This version is still in development and is not considered stable yet. For the latest stable version, please use Spring Security 6.5.6!

HTTP Service Clients Integration

Spring Security’s OAuth Support can integrate with RestClient and WebClient HTTP Service Clients.

Configuration

After RestClient or WebClient specific configuration, usage of HTTP Service Clients Integration only requires adding a @ClientRegistrationId to methods that require OAuth or their declaring HTTP interface.

Since the presence of @ClientRegistrationId determines if and how the OAuth token will be resolved, it is safe to add Spring Security’s OAuth support any configuration.

RestClient Configuration

Spring Security’s OAuth Support can integrate with HTTP Service Clients backed by RestClient. The first step is to create an OAuthAuthorizedClientManager Bean.

Next you must configure HttpServiceProxyFactory and RestClient to be aware of @ClientRegistrationId To simplify this configuration, use OAuth2RestClientHttpServiceGroupConfigurer.

Java
Kotlin

@Bean
OAuth2RestClientHttpServiceGroupConfigurer securityConfigurer(
		OAuth2AuthorizedClientManager manager) {
	return OAuth2RestClientHttpServiceGroupConfigurer.from(manager);
}

@Bean
fun securityConfigurer(manager: OAuth2AuthorizedClientManager): OAuth2RestClientHttpServiceGroupConfigurer {
    return OAuth2RestClientHttpServiceGroupConfigurer.from(manager)
}

The configuration:

Adds ClientRegistrationIdProcessor to HttpServiceProxyFactory
Adds OAuth2ClientHttpRequestInterceptor to the RestClient

WebClient Configuration

Spring Security’s OAuth Support can integrate with HTTP Service Clients backed by WebClient. The first step is to create an ReactiveOAuthAuthorizedClientManager Bean.

Next you must configure HttpServiceProxyFactory and WebRestClient to be aware of @ClientRegistrationId To simplify this configuration, use OAuth2WebClientHttpServiceGroupConfigurer.

Java
Kotlin

@Bean
OAuth2WebClientHttpServiceGroupConfigurer securityConfigurer(
		ReactiveOAuth2AuthorizedClientManager manager) {
	return OAuth2WebClientHttpServiceGroupConfigurer.from(manager);
}

@Bean
fun securityConfigurer(
    manager: ReactiveOAuth2AuthorizedClientManager?
): OAuth2WebClientHttpServiceGroupConfigurer {
    return OAuth2WebClientHttpServiceGroupConfigurer.from(manager)
}

The configuration:

Adds ClientRegistrationIdProcessor to HttpServiceProxyFactory
Adds ServerOAuth2AuthorizedClientExchangeFilterFunction to the WebClient

@ClientRegistrationId

You can add the ClientRegistrationId on the HTTP Service to specify which ClientRegistration to use.

Java
Kotlin

	@GetExchange("/user")
	@ClientRegistrationId("github")
	User getAuthenticatedUser();

    @GetExchange("/user")
    @ClientRegistrationId("github")
    fun getAuthenticatedUser() : User

The @ClientRegistrationId will be processed by ClientRegistrationIdProcessor

Type Level Declarations

@ClientRegistrationId can also be added at the type level to avoid repeating the declaration on every method.

Java
Kotlin

@HttpExchange
@ClientRegistrationId("github")
public interface UserService {

	@GetExchange("/user")
	User getAuthenticatedUser();

	@GetExchange("/users/{username}/hovercard")
	Hovercard getHovercard(@PathVariable String username);

}

@HttpExchange
@ClientRegistrationId("github")
interface UserService {
    @GetExchange("/user")
    fun getAuthenticatedUser(): User

    @GetExchange("/users/{username}/hovercard")
    fun getHovercard(@PathVariable username: String): Hovercard
}

`ClientRegistrationIdProcessor`

The configured ClientRegistrationIdProcessor will:

Automatically invoke ClientAttributes.clientRegistrationId(String) for each @ClientRegistrationId.
This adds the ClientRegistration.getId() to the attributes

The id is then processed by:

OAuth2ClientHttpRequestInterceptor for RestClient Integration
ServletOAuth2AuthorizedClientExchangeFilterFunction (servlets) or ServerOAuth2AuthorizedClientExchangeFilterFunction (reactive environments) for WebClient.