我有一个 Oauth2 身份验证服务,必须使用代理来调用 OAuth 提供程序以在用户身份验证后获取令牌。这里使用的服务器是 netty,而由于网关原因我有一个反应式服务器。
这是我正在使用的配置:
@Configuration
public class GithubProxyConfig {
private static final Logger LOGGER = Logger.getLogger(GithubProxyConfig.class);
@Bean("githubClientRegistrationRepository")
public ReactiveClientRegistrationRepository githubClientRegistrationRepository() {
ClientRegistration registration = ClientRegistration
.withRegistrationId("github")
.clientId("ID")
.clientSecret("SECRET")
.redirectUri("https://oauth-service/api/login/oauth2/code/github")
.authorizationUri("https://github.com/login/oauth/authorize")
.tokenUri("https://github.com/login/oauth/access_token")
.userInfoUri("https://api.github.com/user")
.userNameAttributeName("login")
.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
.build();
return new InMemoryReactiveClientRegistrationRepository(registration);
}
@Primary
@Bean
@DependsOn(value = {"githubClientRegistrationRepository"})
public AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager authorizedClientServiceReactiveOAuth2AuthorizedClientManager(
@Qualifier("githubClientRegistrationRepository") ReactiveClientRegistrationRepository clientRegistrations,
WebClientBuilderFactory webClientBuilderFactory
) throws SSLException {
WebClient webClient = webClientBuilderFactory
.newBuilder(LOGGER, "Github Client")
.clientConnector(sslConnectorFrom("60.32.59.68", 8080))
.build();
InMemoryReactiveOAuth2AuthorizedClientService authorizedClientService = new InMemoryReactiveOAuth2AuthorizedClientService(clientRegistrations);
AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager authorizedClientManager =
new AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager(clientRegistrations, authorizedClientService);
authorizedClientManager.setAuthorizedClientProvider(createAuthorizedClientProvider(webClient));
ServerOAuth2AuthorizedClientExchangeFilterFunction oauth2FilterFunction = new ServerOAuth2AuthorizedClientExchangeFilterFunction(
authorizedClientManager
);
oauth2FilterFunction.setDefaultClientRegistrationId("github");
return authorizedClientManager;
}
private ReactiveOAuth2AuthorizedClientProvider createAuthorizedClientProvider(WebClient webClient) {
WebClientReactiveClientCredentialsTokenResponseClient clientCredentialsTokenResponseClient
= new WebClientReactiveClientCredentialsTokenResponseClient();
clientCredentialsTokenResponseClient.setWebClient(webClient);
return ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
.clientCredentials(builder -> builder.accessTokenResponseClient(clientCredentialsTokenResponseClient))
.build();
}
}
当我启动流程时,不使用代理,甚至不使用 WebClient 来获取访问令牌。我为此得到了超时异常。 Github 上讨论了同样的问题:https://github.com/spring-projects/spring-security/issues/8966
为解决此问题提供任何帮助,以为此客户端使用代理。 谢谢你
我的网关遇到了问题,反应式 oauth2 也不遵循标准 Java 代理设置,但就我而言,它是用于 JWT 解码的。在这种情况下,我最终必须使用 WebClient 构建器和具有特定代理覆盖的新客户端连接器来构建具有实例化 WebClient 的新解码器。
根据您的情况,您可能想尝试类似的方法。 同样,情况并不完全相同,但这是我在解码器示例中覆盖 WebClient 的方式。
ReactiveJwtDecoder customDecoder() {
HttpClient httpClient =
HttpClient.create()
.proxy(proxy -> proxy
.type(ProxyProvider.Proxy.HTTP)
.host(proxyHost)
.port(proxyPort));
ReactorClientHttpConnector conn = new ReactorClientHttpConnector(httpClient);
final NimbusReactiveJwtDecoder userTokenDecoder = NimbusReactiveJwtDecoder.withJwkSetUri(this.jwkSetUri)
.webClient(WebClient.builder().clientConnector(conn).build()).build();
...
...
...
return userTokenDecoder;
}
Spring boot OAuth2 改变了客户端注入的方式。 参见: