||
| import org.springframework.util.Assert; | ||
| import reactor.core.publisher.Flux; | ||
| import reactor.core.publisher.Mono; | ||
|
|
||
| import java.util.ArrayList; | ||
| import java.util.Arrays; | ||
| import java.util.Collections; | ||
| import java.util.List; | ||
|
|
||
| /** | ||
| * An implementation of a {@link ReactiveOAuth2AuthorizedClientProvider} that simply delegates | ||
| * to it's internal {@code List} of {@link ReactiveOAuth2AuthorizedClientProvider}(s). | ||
| * <p> | ||
| * Each provider is given a chance to | ||
| * {@link ReactiveOAuth2AuthorizedClientProvider#authorize(OAuth2AuthorizationContext) authorize} | ||
| * the {@link OAuth2AuthorizationContext#getClientRegistration() client} in the provided context | ||
| * with the first available {@link OAuth2AuthorizedClient} being returned. | ||
| * | ||
| * @author Joe Grandja | ||
| * @since 5.2 | ||
| * @see ReactiveOAuth2AuthorizedClientProvider | ||
| */ | ||
| public final class DelegatingReactiveOAuth2AuthorizedClientProvider implements ReactiveOAuth2AuthorizedClientProvider { | ||
| private final List<ReactiveOAuth2AuthorizedClientProvider> authorizedClientProviders; | ||
|
|
||
| /** | ||
| * Constructs a {@code DelegatingReactiveOAuth2AuthorizedClientProvider} using the provided parameters. | ||
| * | ||
| * @param authorizedClientProviders a list of {@link ReactiveOAuth2AuthorizedClientProvider}(s) | ||
| */ | ||
| public DelegatingReactiveOAuth2AuthorizedClientProvider(ReactiveOAuth2AuthorizedClientProvider... authorizedClientProviders) { | ||
| Assert.notEmpty(authorizedClientProviders, "authorizedClientProviders cannot be empty"); | ||
| this.authorizedClientProviders = Collections.unmodifiableList(Arrays.asList(authorizedClientProviders)); | ||
| } | ||
|
|
||
| /** | ||
| * Constructs a {@code DelegatingReactiveOAuth2AuthorizedClientProvider} using the provided parameters. | ||
| * | ||
| * @param authorizedClientProviders a {@code List} of {@link OAuth2AuthorizedClientProvider}(s) | ||
| */ | ||
| public DelegatingReactiveOAuth2AuthorizedClientProvider(List<ReactiveOAuth2AuthorizedClientProvider> authorizedClientProviders) { | ||
| Assert.notEmpty(authorizedClientProviders, "authorizedClientProviders cannot be empty"); | ||
| this.authorizedClientProviders = Collections.unmodifiableList(new ArrayList<>(authorizedClientProviders)); | ||
| } | ||
|
|
||
| @Override | ||
| public Mono<OAuth2AuthorizedClient> authorize(OAuth2AuthorizationContext context) { | ||
| Assert.notNull(context, "context cannot be null"); | ||
| return Flux.fromIterable(this.authorizedClientProviders) | ||
| .concatMap(authorizedClientProvider -> authorizedClientProvider.authorize(context)) | ||
| .next(); | ||
| } | ||
| } |
44 changes: 44 additions & 0 deletions
44
...va/org/springframework/security/oauth2/client/ReactiveOAuth2AuthorizedClientProvider.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,44 @@ | ||
| /* | ||
| * Copyright 2002-2019 the original author or authors. | ||
| * | ||
| * Licensed under the Apache License, Version 2.0 (the "License"); | ||
| * you may not use this file except in compliance with the License. | ||
| * You may obtain a copy of the License at | ||
| * | ||
| * https://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, software | ||
| * distributed under the License is distributed on an "AS IS" BASIS, | ||
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| * See the License for the specific language governing permissions and | ||
| * limitations under the License. | ||
| */ | ||
| package org.springframework.security.oauth2.client; | ||
|
|
||
| import org.springframework.security.oauth2.client.registration.ClientRegistration; | ||
| import org.springframework.security.oauth2.core.AuthorizationGrantType; | ||
| import reactor.core.publisher.Mono; | ||
|
|
||
| /** | ||
| * A strategy for authorizing (or re-authorizing) an OAuth 2.0 Client. | ||
| * Implementations will typically implement a specific {@link AuthorizationGrantType authorization grant} type. | ||
| * | ||
| * @author Joe Grandja | ||
| * @since 5.2 | ||
| * @see OAuth2AuthorizedClient | ||
| * @see OAuth2AuthorizationContext | ||
| * @see <a target="_blank" href="https://tools.ietf.org/html/rfc6749#section-1.3">Section 1.3 Authorization Grant</a> | ||
| */ | ||
| public interface ReactiveOAuth2AuthorizedClientProvider { | ||
|
|
||
| /** | ||
| * Attempt to authorize (or re-authorize) the {@link OAuth2AuthorizationContext#getClientRegistration() client} in the provided context. | ||
| * Implementations must return an empty {@code Mono} if authorization is not supported for the specified client, | ||
| * e.g. the provider doesn't support the {@link ClientRegistration#getAuthorizationGrantType() authorization grant} type configured for the client. | ||
| * | ||
| * @param context the context that holds authorization-specific state for the client | ||
| * @return the {@link OAuth2AuthorizedClient} or an empty {@code Mono} if authorization is not supported for the specified client | ||
| */ | ||
| Mono<OAuth2AuthorizedClient> authorize(OAuth2AuthorizationContext context); | ||
|
|
||
| } |
Oops, something went wrong.