Provide Servlet equivalent of UnAuthenticatedServerOAuth2AuthorizedClientRepository #6683
Comments
@DarrenForsythe thanks for the report. Have you already tried
@jzheaux That appears only to be applicable for fully reactive stacks unless I'm mistaken. Currently using WebClient within a Looking at that class, perhaps the ask of this issue is an implementation of that class for servlet implementing the
Thanks, @DarrenForsythe, it's a good question. Usually, we recommend the reactive stack for non-webapps, so it's not clear to me yet whether a servlet version of that class makes sense. What can you tell me about your scenario so that I can understand it better? Are you trying to make a call from a background thread, from a CLI, or something else?
Background thread that runs attestation processing for a pub/sub flow. Also a few APIs exposed within the application for data access. I've seen quite a few use cases, working in a large enterprise environment, like this (background threads in a servlet stack) where it simply isn't feasible to switch the apps to a reactive stack, but they want to take advantage of the new features currently in and coming to WebClient.
To add, I think this is a minor blocker to more enterprise companies picking up Spring 5 easily. I've seen enough Spring Boot applications that the usage of OAuth2RestTemplate can just be used anywhere without fail; developers seem to be expecting the same experience between Servlet/Reactive. I wouldn't expect WebClient to be as easily transferable, but the lack of a Spring Security class to expose a no-op/anon client may lead companies to add their own (and potentially wrong) implementations. I'd be happy to provide a PR for it if the Spring Security team deems it valuable to have and by proxy maintain.
@DarrenForsythe I'm not in favour of adding a no-op You have Can you provide a complete and minimal sample that demonstrates a no-op I understand your use-case and have seen demand for this as of late. I do agree that there is a need to call oauth2 protected resources that are running outside of the context of a
https://github.com/DarrenForsythe/spring-security-6683-issue-verification I was able to hack together what I've been seeing, based off mixing a couple of your samples to re-create a client credentials flow. Sorry it's very messy,
If you run the application you'll see the By default it uses the If you remove the application of the filter exchange the WebClient call will 401 as expected. The only reason I tried a no-op was the
@DarrenForsythe I put together a sample (branch Take a look at how it's configured for The README provides detailed steps to get up and running to test this out. Can you integrate this into your application and provide feedback on the experience. I'll submit a PR that includes this feature targeted for 5.2. Your initial feedback would be helpful before I prepare the PR. Thanks.
@jgrandja Tested it this morning, looks good to me. |
@DarrenForsythe Thank you for validating. Did you notice
Struggling to think of use cases currently for it, but I do always enjoy extensibility if it's easy to provide/maintain, especially as it's a final class. I was able to do another verification through another use case: MQ Message > Call back to client creds secured resource > Assertion Exception due to no servlet request. Dropped in your impl and it worked.
Thanks @DarrenForsythe. I'll get to this after I complete a couple of other pre-requisite tasks. |
No, thank you! I appreciate this being added and quick turn around. Hopefully bump into you in the elevator at S1P again this year @jgrandja 😄 |
It seems like this is not tied to a Thread local or any Servlet APIs, so it should leverage the fully reactive support. This sample is a simple CLI app and can be used as a model on how to use Spring Security OAuth in a background thread. Does this help you? |
@rwinch Please see this comment
As you can see, the requirement is to provide the ability to operate outside of a request context (e.g. background thread) in a Servlet environment. @DarrenForsythe This issue will be resolved when #7122 is merged, which builds on the recently merged #6811. |
Fixed via #7122 |
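The wiring this thread converges on, written here as an added example for this page and not taken from the issue, its linked verification repository, or the Spring Security project: a servlet-stack Spring Boot application whose WebClient fetches a client_credentials token from a @Scheduled background thread, where there is no HttpServletRequest, no HttpSession and no SecurityContext. It uses AuthorizedClientServiceOAuth2AuthorizedClientManager, which ships in Spring Security 5.2 and stores authorized clients in the OAuth2AuthorizedClientService instead of the session, so ServletOAuth2AuthorizedClientExchangeFilterFunction no longer needs a request. The registration id backend-client, the resource URL and the package name are hypothetical; the ClientRegistrationRepository and OAuth2AuthorizedClientService beans are assumed to come from Spring Boot's OAuth2 client auto-configuration, with the registration declared as authorization-grant-type client_credentials in application properties.

```java
package com.example.oauth2background; // hypothetical package

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.scheduling.annotation.EnableScheduling;
import org.springframework.scheduling.annotation.Scheduled;
import org.springframework.security.oauth2.client.AuthorizedClientServiceOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction;
import org.springframework.web.reactive.function.client.WebClient;

@Configuration
@EnableScheduling
public class BackgroundOAuth2ClientConfig {

    // Spring Security 5.2+: the manager obtains, caches and re-obtains the
    // client_credentials token through OAuth2AuthorizedClientService, keyed by
    // registration id and principal name, so no HttpServletRequest or
    // HttpSession is involved. The 5.1-era constructor
    //   new ServletOAuth2AuthorizedClientExchangeFilterFunction(clientRegistrationRepository, authorizedClientRepository)
    // backed by the default HttpSessionOAuth2AuthorizedClientRepository cannot
    // work on a background thread: there is no request to load a session from.
    @Bean
    OAuth2AuthorizedClientManager authorizedClientManager(
            ClientRegistrationRepository clientRegistrationRepository,
            OAuth2AuthorizedClientService authorizedClientService) {
        OAuth2AuthorizedClientProvider provider = OAuth2AuthorizedClientProviderBuilder.builder()
                .clientCredentials()
                .build();
        AuthorizedClientServiceOAuth2AuthorizedClientManager manager =
                new AuthorizedClientServiceOAuth2AuthorizedClientManager(
                        clientRegistrationRepository, authorizedClientService);
        manager.setAuthorizedClientProvider(provider);
        return manager;
    }

    @Bean
    WebClient resourceWebClient(OAuth2AuthorizedClientManager authorizedClientManager) {
        ServletOAuth2AuthorizedClientExchangeFilterFunction oauth2 =
                new ServletOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager);
        // "backend-client" is a hypothetical spring.security.oauth2.client.registration id
        oauth2.setDefaultClientRegistrationId("backend-client");
        return WebClient.builder()
                .apply(oauth2.oauth2Configuration())
                .build();
    }

    @Bean
    ItemPoller itemPoller(WebClient resourceWebClient) {
        return new ItemPoller(resourceWebClient);
    }

    static class ItemPoller {
        private final WebClient webClient;

        ItemPoller(WebClient webClient) {
            this.webClient = webClient;
        }

        // Runs on the scheduler thread with no servlet request and no
        // SecurityContext; the filter function supplies an anonymous principal
        // for the authorized-client lookup, which is all client_credentials needs.
        @Scheduled(fixedDelay = 60_000)
        void poll() {
            String body = this.webClient.get()
                    .uri("https://resource.example/api/items") // hypothetical resource server
                    .retrieve()
                    .bodyToMono(String.class)
                    .block();
            // process body ...
        }
    }
}
```

Two things worth checking before relying on this in production. The in-memory OAuth2AuthorizedClientService keeps the access token in the JVM for as long as the entry lives, and the client_credentials provider only requests a new token once the cached one is expired (or within its clock-skew window), so a revoked token keeps being sent until then. And because the lookup key is the registration id plus principal name, every caller that hits the WebClient without an Authentication in the SecurityContext shares the same token; that is the intended behaviour for a machine-to-machine client, but it means the bean should not be reused for user-delegated (authorization_code) calls.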
Not able to get the access token with WebClient; my issue is exactly similar to this. I am using WebClient in a server with Tomcat; this is not a complete reactive Spring Boot application. I could not find the UnauthenticatedPrincipalOAuth2AuthorizedClientRepository class in the web package using oauth-client 5.45 and Spring Boot 2.4.4.
Thanks for reaching out, @abhishekvangumalla. Although this ticket was closed, it was closed by enhancing
Summary
Currently when using `ServletOAuth2AuthorizedClientExchangeFilterFunction` (this might also apply to the Server impl) it requires an `OAuth2AuthorizedClientRepository`. This works fine when there is some sort of request in progress; however, when calling OAuth2 secured resources while no web request is in progress, each call will fail.
A user can provide their own no-op impl such as,
However this doesn't lend itself to being easily understood why, and any use case that calls OAuth2 secured resources without an HttpServlet Request/Response will need it. Across multiple apps this can get messy.
Actual Behavior
Provide no-op implementations of the `OAuth2AuthorizedClientRepository` to allow easier discovery/documentation for use cases that exist for calling secured OAuth2 resources outside of a web request.
Expected Behavior
OAuth2 Resource call does not require users to impl their own no-op impl. Spring Security provides a class to allow easier documentation of use cases for no-op impls.
Configuration
Example failure impl,
Working impl,
Version
Spring Boot 2.1.3, Spring Security 5.1.3
Sample