Spring Security OAuth Login with WebFlux

1. Overview

Spring Security added OAuth support for WebFlux starting with the 5.1.x GA.

We’ll discuss how to configure our WebFlux application to use OAuth2 Login support. We’ll also discuss how to use WebClient to access OAuth2 secured resources.

The OAuth Login configuration for Webflux is similar to the one for a standard Web MVC application. For more detail on this, also have a look at our article on Spring OAuth2Login element.

2. Maven Configuration

To begin with, we’ll create a simple Spring Boot application and add these dependencies to our pom.xml:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-webflux</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-oauth2-client</artifactId>
</dependency>

The spring-boot-starter-securityspring-boot-starter-webflux and spring-security-oauth2-client dependencies are available on Maven Central.

3. Main Controller

Next, we’ll add a simple controller to display the username on the home page:

@RestController
public class MainController {
    
    @GetMapping("/")
    public Mono<String> index(@AuthenticationPrincipal Mono<OAuth2User> oauth2User) {
       return oauth2User
        .map(OAuth2User::getName)
        .map(name -> String.format("Hi, %s", name));
    }
}

Note that we’ll display the username obtained from OAuth2 client UserInfo endpoint.

4. Login Using Google

Now, we’ll configure our application to support login using Google.

First, we need to create a new project at Google Developer Console

Now, we need to add OAuth2 credentials (Create Credentials > OAuth Client ID).

Next, we’ll add this to “Authorized Redirect URIs”:

http://localhost:8080/login/oauth2/code/google

Then, we need to configure our application.yml to use the Client ID and Secret:

spring:
  security:
    oauth2:
      client:
        registration:
          google:
            client-id: YOUR_APP_CLIENT_ID
            client-secret: YOUR_APP_CLIENT_SECRET

As we have spring-security-oauth2-client in our path, our application will be secured.

Users will be redirected to log in using Google before they can access our home page.

5. Login Using Auth Provider

We can also configure our application to log in from a custom authorization server.

In the following example, we’ll use our authorization server from a previous article.

This time, we need to configure more properties, not just the ClientID and Client Secret:

spring:
  security:
    oauth2:
      client:
        registration:
          custom:
            client-id: fooClientIdPassword
            client-secret: secret
            scopes: read,foo
            authorization-grant-type: authorization_code
            redirect-uri-template: http://localhost:8080/login/oauth2/code/custom
        provider:
          custom:
            authorization-uri: http://localhost:8081/spring-security-oauth-server/oauth/authorize
            token-uri: http://localhost:8081/spring-security-oauth-server/oauth/token
            user-info-uri: http://localhost:8088/spring-security-oauth-resource/users/extra
            user-name-attribute: user_name

In this case, we also need to specify the scope, grant type and redirect URI for the OAuth2 client. We’ll also provide the authorization and token URI of the Authorization Server.

Finally, we need to configure the UserInfo endpoint as well to be able to get the user authentication details.

6. Security Configuration

By default, Spring Security secures all paths. Therefore, if we have only one OAuth client, we’ll be redirected to authorize this client and log in.

If multiple OAuth clients are registered, then a login page will be automatically created to choose the login method.

We can change that if we like and provide a detailed security configuration:

@EnableWebFluxSecurity
public class SecurityConfig {

    @Bean
    public SecurityWebFilterChain configure(ServerHttpSecurity http) throws Exception {
        return http.authorizeExchange()
          .pathMatchers("/about").permitAll()
          .anyExchange().authenticated()
          .and().oauth2Login()
          .and().build();
    }
}

In this example, we’ve secured all paths except for “/about”.

7. WebClient

We can also do more than just authenticate users using OAuth2. We can use WebClient to access OAuth2 secured resources using OAuth2AuthorizedClient.

Now, let’s configure our WebClient:

@Bean
public WebClient webClient(ReactiveClientRegistrationRepository clientRegistrationRepo, 
  ServerOAuth2AuthorizedClientRepository authorizedClientRepo) {
    ServerOAuth2AuthorizedClientExchangeFilterFunction filter = 
      new ServerOAuth2AuthorizedClientExchangeFilterFunction(clientRegistrationRepo, authorizedClientRepo);
    
    return WebClient.builder().filter(filter).build();
}

Then, we can retrieve an OAuth2 secured resource:

@Autowired
private WebClient webClient;

@GetMapping("/foos/{id}")
public Mono<Foo> getFooResource(@RegisteredOAuth2AuthorizedClient("custom") 
  OAuth2AuthorizedClient client, @PathVariable final long id){
    return webClient
      .get()
      .uri("http://localhost:8088/spring-security-oauth-resource/foos/{id}", id)
      .attributes(oauth2AuthorizedClient(client))
      .retrieve()
      .bodyToMono(Foo.class); 
}

Note that we retrieved the remote resource Foo using AccessToken from OAuth2AuthorizedClient.

8. Conclusion

In this quick article, we learned how to configure our WebFlux application to use OAuth2 Login support and how to use WebClient to access OAuth2 secured resources.

As always, the full source code is available over on GitHub.

Related posts:

How to Iterate Over a Stream With Indices
Database Migrations with Flyway
Rest Web service: Filter và Interceptor với Jersey 2.x (P2)
Overview of the java.util.concurrent
Creating a Generic Array in Java
Creating Docker Images with Spring Boot
The SpringJUnitConfig and SpringJUnitWebConfig Annotations in Spring 5
Convert Hex to ASCII in Java
Java Program to Compute the Area of a Triangle Using Determinants
Quick Guide to Spring Bean Scopes
Spring Boot - Interceptor
Introduction to Thread Pools in Java
wait() and notify() Methods in Java
Inheritance and Composition (Is-a vs Has-a relationship) in Java
Hamcrest Collections Cookbook
Java Program to Solve Knapsack Problem Using Dynamic Programming
Configure a Spring Boot Web Application
Java Program to Check whether Undirected Graph is Connected using BFS
Java Program to Implement Levenshtein Distance Computing Algorithm
Removing all Nulls from a List in Java
Flattening Nested Collections in Java
Java Program to Implement Ternary Search Algorithm
Java Program to Implement the Hungarian Algorithm for Bipartite Matching
Giới thiệu Google Guice – Dependency injection (DI) framework
Java Program to Implement Suffix Array
Lập trình đa luồng với CompletableFuture trong Java 8
Injecting Prototype Beans into a Singleton Instance in Spring
Java Program to Implement Maximum Length Chain of Pairs
Immutable Map Implementations in Java
Java Program to Find the Number of Ways to Write a Number as the Sum of Numbers Smaller than Itself
Java Program to implement Priority Queue
Collection trong java