java spring-boot spring-security spring-webflux spring-authorization-server

Spring OAuth2 Authorization Server + Spring WebFlux


I'm trying to rewrite an existing OAuth2 authorization service using Spring Boot 3.0.2 and the newly released Spring OAuth2 Authorization Server 1.0.0. I ran into trouble combining objects from the Reactive Security and Standard Security libraries: I'm unable to apply default security to the OAuth2AuthorizationServerConfiguration class, because it's not applicable to reactive ServerHttpSecurity.

Code part

@Bean
@Order(Ordered.HIGHEST_PRECEDENCE)
public SecurityWebFilterChain authServerSecurityFilterChain(ServerHttpSecurity http) throws Exception {
    OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
    http
        .formLogin()
        ...;

    return http.build();
}

I can't pass HttpSecurity to the applyDefaultSecurity() method. I tried to find any reactive implementations of the OAuth2AuthorizationServerConfiguration class but found nothing.

Is there any way to convert ServerHttpSecurity to HttpSecurity? Or is Spring OAuth2 Authorization Server completely incompatible with the reactive approach?

Main dependencies of Maven pom.xml

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-webflux</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-oauth2-authorization-server</artifactId>
    <version>1.0.0</version>
</dependency>

Thanks in advance.

UPD

Searched badly. Seems like it's not supported yet:

https://github.com/spring-projects/spring-authorization-server/issues/152

Or are there still some ways to make it work?


Solution

  • Official answer:

    We are strictly focusing on a Servlet implementation for the initial set of features that would qualify for a MVP version. We haven't decided whether we'll provide a WebFlux version at this point.

    Quite honestly, I'm not convinced it's needed. The client and resource server(s) are the most active, whereas, the authorization server is not as active as it simply issues a token and may validate a token, which is limited activity between the many interactions that follow between a client and resource server after a token is issued.

    Either way, I'm going to close this issue as WebFlux is not on the roadmap as of now.

    Source - https://github.com/spring-projects/spring-authorization-server/issues/152
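
Since the authorization server is Servlet-only, the bean from the question can be written against `HttpSecurity` and `SecurityFilterChain` instead of their reactive counterparts. The following is an added example, not code from the original post or the linked issue. It assumes `spring-boot-starter-web` replaces `spring-boot-starter-webflux` in this one service, and that `RegisteredClientRepository`, `JWKSource` and `AuthorizationServerSettings` beans are declared elsewhere; the class name and the `/login` path are illustrative.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;

// Added example: Servlet-stack counterpart of the question's reactive bean.
// Assumes RegisteredClientRepository, JWKSource and AuthorizationServerSettings
// beans exist elsewhere in the application (hypothetical class name below).
@Configuration
public class AuthorizationServerSecurityConfig {

    // Chain 1: matches only the OAuth2 protocol endpoints and requires
    // authentication for them. Unauthenticated browser requests to the
    // authorization endpoint are redirected to the login page.
    @Bean
    @Order(Ordered.HIGHEST_PRECEDENCE)
    public SecurityFilterChain authServerSecurityFilterChain(HttpSecurity http) throws Exception {
        OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
        http.exceptionHandling(exceptions -> exceptions
                .authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/login")));
        return http.build();
    }

    // Chain 2: everything else, including the form login page itself.
    // It must come after chain 1 so the protocol endpoints keep their own rules.
    @Bean
    @Order(2)
    public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authorize -> authorize.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}
```

Clients and resource servers that talk to this service can stay on WebFlux, because they interact with the authorization server only over HTTP.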