How to add multiple client credentials on spring boot webclient using webflux - spring

Currently my setup as following.
#Configuration
public class Oauth2WebClientConfig {
private final Environment env;
#Autowired
public Oauth2WebClientConfig(Environment env) {
this.env = env;
}
// == Oauth2 Configuration ==
#Bean
ReactiveClientRegistrationRepository clientRegistration() {
ClientRegistration clientRegistration = ClientRegistration
.withRegistrationId("custom")
.tokenUri(env.getProperty("accessTokenUri"))
.clientId(env.getProperty("clientID"))
.clientSecret(env.getProperty("clientSecret"))
.authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
.scope(env.getProperty("scope"))
.build();
return new InMemoryReactiveClientRegistrationRepository(clientRegistration);
}
#Bean
ReactiveOAuth2AuthorizedClientService authorizedClientService() {
return new InMemoryReactiveOAuth2AuthorizedClientService(clientRegistration());
}
// == Oauth2 Configuration ==
// == WebFlux Configuration ==
#Bean
WebClient webClient(ReactiveClientRegistrationRepository clientRegistrations, ReactiveOAuth2AuthorizedClientService authorizedClientService) {
ServerOAuth2AuthorizedClientExchangeFilterFunction oauth = new ServerOAuth2AuthorizedClientExchangeFilterFunction(
new AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager(clientRegistrations, authorizedClientService));
oauth.setDefaultClientRegistrationId("custom");
return WebClient.builder()
.filter(oauth)
.build();
}
// == WebFlux Configuration ==
}
I need to add multiple client credentials is there a way to do it without creating multiple ReactiveClientRegistrationRepository bean & WebClient bean?

Related

How I do pass parameter to configuration bean in Kotlin

I have declared OAuthClientConfiguration setting for WebClient using ReactiveClientRegistrationRepository. But I need to pass some params from service (MyService)
WebClientConfiguration defines as follows:
#Configuration
class WebClientConfiguration {
#Bean
fun clientRegistrations(credentials: Credentials):ReactiveClientRegistrationRepository? {
val registration = ClientRegistration
.withRegistrationId("okta")
.tokenUri(access_token)
.clientId(credentials.client_id)
.clientSecret(credentials.client_secret)
.scope(credentials.scope)
.authorizationGrantType(AuthorizationGrantType(authorizationGrantType))
.build()
return InMemoryReactiveClientRegistrationRepository(registration)
}
#Bean
fun webClient(clientRegistrations: ReactiveClientRegistrationRepository?): WebClient? {
val clientService = InMemoryReactiveOAuth2AuthorizedClientService(clientRegistrations)
val authorizedClientManager =
AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager(clientRegistrations, clientService)
val oauth = ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager)
oauth.setDefaultClientRegistrationId("okta")
return WebClient.builder()
.filter(oauth)
.build()
}
}
And WebClient calling is defined as follows:
#Service
class MyService (private val webClient: WebClient) {
fun doRequest(): String? {
return webClient.get()
.retrieve()
}
}
How I do pass the credentials to the configuration beans

