1. Overview
Spring Security added OAuth support for WebFlux starting with the 5.1.x GA.
We’ll discuss how to configure our WebFlux application to use OAuth2 Login support. We’ll also discuss how to use WebClient to access OAuth2 secured resources.
The OAuth Login configuration for Webflux is similar to the one for a standard Web MVC application. For more detail on this, also have a look at our article on Spring OAuth2Login element.
2. Maven Configuration
To begin with, we’ll create a simple Spring Boot application and add these dependencies to our pom.xml:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-webflux</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-oauth2-client</artifactId>
</dependency>
The spring-boot-starter-security, spring-boot-starter-webflux and spring-security-oauth2-client dependencies are available on Maven Central.
3. Main Controller
Next, we’ll add a simple controller to display the username on the home page:
@RestController
public class MainController {
@GetMapping("/")
public Mono<String> index(@AuthenticationPrincipal Mono<OAuth2User> oauth2User) {
return oauth2User
.map(OAuth2User::getName)
.map(name -> String.format("Hi, %s", name));
}
}
Note that we’ll display the username obtained from OAuth2 client UserInfo endpoint.
4. Login Using Google
Now, we’ll configure our application to support login using Google.
First, we need to create a new project at Google Developer Console
Now, we need to add OAuth2 credentials (Create Credentials > OAuth Client ID).
Next, we’ll add this to “Authorized Redirect URIs”:
http://localhost:8080/login/oauth2/code/google
Then, we need to configure our application.yml to use the Client ID and Secret:
spring:
security:
oauth2:
client:
registration:
google:
client-id: YOUR_APP_CLIENT_ID
client-secret: YOUR_APP_CLIENT_SECRET
As we have spring-security-oauth2-client in our path, our application will be secured.
Users will be redirected to log in using Google before they can access our home page.
5. Login Using Auth Provider
We can also configure our application to log in from a custom authorization server.
In the following example, we’ll use our authorization server from a previous article.
This time, we need to configure more properties, not just the ClientID and Client Secret:
spring:
security:
oauth2:
client:
registration:
custom:
client-id: fooClientIdPassword
client-secret: secret
scopes: read,foo
authorization-grant-type: authorization_code
redirect-uri-template: http://localhost:8080/login/oauth2/code/custom
provider:
custom:
authorization-uri: http://localhost:8081/spring-security-oauth-server/oauth/authorize
token-uri: http://localhost:8081/spring-security-oauth-server/oauth/token
user-info-uri: http://localhost:8088/spring-security-oauth-resource/users/extra
user-name-attribute: user_name
In this case, we also need to specify the scope, grant type and redirect URI for the OAuth2 client. We’ll also provide the authorization and token URI of the Authorization Server.
Finally, we need to configure the UserInfo endpoint as well to be able to get the user authentication details.
6. Security Configuration
By default, Spring Security secures all paths. Therefore, if we have only one OAuth client, we’ll be redirected to authorize this client and log in.
If multiple OAuth clients are registered, then a login page will be automatically created to choose the login method.
We can change that if we like and provide a detailed security configuration:
@EnableWebFluxSecurity
public class SecurityConfig {
@Bean
public SecurityWebFilterChain configure(ServerHttpSecurity http) throws Exception {
return http.authorizeExchange(auth -> auth
.pathMatchers("/about").permitAll()
.anyExchange().authenticated())
.oauth2Login(Customizer.withDefaults())
.build();
}
}
In this example, we’ve secured all paths except for “/about”.
7. WebClient
We can also do more than just authenticate users using OAuth2. We can use WebClient to access OAuth2 secured resources using OAuth2AuthorizedClient.
Now, let’s configure our WebClient:
@Bean
public WebClient webClient(ReactiveClientRegistrationRepository clientRegistrationRepo,
ServerOAuth2AuthorizedClientRepository authorizedClientRepo) {
ServerOAuth2AuthorizedClientExchangeFilterFunction filter =
new ServerOAuth2AuthorizedClientExchangeFilterFunction(clientRegistrationRepo, authorizedClientRepo);
return WebClient.builder().filter(filter).build();
}
Then, we can retrieve an OAuth2 secured resource:
@Autowired
private WebClient webClient;
@GetMapping("/foos/{id}")
public Mono<Foo> getFooResource(@RegisteredOAuth2AuthorizedClient("custom")
OAuth2AuthorizedClient client, @PathVariable final long id){
return webClient
.get()
.uri("http://localhost:8088/spring-security-oauth-resource/foos/{id}", id)
.attributes(oauth2AuthorizedClient(client))
.retrieve()
.bodyToMono(Foo.class);
}
Note that we retrieved the remote resource Foo using AccessToken from OAuth2AuthorizedClient.
8. Conclusion
In this quick article, we learned how to configure our WebFlux application to use OAuth2 Login support and how to use WebClient to access OAuth2 secured resources.
As always, the full source code is available over on GitHub.