It would be nice if Spring Boot added some autoconfiguration for applying Spring Security's OAuth2 Support for Interface HTTP Clients.
The configuration looks like this for RestClient and should be activated when the classpath has RestClient and the OAuth2 client jar, and there is an OAuth2AuthorizedClientManager bean.
```java
@Bean
OAuth2RestClientHttpServiceGroupConfigurer securityConfigurer(
        OAuth2AuthorizedClientManager manager) {
    return OAuth2RestClientHttpServiceGroupConfigurer.from(manager);
}
```
The configuration looks like this for WebClient and should be activated when the classpath has WebClient and the OAuth2 client jar, and there is an OAuth2AuthorizedClientManager bean.
```java
// WebClient variant: uses the WebClient configurer rather than the RestClient one
@Bean
OAuth2WebClientHttpServiceGroupConfigurer securityConfigurer(
        OAuth2AuthorizedClientManager manager) {
    return OAuth2WebClientHttpServiceGroupConfigurer.from(manager);
}
```
cc @joshlong
Comment From: Torres-09
Hi there, I'd like to contribute to this issue.
I'll start working on adding autoconfiguration for OAuth2 support to both RestClient and WebClient in Spring Boot.
Are there any additional considerations or points I should be aware of before I get started?
Comment From: wilkinsona
Thanks for the offer, @Torres-09.
In addition to the two scenarios that @rwinch has described above, I think we should also consider the use of WebClient in a servlet application. In that case, the OAuth2WebClientHttpServiceGroupConfigurer should be created using from(OAuth2AuthorizedClientManager).
@rwinch please let us know if there's good reason not to do so.
Comment From: Torres-09
Hello, I'm following this issue with interest. There have been no updates for a few weeks, so I wanted to ask if there is any news or progress on this. Thank you!
Comment From: philwebb
Nothing as yet @Torres-09, but rest assured that we'll update this issue when progress has been made.
Comment From: builtDifferentCoder
Is this issue still open? If so, I'm currently working on OAuth2 and I believe I will be able to resolve the issue.
Comment From: wilkinsona
@builtDifferentCoder we're awaiting feedback from @rwinch. Once we have that, @Torres-09 has already offered to make a contribution.
Comment From: rwinch
Thank you for the ping @wilkinsona
> In addition to the two scenarios that @rwinch has described above, I think we should also consider the use of WebClient in a servlet application. In that case, the OAuth2WebClientHttpServiceGroupConfigurer should be created using from(OAuth2AuthorizedClientManager).
Yes. This is another valid use case that should be accounted for. Thank you!
Comment From: Torres-09
Hello, would it be okay if I start working on this? Before I begin, I want to propose my implementation plan to ensure I'm on the right track.
1. Implementation Plan
My plan is to create a single auto-configuration class that handles all the discussed scenarios. I intend to use nested @Configuration classes with conditional annotations (@ConditionalOnWebApplication) to provide the correct Configurer bean for each environment:
RestClient: from(OAuth2AuthorizedClientManager)
OAuth2RestClientHttpServiceGroupConfigurer
WebClient in a servlet environment & WebClient in a non-servlet environment (reactive & none): A specific configuration that internally uses from(OAuth2AuthorizedClientManager) to correctly handle the servlet context.
OAuth2WebClientHttpServiceGroupConfigurer
Does this overall approach seem reasonable to you?
2. Package Location
For the package location, I believe the new auto-configuration class fits best in org.springframework.boot.security.oauth2.client.autoconfigure.
My reasoning is that this feature is fundamentally about applying OAuth2 Client security to the HTTP clients, rather than being a core feature of RestClient or WebClient themselves.
I would appreciate your thoughts on this placement. Thank you!
cc @rwinch, @wilkinsona
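
The plan above, sketched as an added example (not part of the thread and not Spring Boot's own code). The class name OAuth2HttpServiceClientAutoConfiguration and the Spring Security import packages are assumptions, and the sketch keys on the OAuth2AuthorizedClientManager bean instead of @ConditionalOnWebApplication, since both clients use from(OAuth2AuthorizedClientManager) in the scenarios discussed here:

```java
// Added sketch of the plan discussed in this issue; not Spring Boot's own code.
// Assumed: the class name and the two Spring Security "support" import packages.
package org.springframework.boot.security.oauth2.client.autoconfigure;

import org.springframework.boot.autoconfigure.AutoConfiguration;
import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.web.client.support.OAuth2RestClientHttpServiceGroupConfigurer;
import org.springframework.security.oauth2.client.web.reactive.function.client.support.OAuth2WebClientHttpServiceGroupConfigurer;
import org.springframework.web.client.RestClient;
import org.springframework.web.reactive.function.client.WebClient;

// Must be ordered after whichever auto-configuration registers the manager bean,
// otherwise @ConditionalOnBean is evaluated too early and nothing is applied.
@AutoConfiguration
@ConditionalOnBean(OAuth2AuthorizedClientManager.class)
public class OAuth2HttpServiceClientAutoConfiguration {

    // RestClient-backed HTTP service groups
    @Configuration(proxyBeanMethods = false)
    @ConditionalOnClass({ RestClient.class, OAuth2RestClientHttpServiceGroupConfigurer.class })
    static class RestClientConfiguration {

        @Bean
        @ConditionalOnMissingBean // an application-defined configurer wins
        OAuth2RestClientHttpServiceGroupConfigurer oauth2RestClientConfigurer(
                OAuth2AuthorizedClientManager manager) {
            return OAuth2RestClientHttpServiceGroupConfigurer.from(manager);
        }
    }

    // WebClient-backed HTTP service groups where a servlet-style manager is present
    @Configuration(proxyBeanMethods = false)
    @ConditionalOnClass({ WebClient.class, OAuth2WebClientHttpServiceGroupConfigurer.class })
    static class WebClientConfiguration {

        @Bean
        @ConditionalOnMissingBean // an application-defined configurer wins
        OAuth2WebClientHttpServiceGroupConfigurer oauth2WebClientConfigurer(
                OAuth2AuthorizedClientManager manager) {
            return OAuth2WebClientHttpServiceGroupConfigurer.from(manager);
        }
    }
}
```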