Spring WebClient OAuth2 Integration for Spring WebFlux

Last Updated:  August 27, 2021 | Published: November 11, 2019

With OAuth2 being the current de-facto authorization framework, a lot of vendors use it to secure their APIs. Furthermore, you can use OAuth2 to enable social logins (e.g. Google or Facebook) and don't need your own user management. As the WebClient from Spring WebFlux is the preferred client for Spring applications, I want to provide an example for the Spring WebClient  OAuth2 setup. As an example, I'll use GitHub for an OAuth2 login and will access an OAuth2 protected API using the WebClient.

OAuth2 Spring WebFlux project setup

The Maven project for this example contains the required Spring Boot dependencies for Thymeleaf, WebFlux, Security and the OAuth2 client:

To use GitHub for OAuth2 login and for accessing their protected APIs, we have to configure the application as an OAuth2 client. Within the application.yml file, add the client-id and client-secret that you receive while creating an OAuth2 app on GitHub (follow this tutorial).

Fortunately, Spring Security ships with information about the OAuth2 related endpoints for Google, Facebook and GitHub. Given this fact, we don't have to configure any additional URLs. The client registration key github in the application.yml file above tells Spring to use GitHub.

For those of you who are interested in which class Spring configures these endpoints, have a look at the CommonOAuth2Provider:

Securing the WebFlux application with OAuth2 login

Next, we have to secure our application. As we don't want any unauthenticated users to access the application,

Please note that this configuration is for using Spring WebFlux. If you are using the Servlet environment with Spring Web and Tomcat, the configuration is different as you have to extend the WebSecurityConfigurerAdapter class.

WebClient OAuth2 configuration

With the application security setup in place, we can continue with the configuration for the WebClient. The Spring Security OAuth2 client dependency provides a ServerOAuth2AuthorizedClientExchangeFilterFunction, which we can use to configure our WebClient instance. This filter is for working with the reactive web stack, for the Servlet stack, have a look at the ServletOAuth2AuthorizedClientExchangeFilterFunction.

Moreover, as the filter function takes a ReactiveOAuth2AuthorizedClientManager as an input argument, we have to provide this bean. To create such a bean we can inject the ReactiveClientRegistrationRepository which gets autoconfigured (as we use Spring Boot Security) based on our application.yml.

The GitHub API uses the authorization_code OAuth2 flow, so we can configure the ReactiveOAuth2AuthorizedClientProvider for only this flow. Other flows like client_credentials, refresh_token are also available.

Accessing OAuth2 protected resources on GitHub

Last but not least, we'll add a Thymeleaf page to demonstrate the OAuth2 login and the result of the API access with Spring's WebClient. The page display the GitHub name of the logged-in user and all of the user's GitHub repositories:

The backend controller takes an OAuth2AuthorizedClient as a method argument alongside the authenticated principal and the Spring MVC Model class. Once a user accesses our page, a redirect to GitHub takes place and the user has to provide his GitHub credentials:

OAuth2 Login with GitHub

After GitHub successfully verifies the credentials, the user gets redirected to our application and Spring Security will exchange the authorization code for an access token in the background.

Given this token, we can access the GitHub API with the WebClient and query for the user's repositories:

The final result looks like the following:

List of repositories on GitHub

In conclusion, with the correct setup, there is almost nothing to do for an OAuth2 integration. Spring Security in combination with Spring Boot takes care of all the configuration. Again, please note that this example is for using a reactive Web stack and not the Servlet stack. For a Spring Web setup with Tomcat, have a look at this post to configure the WebClient for OAuth2.

You can find the source code with further instructions on how to run this application on GitHub.

Have fun using the OAuth2 with the Spring WebClient for a WebFlux application,

Phil

>