Migrates token relay from spring-cloud-gateway-server-security.

It moves it to spring-cloud-gateway-server

See gh-1975

Author: spencergibb

docs/src/main/asciidoc/spring-cloud-gateway.adoc

@@ -1644,14 +1644,12 @@ it is proxying. To add this functionlity to gateway you need to add the
 .App.java
 [source,java]
 ----
-@Autowired
-private TokenRelayGatewayFilterFactory filterFactory;
 
 @Bean
 public RouteLocator customRouteLocator(RouteLocatorBuilder builder) {
     return builder.routes()
             .route("resource", r -> r.path("/resource")
-                    .filters(f -> f.filter(filterFactory.apply()))
+                    .filters(f -> f.tokenRelay())
                     .uri("http://localhost:9000"))
             .build();
 }
@@ -1680,7 +1678,7 @@ pass the authentication token downstream to the services (in this case
 
 To enable this for Spring Cloud Gateway add the following dependencies
 
-- `org.springframework.cloud:spring-cloud-gateway-server-security`
+- `org.springframework.boot:spring-boot-starter-oauth2-client`
 
 How does it work?  The
 {githubmaster}/src/main/java/org/springframework/cloud/gateway/security/TokenRelayGatewayFilterFactory.java[filter]
@@ -1689,6 +1687,8 @@ and puts it in a request header for the downstream requests.
 
 For a full working sample see https://github.com/spring-cloud-samples/sample-gateway-oauth2login[this project].
 
+NOTE: A `TokenRelayGatewayFilterFactory` bean will only be created if the proper `spring.security.oauth2.client.*` properties are set which will trigger creation of a `ReactiveClientRegistrationRepository` bean.
+
 NOTE: The default implementation of `ReactiveOAuth2AuthorizedClientService` used by `TokenRelayGatewayFilterFactory`
 uses an in-memory data store.  You will need to provide your own implementation `ReactiveOAuth2AuthorizedClientService`
 if you need a more robust solution.

spring-cloud-gateway-server-security/pom.xml

@@ -27,6 +27,11 @@
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-validation</artifactId>
 		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-oauth2-client</artifactId>
+			<optional>true</optional>
+		</dependency>
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-actuator</artifactId>

spring-cloud-gateway-server-security/src/main/java/org/springframework/cloud/gateway/security/TokenRelayAutoConfiguration.java

@@ -45,6 +45,7 @@
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.boot.autoconfigure.condition.NoneNestedConditions;
+import org.springframework.boot.autoconfigure.security.SecurityProperties;
 import org.springframework.boot.autoconfigure.web.ServerProperties;
 import org.springframework.boot.autoconfigure.web.embedded.NettyWebServerFactoryCustomizer;
 import org.springframework.boot.autoconfigure.web.reactive.HttpHandlerAutoConfiguration;
@@ -96,6 +97,7 @@
 import org.springframework.cloud.gateway.filter.factory.SetResponseHeaderGatewayFilterFactory;
 import org.springframework.cloud.gateway.filter.factory.SetStatusGatewayFilterFactory;
 import org.springframework.cloud.gateway.filter.factory.StripPrefixGatewayFilterFactory;
+import org.springframework.cloud.gateway.filter.factory.TokenRelayGatewayFilterFactory;
 import org.springframework.cloud.gateway.filter.factory.rewrite.GzipMessageBodyResolver;
 import org.springframework.cloud.gateway.filter.factory.rewrite.MessageBodyDecoder;
 import org.springframework.cloud.gateway.filter.factory.rewrite.MessageBodyEncoder;
@@ -148,6 +150,14 @@
 import org.springframework.core.convert.ConversionService;
 import org.springframework.core.env.Environment;
 import org.springframework.http.codec.ServerCodecConfigurer;
+import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
+import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientManager;
+import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientProvider;
+import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientProviderBuilder;
+import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
+import org.springframework.security.oauth2.client.web.DefaultReactiveOAuth2AuthorizedClientManager;
+import org.springframework.security.oauth2.client.web.server.ServerOAuth2AuthorizedClientRepository;
+import org.springframework.security.web.server.SecurityWebFilterChain;
 import org.springframework.util.CollectionUtils;
 import org.springframework.util.StringUtils;
 import org.springframework.validation.Validator;
@@ -831,4 +841,31 @@ static class VerboseDisabled {
 
