Provide an OAuth2 Token to a Feign Client – 向Feign客户端提供OAuth2令牌

最后修改: 2022年 2月 17日

中文/混合/英文(键盘快捷键:t)

1. Overview

1.概述

OpenFeign is a declarative REST client that we can use in Spring Boot applications. Let’s assume that we have a REST API secured using OAuth2, and we want to invoke it using OpenFeign. In this situation, we’ll need to provide an access token with OpenFeign.

OpenFeign是一个声明式REST客户端,我们可以在Spring Boot应用程序中使用。让我们假设我们有一个使用OAuth2安全的REST API,并且我们希望使用OpenFeign来调用它。在这种情况下,我们需要用OpenFeign提供一个访问令牌。

In this tutorial, we’ll describe how to add OAuth2 support to the OpenFeign client.

在本教程中,我们将描述如何在OpenFeign客户端添加OAuth2支持

2. Service to Service Authentication

2.服务对服务的认证

The service to service authentication is a popular topic in API security. We can use mTLS or JWT to provide an authentication mechanism for a REST API. However, the OAuth2 protocol is the defacto solution to protect the APIs. Let’s say we want to call a secure service (server role) using another service (client role). In this scenario, we use the client credential grant type. We usually use client credentials for authentication between two APIs or systems with no end-user. The below figure shows the main actors in this grant type:

服务到服务的认证是API安全中的一个热门话题。我们可以使用mTLSJWT来为REST API提供一个认证机制。然而,OAuth2协议是保护API的事实上的解决方案。假设我们想使用另一个服务(客户角色)来调用一个安全服务(服务器角色)。在这种情况下,我们使用客户凭证授予类型。我们通常使用客户端凭证来进行两个API之间的认证或没有最终用户的系统。下图显示了这种授予类型中的主要角色。

openfeign client credential1

In client credentials, the client service obtains an access token from the authorization server using the token endpoint. It then uses the access token to access resources protected by a resource server. The resource server validates the access token, and if valid, serves the request.

在客户端凭证中,客户端服务使用令牌端点从授权服务器获得访问令牌。然后,它使用访问令牌来访问受资源服务器保护的资源。资源服务器会验证访问令牌,如果有效,就为请求提供服务。

2.1. Authorization Server

2.1.授权服务器

Let’s set up an authorization server for issuing access tokens. To keep things simple for now, we’ll be using Keycloak embedded in a Spring Boot application. Let’s assume that we use the authorization server project available on GitHub. First, we define the payment-app client in realm master in our embedded Keycloak server:

让我们来设置一个授权服务器来发行访问令牌。为了保持简单,我们将使用嵌入Spring Boot应用程序中的Keycloak。让我们假设我们使用授权服务器项目可在GitHub上获得。首先,我们在嵌入式Keycloak服务器的境界master中定义payment-app客户端。

openfeign payment client1

We set the Access Type to credential and enable the Service Accounts Enabled option. Then, we export the realm details as feign-realm.json and set the realm file in our application-feign.yml:

我们将Access Type设置为credential,并启用Service Accounts Enabled选项。然后,我们将境界细节导出为feign-realm.json,并在application-feign.yml中设置境界文件。

keycloak:
  server:
    contextPath: /auth
    adminUser:
      username: bael-admin
      password: pass
    realmImportFile: feign-realm.json

Now, the authorization server is ready. Finally, we can run the application using the –spring.profiles.active=feign option. Since we’re focusing on the OpenFeign OAuth2 support in this tutorial, we don’t need to dive any deeper into it.

现在,授权服务器已经准备好了。最后,我们可以使用-spring.profiles.active=feign选项来运行该应用程序。由于我们在本教程中专注于OpenFeign OAuth2的支持,我们不需要再深入研究。

2.2. Resource Server

2.2.资源服务器

Now that we’ve configured the authorization server, let’s set up the resource server. For that, we’ll use the resource server project available on GitHub. First, we add the Payment class as a resource:

现在我们已经配置了授权服务器,让我们来设置资源服务器为此,我们将使用资源服务器项目在 GitHub上提供。首先,我们添加Payment类作为资源。

public class Payment {

    private String id;
    private double amount;

   // standard getters and setters
}

Then, we declare an API in PaymentController class:

然后,我们在PaymentController类中声明一个API。

@RestController
public class PaymentController {

    @GetMapping("/payments")
    public List<Payment> getPayments() {
        List<Payment> payments = new ArrayList<>();
        for(int i = 1; i < 6; i++){
            Payment payment = new Payment();
            payment.setId(String.valueOf(i));
            payment.setAmount(2);
            payments.add(payment);
        }
        return payments;
    }

}

The getPayments() API returns a list of payments. Also, we configure the resource server in our application-feign.yml file:

getPayments() API返回一个付款列表。另外,我们在application-feign.yml文件中配置了资源服务器。

spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: http://localhost:8083/auth/realms/master

