Summary
We should provide a simple way to integrate OAuth support with RestTemplate. This support would be similar to the WebClient support, but for RestTemplate.
The WebClient extension for Servlet-based applications is ServletOAuth2AuthorizedClientExchangeFilterFunction.
See the sample oauth2webclient and how to configure and use it.
There are a few tasks involved in order to reach feature parity between ServletOAuth2AuthorizedClientExchangeFilterFunction and RestTemplate support. Here is a break-down of the tasks involved.
- [ ] User should be able to set the current client using either an
OAuth2AuthorizedClientorclientRegistrationId - [ ] Each request should contain the
Authorizationheader withBearer <access-token>for the currentOAuth2AuthorizedClient - [ ] Get a new access token if it's not available for the current
clientRegistrationId - [ ] Refresh an expired access token - applicable to
authorization_codegrant clients - [ ] Get a new access token when current token expired - applicable to
client_credentialsgrant clients - [ ] Add clock skew support for access token expiry time
Comment From: jgrandja
Partial support for RestTemplate has been added in 5.1.
See Token Request/Response and UserInfo Request/Response.
Comment From: rwinch
This ticket is to track support of RestTempalte supporting something similar to WebClient. I have reopened this and updated the description to make that more clear
Comment From: L7R7
@jgrandja @rwinch I was pointed to this issue while looking for a way to implement an OAuth2 client using the client credentials flow in combination with RestTemplate. I'm curious if this might be something I could contribute to. What do you think could be possible concrete steps?
Comment From: jgrandja
@L7R7 Thanks for your interest. It would be great if you can help here.
The one main thing that needs to get ironed out before we put too much effort here is the fact that RestTemplate does not support request-level attributes like the way that WebClient via ExchangeFilterFunction and ClientRequest.attributes() does.
The ServletOAuth2AuthorizedClientExchangeFilterFunction.clientRegistrationId() allows the "current clientRegistrationId" to be set for the next request, which is the same type of functionality we would need for RestTemplate support. However, this is not possible via RestTemplate and the ClientHttpRequestInterceptor that would house this feature. Maybe there is another way? If you would like to spend some time here and see if there is another solution that would be great. The one thing we want to avoid is creating a new instance of ClientHttpRequestInterceptor per-request. We want to leverage the one instance of ClientHttpRequestInterceptor but it needs to know how to resolve the "current clientRegistrationId".
Comment From: L7R7
Ok, I think I got the problem. I'm not familiar with the internals of RestTemplate nand ClientHttpRequestInterceptor, so I will have to dig through the code and see what I can come up with.
Comment From: alexcrownus
Is there still a plan to implement this or the focus would now be on the new RestClient in Spring 6.1? @jgrandja
Comment From: jgrandja
@alexcrownus We would likely focus on the new RestClient, however, this issue is still lower priority as there are other features that are higher priority.
Comment From: rasifix
@jgrandja now that RestClient is available, what is the status of this? are there plans to support this now? This would be super useful for us as there are quirks (related to reactive nature) when using WebClients which we could avoid.
Comment From: jgrandja
Closing in favour of gh-13588
Comment From: jgrandja
@rasifix gh-13588 supersedes this issue so I closed this. As far as status goes, quite honestly, there are a few higher priority items at the moment so I don't have a timeline on when this will be scheduled for a release.