spring cloud gateway oauth2 insert dynamic oauth2 configs

how can I inject a configuration dynamic in the spring boot security context ?
the object look like:
ClientRegistration clientRegistration = ClientRegistration
.withRegistrationId(realmName)
.clientId(keycloak.getClientGlbId())
.clientSecret(keycloak.getClientGlbSecret())
.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
.redirectUri(keycloak.getClientGlbRedirectUri())
.issuerUri(keycloak.getClientGlbIssuerUri().concat(realmName))
.authorizationUri(keycloak.getHost().concat("realms").concat(realmName).concat("/protocol/openid-connect/auth"))
.userInfoUri(keycloak.getHost().concat("realms").concat(realmName).concat("/protocol/openid-connect/userinfo"))
.tokenUri(keycloak.getHost().concat("realms").concat(realmName).concat("/protocol/openid-connect/token"))
.build();
on runtime this is working
#Bean
public ReactiveClientRegistrationRepository clientRegistrationRepository() {
return new InMemoryReactiveClientRegistrationRepository(this.googleClientRegistration());
}
private ClientRegistration googleClientRegistration() {
return ClientRegistration.withRegistrationId("google")
.clientId("google-client-id")
.clientSecret("google-client-secret")
.clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
.redirectUriTemplate("{baseUrl}/login/oauth2/code/{registrationId}")
.scope("openid", "profile", "email", "address", "phone")
.authorizationUri("https://accounts.google.com/o/oauth2/v2/auth")
.tokenUri("https://www.googleapis.com/oauth2/v4/token")
.userInfoUri("https://www.googleapis.com/oauth2/v3/userinfo")
.userNameAttributeName(IdTokenClaimNames.SUB)
.jwkSetUri("https://www.googleapis.com/oauth2/v3/certs")
.clientName("Google")
.build();
}
also discovered after analyzing on the source code of org.springframework.boot.autoconfigure.security.oauth2.client ClientsConfiguredCondition that the env spring.security.oauth2.client.registration is keeping all the oauth2 configs.
private static final Bindable<Map<String, OAuth2ClientProperties.Registration>> STRING_REGISTRATION_MAP = Bindable
.mapOf(String.class, OAuth2ClientProperties.Registration.class);
#Override
public ConditionOutcome getMatchOutcome(ConditionContext context, AnnotatedTypeMetadata metadata) {
ConditionMessage.Builder message = ConditionMessage.forCondition("OAuth2 Clients Configured Condition");
Map<String, OAuth2ClientProperties.Registration> registrations = getRegistrations(context.getEnvironment());
if (!registrations.isEmpty()) {
return ConditionOutcome.match(message.foundExactly("registered clients " + registrations.values().stream()
.map(OAuth2ClientProperties.Registration::getClientId).collect(Collectors.joining(", "))));
}
return ConditionOutcome.noMatch(message.notAvailable("registered clients"));
}
private Map<String, OAuth2ClientProperties.Registration> getRegistrations(Environment environment) {
return Binder.get(environment).bind("spring.security.oauth2.client.registration", STRING_REGISTRATION_MAP)
.orElse(Collections.emptyMap());
}
The question is: how to inject/add oauth2 providers/configurations dynamically ?

Spring Boot OAuth2RestTemplate and HTTP Client Metrics

Actuator manages the instrumentation of RestTemplate, we only have to inject RestTemplateBuilder to create RestTemplate bean:
#Configuration
public class HttpClientConfiguration {
private final RestTemplateBuilder restTemplateBuilder;
// let Actuator manages the instrumentation
public HttpClientConfiguration(RestTemplateBuilder restTemplateBuilder) {
this.restTemplateBuilder = restTemplateBuilder;
}
#Bean // let Sleuth intercept requests
public RestTemplate createRestTemplate() {
return restTemplateBuilder.build();
}
}
How to create an OAuth2RestTemplate bean (built-in OAuth2) with the HTTP Client Mertics support?
I just found a solution:
#Configuration
#EnableOAuth2Client
public class OAuthClientConfig {
private final MetricsRestTemplateCustomizer metricsRestTemplateCustomizer;
public OAuthConfig(MetricsRestTemplateCustomizer metricsRestTemplateCustomizer) {
this.metricsRestTemplateCustomizer=metricsRestTemplateCustomizer;
}
#Bean
public OAuth2RestTemplate createOAuth2RestTemplate() {
OAuth2RestTemplate restTemplate = new OAuth2RestTemplate(
getClientCredentialsResourceDetails(),
new DefaultOAuth2ClientContext());
metricsRestTemplateCustomizer.customize(restTemplate);
return restTemplate;
}
private ClientCredentialsResourceDetails getClientCredentialsResourceDetails() {
ClientCredentialsResourceDetails rd = new ClientCredentialsResourceDetails();
rd.setClientId("my-client-id");
rd.setClientSecret("my-client-secret");
rd.setAccessTokenUri("https://my-idp.server/oauth2/token");
return rd;
}
}
This is a late answer, but I was looking for something similar and found an alertnaive way.
The Spring Boot configured RestTemplateBuilder adds more than just the HTTP Client Mertics (see RestTemplateAutoConfiguration). If you don't want to lose those, you can still use the auto-configured RestTemplateBuilder to configure your OAuth2RestTemplate as follows:
#Configuration
public class OAuthClientConfig {
#Bean
public OAuth2RestTemplate createOAuth2RestTemplate(RestTemplateBuilder builder) {
// Create and setup your OAuth2RestTemplate:
OAuth2RestTemplate restTemplate = new OAuth2RestTemplate(....);
// let the auto-configure builder configure your template:
return builder.configure(restTemplate);
}
}

Spring boot Oauth2 : Token relay from a client using Feign, Ribbon, Zull and Eureka to a ressource

