How to Retrieve OAuth2AuthorizedClient in a request when using WebFlux

I have a back-end (Spring Boot) application that is connected to Azure AD and a front-end application that accesses it. In the front-end, I am requiring the user to authenticate using MSAL and passing this authentication to the BE using the On-Behalf-Of flow.

In the front-end, when I am trying to specify the registered client I simply use:

@RegisteredOAuth2AuthorizedClient("back-end") OAuth2AuthorizedClient authorizedClient

I'm trying to create another back-end application that my existing back-end will call, passing the authentication using the OBO flow. To check the difference between the initial token from the user and the token the BE will provide to the new BE application, I created a log that fetches the token from these clients, like authorizedClient.getAccessToken().getTokenValue().

Now that I don't want the explicit approach and want only to add .attributes(clientRegistrationId("new-back-end")) directly to the WebClient request, is there any way to check the token? Or at least get the OAuth2AuthorizedClient from the request?

Sample code:

// static import: ServerOAuth2AuthorizedClientExchangeFilterFunction.clientRegistrationId
webClient.get()
        .uri(new URI(resourceBaseUri + resourceEndpoint))
        .attributes(clientRegistrationId("new-be-app"))
        .retrieve()
        .bodyToMono(String.class)
        .block(); // note: block() is not allowed on a reactive (Netty) thread; in WebFlux, return the Mono instead


Solution 1:[1]

• You can do what you want by using the ServerOAuth2AuthorizedClientExchangeFilterFunction, which determines the client to use by resolving the OAuth2AuthorizedClient from ClientRequest.attributes(). The following code shows how to set an OAuth2AuthorizedClient as a request attribute:

// static import: org.springframework.security.oauth2.client.web.reactive.function.client.ServerOAuth2AuthorizedClientExchangeFilterFunction.oauth2AuthorizedClient
@GetMapping("/")
public Mono<String> index(@RegisteredOAuth2AuthorizedClient("okta") OAuth2AuthorizedClient authorizedClient) {
    String resourceUri = ...

    return webClient
            .get()
            .uri(resourceUri)
            .attributes(oauth2AuthorizedClient(authorizedClient)) // filter function reads this attribute and adds the bearer header
            .retrieve()
            .bodyToMono(String.class)
            ...
            .thenReturn("index");
}

Note: oauth2AuthorizedClient() is a static method in ServerOAuth2AuthorizedClientExchangeFilterFunction.

Also, the following code shows how to set the ClientRegistration.getRegistrationId() as a request attribute:

// static import: org.springframework.security.oauth2.client.web.reactive.function.client.ServerOAuth2AuthorizedClientExchangeFilterFunction.clientRegistrationId
@GetMapping("/")
public Mono<String> index() {
    String resourceUri = ...

    return webClient
            .get()
            .uri(resourceUri)
            .attributes(clientRegistrationId("okta")) // filter function resolves the authorized client for "okta" itself
            .retrieve()
            .bodyToMono(String.class)
            ...
            .thenReturn("index");
}

You can also use the code below for your purpose:

import lombok.RequiredArgsConstructor;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
import org.springframework.security.oauth2.client.web.server.ServerOAuth2AuthorizedClientRepository;
import org.springframework.stereotype.Component;
import org.springframework.web.reactive.function.server.ServerRequest;
import reactor.core.publisher.Mono;

@Component
@RequiredArgsConstructor
public class OAuth2Utils {

    private final ServerOAuth2AuthorizedClientRepository authorizedClientRepository;

    // Loads the authorized client for the registration the user logged in with (oauth2Login()).
    // The principal is then an OAuth2AuthenticationToken; for a JWT resource server it is a
    // JwtAuthenticationToken instead, so the filter below yields an empty Mono in that case.
    public Mono<OAuth2AuthorizedClient> extractOAuth2AuthorizedClient(ServerRequest request) {
        return request.principal()
                .filter(principal -> principal instanceof OAuth2AuthenticationToken)
                .cast(OAuth2AuthenticationToken.class)
                .flatMap(auth -> authorizedClientRepository.loadAuthorizedClient(
                        auth.getAuthorizedClientRegistrationId(), auth, request.exchange()));
    }
}

Please find the links below for more information:

How to access OAuth2AuthorizedClient in Webflux Functional Endpoints?

https://docs.spring.io/spring-security/reference/reactive/oauth2/client/authorized-clients.html#_providing_the_authorized_client
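The answer covers how to hand the filter function an authorized client; what the question actually wants is a way to look at the OBO token that clientRegistrationId("new-be-app") would use. The following is an added example, not code from the question, the answer or Spring Security. It assumes a ReactiveOAuth2AuthorizedClientManager bean whose provider can perform the On-Behalf-Of grant for the "new-be-app" registration, a WebClient bean that already carries the ServerOAuth2AuthorizedClientExchangeFilterFunction built from that same manager, an inbound JwtAuthenticationToken (oauth2ResourceServer().jwt()), Jackson on the classpath and Java 17. Because the filter function calls the same manager with the same principal and exchange, resolving the client explicitly yields the token the filter would have attached, and the manager caches it in the authorized-client repository, so no second token request is made. The example logs a SHA-256 fingerprint and the unverified aud claim instead of the raw token value, which is what a log should contain; the package name, class names and "new-be-app" are hypothetical.

```java
package com.example.obo; // hypothetical package

import static org.springframework.security.oauth2.client.web.reactive.function.client.ServerOAuth2AuthorizedClientExchangeFilterFunction.oauth2AuthorizedClient;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.HexFormat;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpHeaders;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.ReactiveSecurityContextHolder;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.oauth2.client.OAuth2AuthorizeRequest;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.stereotype.Service;
import org.springframework.web.reactive.function.client.ExchangeFilterFunction;
import org.springframework.web.reactive.function.client.WebClient;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

@Service
public class DownstreamClient {

    private static final Logger log = LoggerFactory.getLogger(DownstreamClient.class);
    private static final ObjectMapper JSON = new ObjectMapper();

    private final ReactiveOAuth2AuthorizedClientManager clientManager; // assumed bean with an OBO-capable provider
    private final WebClient webClient;                                 // assumed to carry the OAuth2 exchange filter

    public DownstreamClient(ReactiveOAuth2AuthorizedClientManager clientManager, WebClient webClient) {
        this.clientManager = clientManager;
        this.webClient = webClient;
    }

    /** Resolve the OBO client for "new-be-app" explicitly, inspect it, then call downstream without blocking. */
    public Mono<String> callNewBackend(ServerWebExchange exchange, String resourceUri) {
        return ReactiveSecurityContextHolder.getContext()
                .map(SecurityContext::getAuthentication)
                .flatMap(auth -> clientManager
                        .authorize(OAuth2AuthorizeRequest.withClientRegistrationId("new-be-app")
                                .principal(auth)
                                .attribute(ServerWebExchange.class.getName(), exchange) // lets the manager save/load the client per exchange
                                .build())
                        .doOnNext(client -> compareTokens(auth, client)))
                .flatMap(client -> webClient.get()
                        .uri(resourceUri)
                        .attributes(oauth2AuthorizedClient(client)) // same client the filter would have resolved itself
                        .retrieve()
                        .bodyToMono(String.class));
    }

    /** Log fingerprints and audiences of the inbound user token and the OBO token; never the raw values. */
    static void compareTokens(Authentication inbound, OAuth2AuthorizedClient client) {
        if (inbound instanceof JwtAuthenticationToken jwtAuth) {
            log.info("inbound user token {} aud={}", fingerprint(jwtAuth.getToken().getTokenValue()),
                    jwtAuth.getToken().getAudience());
        }
        String obo = client.getAccessToken().getTokenValue();
        log.info("OBO token for {} {} aud={} exp={}", client.getClientRegistration().getRegistrationId(),
                fingerprint(obo), audience(obo), client.getAccessToken().getExpiresAt());
    }

    /** Same inspection as a WebClient filter; register it AFTER the OAuth2 filter so the bearer header is already set. */
    static ExchangeFilterFunction logBearerFingerprint() {
        return (request, next) -> {
            String authz = request.headers().getFirst(HttpHeaders.AUTHORIZATION);
            if (authz != null && authz.startsWith("Bearer ")) {
                String token = authz.substring("Bearer ".length());
                log.info("{} {} bearer {} aud={}", request.method(), request.url(), fingerprint(token), audience(token));
            }
            return next.exchange(request);
        };
    }

    /** Short SHA-256 prefix: enough to tell two tokens apart in logs, useless to an attacker. */
    static String fingerprint(String token) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(token.getBytes(StandardCharsets.UTF_8));
            return "sha256:" + HexFormat.of().formatHex(digest, 0, 6);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Unverified read of the JWT "aud" claim, for inspection only; make no authorization decision on it. */
    static String audience(String jwt) {
        String[] parts = jwt.split("\\.");
        if (parts.length < 2) return "<opaque>";
        try {
            JsonNode payload = JSON.readTree(Base64.getUrlDecoder().decode(parts[1]));
            return payload.path("aud").toString();
        } catch (Exception e) {
            return "<unparseable>";
        }
    }
}
```

With WebClient.builder().filter(oauth2Filter).filter(DownstreamClient.logBearerFingerprint()), the OAuth2 filter runs first and passes the bearer-augmented request on, so the logging filter sees the Authorization header for every call, including ones that only use clientRegistrationId("new-be-app"). If the two logged audiences are identical, the OBO exchange did not happen and the user's own token is being forwarded.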

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 KartikBhiwapurkar-MT