add documentation BearerTokenResolver with snippets #7250
Expand Up @@ -33,3 +33,46 @@ SecurityWebFilterChain configure(ServerHttpSecurity http) throws Exception {
----

You can now leverage Spring Security's <<webclient>> or <<webflux-roac,@RegisteredOAuth2AuthorizedClient>> support to obtain and use the access token.

== BearerTokenResolver

With interface BearerTokenResolver you can provide a strategy to resolve a bearer token.
Contributor

When referring to class names, and other inlined code, please use backticks, e.g. `BearerTokenResolver`


The interface provides the next method:
Contributor

@jzheaux jzheaux Aug 15, 2019

Instead of showing the interface, could you show example usage? Specifically, I'm thinking it would be nice for the documentation to show how to do 1. form-based bearer tokens and 2. a custom header name.

Contributor Author

@jzheaux, 1) Can you explain more about it? Is it like loose coupling, where we take parameters and generate a token? 2) We can provide a link to code with `HeaderBearerTokenResolver`.

Contributor

Good questions.

For the first, there is a setting, DefaultBearerTokenResolver#setAllowFormEncodedBodyParameter. The spec allows for passing the bearer token via a form parameter instead of a header.

For the second (and in general), I recommend that the code be inlined, so the reader can see example usage in the context of your explanation. For example, you can imagine documentation written like this:

Or, we may need to use a custom header name, like when using Google Cloud's IAP Proxy authentication:

   http
       .oauth2ResourceServer()
            .bearerTokenResolver(new HeaderBearerTokenResolver("x-goog-iap-jwt-assertion"))


[source,java]
----
/**
* Resolve any <a href="https://tools.ietf.org/html/rfc6750#section-1.2" target="_blank">Bearer Token</a>
* value from the request.
*
* @param request the request
* @return the Bearer Token value or {@code null} if none found
* @throws OAuth2AuthenticationException if the found token is invalid
*/
String resolve(HttpServletRequest request);
----

In code base, you can find two implementation of this interface:
HeaderBearerTokenResolver and DefaultBearerTokenResolver (based on RFC 6750).

Below you can see HeaderBearerTokenResolver, it takes a bearer token from request by header
which was passed in constructor

[source,java]
----
public class HeaderBearerTokenResolver implements BearerTokenResolver {

private String header;

public HeaderBearerTokenResolver(String header) {
Assert.hasText(header, "header cannot be empty");
this.header = header;
}

@Override
public String resolve(HttpServletRequest request) {
return request.getHeader(this.header);
}
}
----
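Review bot: The new `== BearerTokenResolver` section shows the interface and the source of `HeaderBearerTokenResolver`, but never shows how a resolver is wired into a resource server, which is what the review above asks for; inline the usage, e.g. `http.oauth2ResourceServer().bearerTokenResolver(new HeaderBearerTokenResolver("x-goog-iap-jwt-assertion"))`, and mention `DefaultBearerTokenResolver#setAllowFormEncodedBodyParameter` for the RFC 6750 form-parameter case. The text should also make clear that `HeaderBearerTokenResolver.resolve` returns the raw header value without any validation (the Javadoc's `OAuth2AuthenticationException` only applies to resolvers that check the token format), so a custom header should only be trusted when something in front of the application, such as the IAP proxy named in the review, sets it. Finally, wrap class names in backticks as requested earlier and fix the grammar in "In code base, you can find two implementation of this interface" and "it takes a bearer token from request by header which was passed in constructor".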