I have an oauth2 client that get a token from an authorization server successfully. (not always has been the case but now it is... :))
The client, the zuul gateway and the resource server are all registered in Eureka.
My client use a Proxy to access to a remote ressource service named microservice-files.
#RestController
#FeignClient(name = "zuul-server")
#RibbonClient(name = "microservice-files")
public interface ProxyMicroserviceFiles {
#GetMapping(value = "microservice-files/root")
FileBean getUserRoot();
}
So I'd like to relay the token to Zull and then to the resource server.
I can relay the token this way to contact Zuul and apparently the load balancing is managed too (I've just test I didn't know and it's great) also zuul can relay the token, but it's not very convenient I'd prefer the previous approach.
#EnableConfigurationProperties
#SpringBootApplication
#EnableFeignClients("com.clientui")
public class ClientUiApplication {
#Bean
public OAuth2RestOperations restOperations(
OAuth2ProtectedResourceDetails resource,
OAuth2ClientContext context) {
return new OAuth2RestTemplate(resource, context);
}
public static void main(String[] args) {
SpringApplication.run(ClientUiApplication.class, args);
}
}
here is the test controler
#Controller
public class ClientController {
#Autowired
private RestOperations restOperations;
#RequestMapping("/root")
public ResponseEntity userRootTest() {
String rootUrl = "http://localhost:9004/microservice-files/root";
return restOperations.getForEntity(rootUrl,FileBean.class);
}
}
If I correctly understand your problem then you can use a RequestInterceptor to add a token in each request by the feign. In order to do it you can use the next configuration:
#Bean
public RequestInterceptor oauth2FeignRequestInterceptor(OAuth2ClientContext oauth2ClientContext,
OAuth2ProtectedResourceDetails resource) {
return new OAuth2FeignRequestInterceptor(oauth2ClientContext, resource);
}
#Bean
protected OAuth2ProtectedResourceDetails resource() {
AuthorizationCodeResourceDetails resource = new AuthorizationCodeResourceDetails();
resource.setAccessTokenUri("http://127.0.0.1:9000/auth/login");
resource.setUserAuthorizationUri("http://127.0.0.1:9000/auth/authorize");
resource.setClientId("my-client");
resource.setClientSecret("my-secret");
return resource;
}
This is what I did to make it work.
#Bean(name = "oauth2RestTemplate")
#LoadBalanced
public OAuth2RestTemplate restTemplate(SpringClientFactory clientFactory) {
OAuth2RestTemplate restTemplate = new OAuth2RestTemplate(resourceDetails());
RibbonLoadBalancerClient ribbonLoadBalancerClient = new RibbonLoadBalancerClient(clientFactory);
LoadBalancerInterceptor loadBalancerInterceptor = new LoadBalancerInterceptor(ribbonLoadBalancerClient);
ClientCredentialsAccessTokenProvider accessTokenProvider = new ClientCredentialsAccessTokenProvider();
accessTokenProvider.setInterceptors(Arrays.asList(loadBalancerInterceptor));
restTemplate.setAccessTokenProvider(accessTokenProvider);
return restTemplate;
}
public ClientCredentialsResourceDetails resourceDetails() {
ClientCredentialsResourceDetails clientCredentialsResourceDetails = new ClientCredentialsResourceDetails();
clientCredentialsResourceDetails.setId("1");
clientCredentialsResourceDetails.setClientId("my-ms");
clientCredentialsResourceDetails.setClientSecret("123");
clientCredentialsResourceDetails.setAccessTokenUri("http://oauth-server/oauth/token");
clientCredentialsResourceDetails.setScope(Arrays.asList("read"));
clientCredentialsResourceDetails.setGrantType("client_credentials");
return clientCredentialsResourceDetails;
}