 	}
 
+	@Configuration(proxyBeanMethods = false)
+	@ConditionalOnProperty(name = "spring.cloud.gateway.enabled", matchIfMissing = true)
+	@ConditionalOnClass({ OAuth2AuthorizedClient.class, SecurityWebFilterChain.class, SecurityProperties.class })
+	@ConditionalOnEnabledFilter(TokenRelayGatewayFilterFactory.class)
+	@ConditionalOnBean(ReactiveClientRegistrationRepository.class)
+	protected static class TokenRelayConfiguration {
+
+		@Bean
+		public TokenRelayGatewayFilterFactory tokenRelayGatewayFilterFactory(
+				ReactiveOAuth2AuthorizedClientManager clientManager) {
+			return new TokenRelayGatewayFilterFactory(clientManager);
+		}
+
+		@Bean
+		public ReactiveOAuth2AuthorizedClientManager gatewayReactiveOAuth2AuthorizedClientManager(
+				ReactiveClientRegistrationRepository clientRegistrationRepository,
+				ServerOAuth2AuthorizedClientRepository authorizedClientRepository) {
+			ReactiveOAuth2AuthorizedClientProvider authorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder
+					.builder().authorizationCode().refreshToken().build();
+			DefaultReactiveOAuth2AuthorizedClientManager authorizedClientManager = new DefaultReactiveOAuth2AuthorizedClientManager(
+					clientRegistrationRepository, authorizedClientRepository);
+			authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
+			return authorizedClientManager;
+		}
+
+	}
+
 }

spring-cloud-gateway-server-security/src/main/resources/META-INF/spring.factories

@@ -14,24 +14,21 @@
  * limitations under the License.
  */
 
-package org.springframework.cloud.gateway.security;
+package org.springframework.cloud.gateway.filter.factory;
 
 import reactor.core.publisher.Mono;
 
 import org.springframework.cloud.gateway.filter.GatewayFilter;
-import org.springframework.cloud.gateway.filter.factory.AbstractGatewayFilterFactory;
 import org.springframework.security.oauth2.client.OAuth2AuthorizeRequest;
 import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
 import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientManager;
 import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
 import org.springframework.security.oauth2.core.OAuth2AccessToken;
-import org.springframework.stereotype.Component;
 import org.springframework.web.server.ServerWebExchange;
 
 /**
  * @author Joe Grandja
  */
-@Component
 public class TokenRelayGatewayFilterFactory extends AbstractGatewayFilterFactory<Object> {
 
 	private final ReactiveOAuth2AuthorizedClientManager clientManager;

spring-cloud-gateway-server-security/src/test/java/org/springframework/cloud/gateway/security/TokenRelayAutoConfigurationTests.java

@@ -67,6 +67,7 @@
 import org.springframework.cloud.gateway.filter.factory.SetStatusGatewayFilterFactory;
 import org.springframework.cloud.gateway.filter.factory.SpringCloudCircuitBreakerFilterFactory;
 import org.springframework.cloud.gateway.filter.factory.StripPrefixGatewayFilterFactory;
+import org.springframework.cloud.gateway.filter.factory.TokenRelayGatewayFilterFactory;
 import org.springframework.cloud.gateway.filter.factory.rewrite.ModifyRequestBodyGatewayFilterFactory;
 import org.springframework.cloud.gateway.filter.factory.rewrite.ModifyResponseBodyGatewayFilterFactory;
 import org.springframework.cloud.gateway.filter.factory.rewrite.RewriteFunction;
@@ -700,6 +701,21 @@ public GatewayFilterSpec setRequestHeaderSize(DataSize size) {
 		return filter(getBean(RequestHeaderSizeGatewayFilterFactory.class).apply(c -> c.setMaxSize(size)));
 	}
 
+	/**
+	 * A filter that enables token relay.
+	 * @return a {@link GatewayFilterSpec} that can be used to apply additional filters
+	 */
+	public GatewayFilterSpec tokenRelay() {
+		try {
+			return filter(getBean(TokenRelayGatewayFilterFactory.class).apply(o -> {
+			}));
+		}
+		catch (NoSuchBeanDefinitionException e) {
+			throw new IllegalStateException("No TokenRelayGatewayFilterFactory bean was found. Did you include the "
+					+ "org.springframework.boot:spring-boot-starter-oauth2-client dependency?");
+		}
+	}
+
 	/**
 	 * Adds hystrix execution exception headers to fallback request. Depends on @{code
 	 * org.springframework.cloud::spring-cloud-starter-netflix-hystrix} being on the