Now, the getPayments() API is secure using the OAuth2 authorization server, and we must provide a valid access token for invoking this API:

现在,getPayments() API使用OAuth2授权服务器是安全的,我们必须提供一个有效的访问令牌来调用这个API。

curl --location --request POST 'http://localhost:8083/auth/realms/master/protocol/openid-connect/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'client_id=payment-app' \
  --data-urlencode 'client_secret=863e9de4-33d4-4471-b35e-f8d2434385bb' \
  --data-urlencode 'grant_type=client_credentials'

After getting the access token, we set it in the Authorization header of the request:

获得访问令牌后,我们在请求的Authorization头中设置它。

curl --location --request GET 'http://localhost:8081/resource-server-jwt/payments' \
  --header 'Authorization: Bearer Access_Token'

Now, we want to call the secure API using OpenFeign instead of cURL or Postman.

现在,我们要使用OpenFeign而不是cURLPostman调用安全API。

3. OpenFeign Client

3.OpenFeign客户端

3.1. Dependencies

3.1. 依赖性

To use the Spring Cloud OpenFeign for invoking the secure API, we’ll need to add the spring-cloud-starter-openfeign to our pom.xml file:

为了使用Spring Cloud OpenFeign来调用安全API,我们需要将spring-cloud-starter-openfeign加入我们的pom.xml文件。

<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-openfeign</artifactId>
    <version>3.1.0</version>
</dependency>

Additionally, we need to add the spring-cloud-dependencies to the pom.xml:

此外,我们需要将spring-cloud-dependencies添加到pom.xml

<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-dependencies</artifactId>
    <version>2021.0.0</version>
    <type>pom</type>
</dependency>

3.2. Configuration

3.2.配置

First, we need to add @EnableFeignClients to our main class:

首先,我们需要将@EnableFeignClients加入我们的主类。

@SpringBootApplication
@EnableFeignClients
public class ExampleApplication {
    public static void main(String[] args) {
        SpringApplication.run(ExampleApplication.class, args);
    }
}

Then, we define the PaymentClient interface for invoking the getPayments() API. Also, we need to add @FeignClient to our PaymentClient interface:

然后,我们定义PaymentClient接口,用于调用getPayments() API。此外,我们需要将@FeignClient添加到我们的PaymentClient接口。

@FeignClient(
  name = "payment-client", 
  url = "http://localhost:8081/resource-server-jwt", 
  configuration = OAuthFeignConfig.class)
public interface PaymentClient {

    @RequestMapping(value = "/payments", method = RequestMethod.GET)
    List<Payment> getPayments();
}

We set the url according to the address of the resource server. In this case, the main parameter of the @FeignClient is the configuration attribute that supports OAuth2 for OpenFeign. After that, we define a PaymentController class and inject PaymentClient into it:

我们根据资源服务器的地址来设置url。在这种情况下,@FeignClient的主要参数是configuration属性,支持OpenFeign的OAuth2。之后,我们定义一个PaymentController类并将PaymentClient注入其中。

@RestController
public class PaymentController {

    private final PaymentClient paymentClient;

    public PaymentController(PaymentClient paymentClient) {
        this.paymentClient = paymentClient;
    }

    @GetMapping("/payments")
    public List<Payment> getPayments() {
        List<Payment> payments = paymentClient.getPayments();
        return payments;
    }
}

4. OAuth2 Support

4.支持OAuth2

4.1. Dependencies

4.1. 依赖性

To add the OAuth2 support to Spring Cloud OpenFeign, we’ll need to add the spring-security-oauth2-client and spring-boot-starter-security to our pom.xml file:

为了向Spring Cloud OpenFeign添加OAuth2支持,我们需要将spring-security-oauth2-clientspring-boot-start-security添加到我们的pom.xml文件。

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
    <version>2.6.1</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-oauth2-client</artifactId>
    <version>5.6.0</version>
</dependency>

4.2. Configuration

4.2.配置

Now, we want to create a configuration. The idea is to get and add an access token to the OpenFeign request. The interceptors can perform this task for every HTTP request/response. Adding interceptors is a useful feature provided by Feign. We’ll use a RequestInterceptor, which injects the OAuth2 access token into the request of the OpenFeign client by adding an Authorization Bearer header. Let’s define the OAuthFeignConfig configuration class and define the requestInterceptor() bean:

现在,我们要创建一个配置。这个想法是为了获取并向OpenFeign请求添加访问令牌。 拦截器可以对每个HTTP请求/响应执行这个任务。添加拦截器是Feign提供的一个有用的功能。我们将使用一个RequestInterceptor,它通过添加授权承载头将OAuth2访问令牌注入OpenFeign客户端的请求中。让我们定义OAuthFeignConfig配置类并定义requestInterceptor()bean。

