I am not able to connect to an OAuth2 resource behind a proxy if I use the latest spring-security-oauth2-client-5.3.4.RELEASE.
I am using the reactor netty httpclient to set the proxy as follows.

```java
HttpClient httpClient = HttpClient.create().tcpConfiguration(tcpClient -> tcpClient.proxy(
        proxy -> proxy.type(ProxyProvider.Proxy.HTTP).host(proxyHost).port(Integer.valueOf(port)).build()));
ClientHttpConnector connector = new ReactorClientHttpConnector(httpClient);
return WebClient.builder().clientConnector(connector).filter(oauth2FilterFunction).build();
```
But if I use spring-security-oauth2-client-5.3.0.RELEASE, I am able to connect via the proxy but the token is not associated with each request.
Please advise me if I am doing anything wrong.
Comment From: jgrandja
@kmariappan2016 Based on my understanding, you are not able to call a protected resource using spring-security-oauth2-client 5.3.4 (with proxy configuration). Correct? However, it works in 5.3.0?
If this is the case, what is the difference in your configuration between 5.3.0 and 5.3.4?
Comment From: kmariappan2016
There is no change in configuration (proxy) between 5.3.0 and 5.3.4. I am keeping the same config. It's not using the proxy config if I migrate to 5.3.4.
Let me know if any further details are required.
Thanks,
Comment From: jgrandja
@kmariappan2016 Can you please provide a minimal reproducible sample via a GitHub repo and then I can help troubleshoot.
Comment From: kmariappan2016
Unfortunately I can not provide the code via GitHub as my organization policy blocks it.
I am connecting to a resource behind a corporate proxy and I have the proxy config as follows using Reactor HTTP Netty.

```java
HttpClient httpClient = HttpClient.create().tcpConfiguration(tcpClient -> tcpClient.proxy(
        proxy -> proxy.type(ProxyProvider.Proxy.HTTP).host(proxyHost).port(Integer.valueOf(port)).build()));
ClientHttpConnector connector = new ReactorClientHttpConnector(httpClient);
return WebClient.builder().clientConnector(connector).filter(oauth2FilterFunction).build();
```

I thought it's a Netty Reactor issue, but if I switch to 5.3.0 of spring webclient it started working.
Comment From: jgrandja
@kmariappan2016 I'm guessing this is not an oauth2-client specific issue since it works in 5.3.0. It might be a reactor issue. However, I will need a minimal sample that reproduces the error in order to confirm. I am not asking you to share your organization's code, but rather put together a minimal sample that replicates your existing code configuration and it should also reproduce the error. If you cannot provide this then I can't really help troubleshoot.
Comment From: kmariappan2016
Here is the OAuth2 client config.

```java
@Bean
ReactiveClientRegistrationRepository getRegistration() {
    ClientRegistration registration = ClientRegistration.withRegistrationId("sample client")
            .tokenUri("token url").clientId(clientId).clientSecret(clientSecret)
            .authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
            .scope(Arrays.asList(scope.split(":"))).build();
    return new InMemoryReactiveClientRegistrationRepository(registration);
}

@Bean(name = "defaultWebClient")
WebClient webClient(ReactiveClientRegistrationRepository clientRegistrations) {
    InMemoryReactiveOAuth2AuthorizedClientService authorizedClientService = new InMemoryReactiveOAuth2AuthorizedClientService(
            clientRegistrations);
    ServerOAuth2AuthorizedClientExchangeFilterFunction oauth2FilterFunction = new ServerOAuth2AuthorizedClientExchangeFilterFunction(
            new AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager(clientRegistrations,
                    authorizedClientService));
    oauth2FilterFunction.setDefaultClientRegistrationId("sample client");
    // "proxyhostname" and port stand in for the real proxy host and port
    HttpClient httpClient = HttpClient.create().tcpConfiguration(tcpClient -> tcpClient.proxy(
            proxy -> proxy.type(ProxyProvider.Proxy.HTTP).host("proxyhostname").port(Integer.valueOf(port)).build()));
    ClientHttpConnector connector = new ReactorClientHttpConnector(httpClient);
    return WebClient.builder().clientConnector(connector).filter(oauth2FilterFunction).build();
}
```

If you try to invoke the API endpoint, I am getting the error as it's not taking the proxy config.
Note: I raised this with the Reactor Netty team and had a troubleshooting session. If it's a Netty issue, it should not work with even 5.3.0 RELEASE.
Comment From: jgrandja
@kmariappan2016 As mentioned in this comment, I need a minimal reproducible sample via a GitHub repo that I can clone and reproduce with minimal effort on my end.
Comment From: kmariappan2016
I will upload the details in a day with GitHub and provide you the link. The prerequisite is you should have the OAuth resources behind the proxy and hope you would be knowing this too.
Thanks,
Comment From: spring-projects-issues
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
Comment From: kmariappan2016
Hi, I have added the sample code repo to simulate the issue. Please find the URL: https://github.com/kmariappan2016/spring-web-client.git
Comment From: jgrandja
@kmariappan2016 The sample you provided does not reproduce the issue and it wasn't complete. I had to add @EnableScheduling in SpringKafkaApplication and @Scheduled(fixedDelay = 1000) at ServiceHandler.getCMSurveys() in order to test this out.
The WebClient @Bean injected in ServiceHandler is the same one configured in ConfluentKafkaConfig and I verified the object references are the same for ReactorClientHttpConnector and ServerOAuth2AuthorizedClientExchangeFilterFunction. The configuration is correct.
Although I don't see any reproducible issue here, this is not related to spring-security-oauth2-client and instead is either a reactor issue or WebClient. If you are still having an issue please log it with Spring Framework issues.
Comment From: jgrandja
@kmariappan2016 I now see the issue with your configuration in ConfluentKafkaConfig.
The AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager needs to be customized before passing it to ServerOAuth2AuthorizedClientExchangeFilterFunction.
Here is the custom configuration for AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager:

```java
WebClient webClient = ... // TODO: Configure the `WebClient` with the `ClientHttpConnector`
AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager authorizedClientManager =
        new AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager(
                clientRegistrations, authorizedClientService);
authorizedClientManager.setAuthorizedClientProvider(createAuthorizedClientProvider(webClient));
```

Make sure the ReactiveOAuth2AuthorizedClientProvider is using the customized WebClient:

```java
private ReactiveOAuth2AuthorizedClientProvider createAuthorizedClientProvider(WebClient webClient) {
    WebClientReactiveClientCredentialsTokenResponseClient clientCredentialsTokenResponseClient
            = new WebClientReactiveClientCredentialsTokenResponseClient();
    clientCredentialsTokenResponseClient.setWebClient(webClient);
    return ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
            .clientCredentials(builder -> builder.accessTokenResponseClient(clientCredentialsTokenResponseClient))
            .build();
}
```

This should solve your issue.
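
As an added example (not code from the thread participants or from the Spring Security project), the two fragments above assembled into one configuration class, so that both the token request and the resource request go out through the same proxied connector. The class name, proxy host and port are placeholders, and the `reactor.netty.tcp.ProxyProvider` import assumes reactor-netty 0.9.x.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.client.reactive.ReactorClientHttpConnector;
import org.springframework.security.oauth2.client.AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.InMemoryReactiveOAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientProviderBuilder;
import org.springframework.security.oauth2.client.endpoint.WebClientReactiveClientCredentialsTokenResponseClient;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.reactive.function.client.ServerOAuth2AuthorizedClientExchangeFilterFunction;
import org.springframework.web.reactive.function.client.WebClient;
import reactor.netty.http.client.HttpClient;
import reactor.netty.tcp.ProxyProvider; // assumption: reactor-netty 0.9.x package

@Configuration
class ProxiedOAuth2WebClientConfig { // hypothetical class name
    private static final String PROXY_HOST = "proxy.example.internal"; // placeholder
    private static final int PROXY_PORT = 8080;                        // placeholder
    private static final String REGISTRATION_ID = "sample client";     // id used in the thread

    @Bean(name = "defaultWebClient")
    WebClient webClient(ReactiveClientRegistrationRepository clientRegistrations) {
        // One connector carries the proxy settings for every outbound call.
        HttpClient httpClient = HttpClient.create().tcpConfiguration(tcp -> tcp.proxy(
                proxy -> proxy.type(ProxyProvider.Proxy.HTTP).host(PROXY_HOST).port(PROXY_PORT)));
        ReactorClientHttpConnector connector = new ReactorClientHttpConnector(httpClient);

        // Token-endpoint client: proxied, built without the OAuth2 filter.
        WebClientReactiveClientCredentialsTokenResponseClient tokenClient =
                new WebClientReactiveClientCredentialsTokenResponseClient();
        tokenClient.setWebClient(WebClient.builder().clientConnector(connector).build());

        AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager manager =
                new AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager(clientRegistrations,
                        new InMemoryReactiveOAuth2AuthorizedClientService(clientRegistrations));
        // Without this call the manager keeps its default provider and default WebClient.
        manager.setAuthorizedClientProvider(ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
                .clientCredentials(b -> b.accessTokenResponseClient(tokenClient))
                .build());

        ServerOAuth2AuthorizedClientExchangeFilterFunction oauth2 =
                new ServerOAuth2AuthorizedClientExchangeFilterFunction(manager);
        oauth2.setDefaultClientRegistrationId(REGISTRATION_ID);

        // Resource client: same proxied connector, plus the filter that attaches the token.
        return WebClient.builder().clientConnector(connector).filter(oauth2).build();
    }
}
```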
Comment From: kmariappan2016
Sure, I will try and update here. Thanks much.
Comment From: kmariappan2016
It seems it gets the token behind the proxy, but the API endpoint is never getting called. Should I create another instance of WebClient to call the actual API endpoint?
Thanks,
Comment From: jgrandja
@kmariappan2016 I'm glad you were able to resolve the issue and obtain the token behind the proxy. I'm not sure why the API endpoint is not being called. I don't think you need to create a new instance of WebClient?
Comment From: kmariappan2016
Thanks. It returns the token endpoint call with 200 OK; after that, it's not at all calling the API endpoint and gets timed out.
Need to investigate further and hope you would assist if you know something.
Thanks,
Comment From: javakonsult
Hi, I am also running into the same issue. I tried using the proxy-enabled WebClient to create a custom ReactiveOAuth2AuthorizedClientProvider. The WebClient config can be found here: https://github.com/easyRider651/proxy-server-test/blob/main/src/main/java/test/WebClientConfig.java
I'll highly appreciate any help that I can get :) Thank you!