Spring Webflux OAuth 2 resource server

I have a Spring OAuth 2 server based on Spring Boot 1.5 (Spring Security v4) which generates customized tokens and a few resource servers who communicate with this authorization server, making use of /oauth/check_token endpoint by configuration of RemoteTokenServices.
All the logic related to storing/retrieving tokens on Authorization server side is done with JdbcTokenStore.
I am building a new Spring Boot 2 application which is build with Spring webflux module and trying to implement client_credentials flow with existing Authorization Server using Spring Security 5.1.1.
I found that support for resource servers was added in 5.1.0.RC1 (https://spring.io/blog/2018/08/21/spring-security-5-1-0-rc1-released#oauth2-resource-servers) and updated in 5.1.0.RC2 (https://spring.io/blog/2018/09/10/spring-security-5-1-0-rc2-released#oauth2-resource-server) but looks like it's only possible to configure it with JWT support.
I might be messing up with concepts here but looking for more info and a way to configure all these components together.
I'm in same situation as you.I solve that problem in next way, maybe it can help you:
spring-boot-starter-parent.version: 2.1.1
spring-cloud-dependencies.version: Greenwich.R1
Security configuration:
#EnableWebFluxSecurity
public class SecurityConfig {
#Autowired
private ReactiveAuthenticationManager manager; //custom implementation
#Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
return http
.authorizeExchange()
.pathMatchers("/role").hasRole("ADMIN")
.pathMatchers("/test").access(new HasScope("server")) //custom implementation
.anyExchange().authenticated()
.and()
.httpBasic().disable()
.oauth2ResourceServer()
.jwt()
.authenticationManager(manager)
.and().and()
.build();
}
}
ReactiveAuthorizationManager (HasScope) implementation:
Helper which allow search for scopes in authentication object
public class HasScope implements ReactiveAuthorizationManager<AuthorizationContext> {
public HasScope(String...scopes) {
this.scopes = Arrays.asList(scopes);
}
private final Collection<String> scopes;
#Override
public Mono<AuthorizationDecision> check(Mono<Authentication> authentication, AuthorizationContext object) {
return authentication
.flatMap(it -> {
OAuth2Authentication auth = (OAuth2Authentication) it;
Set<String> requestScopes = auth.getOAuth2Request().getScope();
boolean allow = requestScopes.containsAll(scopes);
return Mono.just(new AuthorizationDecision(allow));
});
}
}
ReactiveAuthenticationManager implementation:
That is the main component in configuration which create OAuth2Authentication. There is a problem with response for wrong access_token, it returns only status code without body response.
#Component
public class ReactiveAuthenticationManagerImpl implements ReactiveAuthenticationManager {
private final ResourceServerProperties sso;
private final WebClient.Builder webClient;
private final ObjectMapper objectMapper;
private AuthoritiesExtractor authoritiesExtractor = new FixedAuthoritiesExtractor();
public ReactiveAuthenticationManagerImpl(ResourceServerProperties sso,
#Qualifier("loadBalancedWebClient") WebClient.Builder webClient, ObjectMapper objectMapper) {
this.sso = sso;
this.webClient = webClient;
this.objectMapper = objectMapper;
}
#Override
public Mono<Authentication> authenticate(Authentication authentication) {
return Mono.just(authentication)
.cast(BearerTokenAuthenticationToken.class)
.flatMap(it -> getMap(it.getToken()))
.flatMap(result -> Mono.just(extractAuthentication(result)));
}
private OAuth2Authentication extractAuthentication(Map<String, Object> map) {
Object principal = getPrincipal(map);
OAuth2Request request = getRequest(map);
List<GrantedAuthority> authorities = authoritiesExtractor.extractAuthorities(map);
UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(principal, "N/A", authorities);
token.setDetails(map);
return new OAuth2Authentication(request, token);
}
private Object getPrincipal(Map<String, Object> map) {
if (map.containsKey("principal")) {
try {
//that is the case for user authentication
return objectMapper.convertValue(map.get("principal"), UserPrincipal.class);
} catch (IllegalArgumentException ex) {
//that is the case for client authentication
return objectMapper.convertValue(map.get("principal"), String.class);
}
}
return null;
}
#SuppressWarnings({"unchecked"})
private OAuth2Request getRequest(Map<String, Object> map) {
Map<String, Object> request = (Map<String, Object>) map.get("oauth2Request");
String clientId = (String) request.get("clientId");
Set<String> scope = new LinkedHashSet<>(request.containsKey("scope") ?
(Collection<String>) request.get("scope") : Collections.emptySet());
return new OAuth2Request(null, clientId, null, true, new HashSet<>(scope),
null, null, null, null);
}
private Mono<Map<String, Object>> getMap(String accessToken) {
String uri = sso.getUserInfoUri();
return webClient.build().get()
.uri(uri)
.accept(MediaType.APPLICATION_JSON)
.header("Authorization", "Bearer " + accessToken)
.exchange()
.flatMap(it -> it.bodyToMono(new ParameterizedTypeReference<Map<String, Object>>() {}))
.onErrorMap(InvalidTokenException.class, mapper -> new InvalidTokenException("Invalid token: " + accessToken));
}

Resources