@Configuration
public class OAuthFeignConfig {

    public static final String CLIENT_REGISTRATION_ID = "keycloak";

    private final OAuth2AuthorizedClientService oAuth2AuthorizedClientService;
    private final ClientRegistrationRepository clientRegistrationRepository;

    public OAuthFeignConfig(OAuth2AuthorizedClientService oAuth2AuthorizedClientService,
      ClientRegistrationRepository clientRegistrationRepository) {
        this.oAuth2AuthorizedClientService = oAuth2AuthorizedClientService;
        this.clientRegistrationRepository = clientRegistrationRepository;
    }

    @Bean
    public RequestInterceptor requestInterceptor() {
        ClientRegistration clientRegistration = clientRegistrationRepository.findByRegistrationId(CLIENT_REGISTRATION_ID);
        OAuthClientCredentialsFeignManager clientCredentialsFeignManager =
          new OAuthClientCredentialsFeignManager(authorizedClientManager(), clientRegistration);
        return requestTemplate -> {
            requestTemplate.header("Authorization", "Bearer " + clientCredentialsFeignManager.getAccessToken());
        };
    }
}

In the requestInterceptor() bean, we use the ClientRegistration and OAuthClientCredentialsFeignManager classes to register the oauth2 client and get an access token from the authorization server. To do this, we need to define the oauth2 client properties in our application.properties file:

requestInterceptor() Bean中,我们使用ClientRegistrationOAuthClientCredentialsFeignManager类来注册oauth2客户端并从授权服务器获得访问令牌。要做到这一点,我们需要在application.properties文件中定义oauth2客户端属性。

spring.security.oauth2.client.registration.keycloak.authorization-grant-type=client_credentials
spring.security.oauth2.client.registration.keycloak.client-id=payment-app
spring.security.oauth2.client.registration.keycloak.client-secret=863e9de4-33d4-4471-b35e-f8d2434385bb
spring.security.oauth2.client.provider.keycloak.token-uri=http://localhost:8083/auth/realms/master/protocol/openid-connect/token

Let’s create the OAuthClientCredentialsFeignManager class and define the getAccessToken() method:

让我们创建OAuthClientCredentialsFeignManager类并定义getAccessToken()方法。

public String getAccessToken() {
    try {
        OAuth2AuthorizeRequest oAuth2AuthorizeRequest = OAuth2AuthorizeRequest
          .withClientRegistrationId(clientRegistration.getRegistrationId())
          .principal(principal)
          .build();
        OAuth2AuthorizedClient client = manager.authorize(oAuth2AuthorizeRequest);
        if (isNull(client)) {
            throw new IllegalStateException("client credentials flow on " + clientRegistration.getRegistrationId() + " failed, client is null");
        }
        return client.getAccessToken().getTokenValue();
    } catch (Exception exp) {
        logger.error("client credentials error " + exp.getMessage());
    }
    return null;
}

We use OAuth2AuthorizeRequest and OAuth2AuthorizedClient classes for getting the access token from the authorization server. Now for every request, the OpenFeign interceptor manages the oauth2 client and adds the access token to the request.

我们使用OAuth2AuthorizeRequestOAuth2AuthorizedClient类来从授权服务器获取访问令牌。现在对于每个请求,OpenFeign拦截器都会管理oauth2客户端,并将访问令牌添加到请求中。

5. Test

测试5

To test the OpenFeign client, let’s create the PaymentClientUnitTest class:

为了测试OpenFeign客户端,让我们创建PaymentClientUnitTest类。

@RunWith(SpringRunner.class)
@SpringBootTest
public class PaymentClientUnitTest {

    @Autowired
    private PaymentClient paymentClient;

    @Test
    public void whenGetPayment_thenListPayments() {
        List<Payment> payments = paymentClient.getPayments();
        assertFalse(payments.isEmpty());
    }
}

In this test, we call the getPayments() API. The PaymentClient under the hood connects to the OAuth2 client and gets an access token using the interceptor.

在这个测试中,我们调用getPayments() API。引擎盖下的PaymentClient连接到OAuth2客户端,并使用拦截器获得一个访问令牌。

6. Conclusion

6.结语

In this article, we set up the required environment for invoking a secure API. Then, we configure the OpenFeign to call the secure API through a practical example. For this, we add and configure the interceptor to OpenFeign. The interceptor manages the OAuth2 client and adds the access token to the request.

在这篇文章中,我们设置了调用安全API所需的环境。然后,我们通过一个实际的例子来配置OpenFeign来调用安全API。为此,我们在OpenFeign中添加并配置了拦截器。拦截器负责管理OAuth2客户端,并在请求中添加访问令牌。

As always, the full source code of this tutorial is available over on GitHub. Additionally, the resource and authorization server source code is available over on GitHub.

一如既往,本教程的完整源代码可在GitHub上获取。此外,资源和授权服务器的源代码也可以在GitHub上找到