带有自定义身份验证服务器客户端凭据的 Spring Cloud Gateway 与 WebClient 流

编程问答 2022-04-29

问题描述

我关注了这个博客 How can I use client_credentials to access another oauth2 resource from a resource server? 来创建一个 WebClient,它将请求令牌并将其向下转发到另一个资源服务器。这似乎工作正常,因为代码显示它正在使用 WebClient。

现在,我有一个 Spring Cloud Gateway,它想这样做并请求令牌并将其向下游转发到资源服务器。

我有以下配置。

@EnableWebFluxSecurity
public class WebClientConfig {

  @Bean
  public ReactiveOAuth2AuthorizedClientManager authorizedClientManager(
      ReactiveClientRegistrationRepository clientRegistrationRepository,ReactiveOAuth2AuthorizedClientService authorizedClientService) {

    ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider =
        ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
            .clientCredentials()
            .build();

    AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager authorizedClientManager =
        new AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager(
            clientRegistrationRepository,authorizedClientService);

    authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);

    return authorizedClientManager;
  }

  @Bean
  public WebClient webClient(ReactiveOAuth2AuthorizedClientManager authorizedClientManager) {
    String registrationId = "custom";

    ServerOAuth2AuthorizedClientExchangeFilterFunction oauth = new ServerOAuth2AuthorizedClientExchangeFilterFunction(
        authorizedClientManager);

    oauth.setDefaultClientRegistrationId(registrationId);
    return WebClient.builder()
        .baseUrl("http://localhost:8888")
        .filter(oauth).build();
  }

  @Bean
  public SecurityWebFilterChain configure(ServerHttpSecurity http) {
    return http
        .oauth2client()
        .and()
        .build();
  }
}

我的 application.yml 在下面

server:
  port: 8081
spring:
  security:
    oauth2:
      client:
        provider:
          custom:
            token-uri: http://localhost:8080/oauth/token
        registration:
          custom:
            client-id: campaign-station-client
            client-secret: password
            scope: "*"
            authorization-grant-type: client_credentials
  cloud:
    gateway:
      routes:
        - id: resource_server_id
          uri: http://localhost:8888/
          predicates:
            - Path=/resourceserver/**
          filters:
            - RewritePath=/resourceserver/(?<segment>.*),/$\{segment}

当我通过网关调用我的资源服务器端点时,网关不使用 WebClient 来检索访问令牌(例如 client_credentials 流)。我如何在每次调用网关时使用此 WebClient,以便将令牌下游转发到资源服务器?

解决方法

您需要编写一个自定义过滤器,您可以从那里传递令牌。查看 TokenGatewayFilter 的代码。这会给你一个更好的主意。我已经实现了相同的。

spring-cloud-gatewayspring-securityspring-security-oauth2spring-webfluxwebclientwebclientwebclient