UnAuthenticatedServerOAuth2AuthorizedClientRepository cannot be used within running request handlers #6888
Comments
I can see a need for client_credential protected resources to be accessible both during and outside of a user request. To keep my complexity low, I'd like to reuse WebClient instances, especially if they are wrapped by a business-oriented class. Therefore, I think being able to use this repository in both cases is beneficial. Especially since the other implementations of
For web applications, you should be using I'm going to close this issue as works as designed. We can re-open if you are still having issues with your setup.
I have the same problems as the author mentions. I can't understand why this ticket is closed with the reason "works as designed", because I think a framework like Spring should be able to distinguish this internally. In addition, the behavior changes completely if I add the dependency org.springframework.boot:spring-boot-starter-security, because without it it works. My only chance is to write my own OAuth client flow (not to mention things like #5893). That can't be right IMHO.
@awilhelmer It's not totally clear to me the issue you are having, as you mention more than one thing. Also, questions should be posted on StackOverflow. If you have an issue with a specific feature or are looking for a new feature, then please log a new issue instead of posting to a closed issue. Have you read up on the reference documentation to see what features are available? I would recommend starting here.
Summary
UnAuthenticatedServerOAuth2AuthorizedClientRepository throws an assertion failure because ServerWebExchange is not null when trying to use a client_credential protected resource during a web request. The associated OAuth2AuthorizedClientResolver ends up grabbing and providing the current ServerWebExchange from the current context.
Actual Behavior
I attempted to use an UnAuthenticatedServerOAuth2AuthorizedClientRepository instance for an oauth2 server exchange filter function to let me use client_credential access tokens during the processing of a user's request. This was described by several publications as a viable choice for client_credential type flows. As stated above, this causes UnAuthenticatedServerOAuth2AuthorizedClientRepository to fail an assertion that the ServerWebExchange is null. I was able to trace the ServerWebExchange attribute from the ClientRequest and tracked it to OAuth2AuthorizedClientResolver.currentServerWebExchange().
Expected Behavior
I was expecting no failed assertion.
Workaround/Potential solution
Remove the assertion that the current server web exchange is null, if this type of repository should be allowed within a user request.
Configuration
Spring WebFlux with Netty
Spring Boot 2.1.5
Spring Security 5.1.7
Related Question
It seems that according to the javadocs for UnAuthenticatedServerOAuth2AuthorizedClientRepository, I am using the class correctly, but it may really only be meant to be used during server to server communication outside of a user request process.
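The two WebClient configurations the report contrasts, written out as an added Java example that is not part of the issue, of Spring Boot, or of Spring Security's own code. It assumes Spring Boot 2.1.x with the Spring Security 5.1.x reactive OAuth2 client on the classpath, a client registration id "my-client" (a constructed name), and that a ServerOAuth2AuthorizedClientRepository bean is available in the application context (an assumption; Spring Boot's OAuth2 client auto-configuration normally provides one). The first bean reproduces the failure mode described above when it is used inside a request handler; the second is the shape that accepts the ServerWebExchange the filter function resolves from the Reactor context.

```java
// Added example (not from the issue or from Spring Security): contrasting the two repositories.
// Assumes Spring Boot 2.1.x / Spring Security 5.1.x reactive OAuth2 client and a registration
// named "my-client" (constructed). The ServerOAuth2AuthorizedClientRepository bean injected below
// is assumed to come from auto-configuration.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.reactive.function.client.ServerOAuth2AuthorizedClientExchangeFilterFunction;
import org.springframework.security.oauth2.client.web.server.ServerOAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.client.web.server.UnAuthenticatedServerOAuth2AuthorizedClientRepository;
import org.springframework.web.reactive.function.client.WebClient;

@Configuration
public class OAuth2WebClientConfig {

    // Server-to-server client, intended for use OUTSIDE a user request (startup tasks, schedulers).
    // UnAuthenticatedServerOAuth2AuthorizedClientRepository keeps authorized clients in memory and
    // asserts that no ServerWebExchange is passed to it. If this WebClient is called from a request
    // handler, the filter function resolves the current exchange from the Reactor context and
    // hands it to the repository, which is the assertion failure the issue describes.
    @Bean
    WebClient serverToServerWebClient(ReactiveClientRegistrationRepository registrations) {
        ServerOAuth2AuthorizedClientExchangeFilterFunction oauth =
                new ServerOAuth2AuthorizedClientExchangeFilterFunction(
                        registrations, new UnAuthenticatedServerOAuth2AuthorizedClientRepository());
        oauth.setDefaultClientRegistrationId("my-client"); // constructed registration id
        return WebClient.builder().filter(oauth).build();
    }

    // Request-scoped client, for use INSIDE a user request. The injected repository implementation
    // accepts the ServerWebExchange (and the current principal), so the same filter function does
    // not trip the null-exchange assertion. Which implementation is injected depends on the
    // application's security auto-configuration (assumed here, not shown).
    @Bean
    WebClient requestScopedWebClient(ReactiveClientRegistrationRepository registrations,
                                     ServerOAuth2AuthorizedClientRepository authorizedClients) {
        ServerOAuth2AuthorizedClientExchangeFilterFunction oauth =
                new ServerOAuth2AuthorizedClientExchangeFilterFunction(registrations, authorizedClients);
        oauth.setDefaultClientRegistrationId("my-client"); // constructed registration id
        return WebClient.builder().filter(oauth).build();
    }
}
```

Keeping the two beans separate makes the boundary explicit: code that runs without a ServerWebExchange (no Reactor context carrying one) can safely take the first WebClient, while request handlers must take the second. Wrapping both behind one business-oriented class, as the first commenter wants, means that class has to know which path it is on, since the repository choice is what decides whether the assertion fires.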