Add OAuth + RestTemplate support

[rwinch]

Summary

We should provide a simple way to integrate OAuth support with RestTemplate. This support would be similar to the WebClient support, but for RestTemplate.

The WebClient extension for Servlet-based applications is ServletOAuth2AuthorizedClientExchangeFilterFunction.

See the sample oauth2webclient and how to configure and use it.

There are a few tasks involved in order to reach feature parity between ServletOAuth2AuthorizedClientExchangeFilterFunction and RestTemplate support. Here is a break-down of the tasks involved.

• User should be able to set the current client using either an OAuth2AuthorizedClient or clientRegistrationId
• Each request should contain the Authorization header with Bearer <access-token> for the current OAuth2AuthorizedClient
• Get a new access token if it's not available for the current clientRegistrationId
• Refresh an expired access token - applicable to authorization_code grant clients
• Get a new access token when current token expired - applicable to client_credentials grant clients
• Add clock skew support for access token expiry time

[jgrandja]

Partial support for RestTemplate has been added in 5.1.
See Token Request/Response and UserInfo Request/Response.

[rwinch]

This ticket is to track support of RestTempalte supporting something similar to WebClient. I have reopened this and updated the description to make that more clear

[L7R7]

@jgrandja @rwinch I was pointed to this issue while looking for a way to implement an OAuth2 client using the client credentials flow in combination with RestTemplate. I'm curious if this might be something I could contribute to. What do you think could be possible concrete steps?

[jgrandja]

@L7R7 Thanks for your interest. It would be great if you can help here.

The one main thing that needs to get ironed out before we put too much effort here is the fact that RestTemplate does not support request-level attributes like the way that WebClient via ExchangeFilterFunction and ClientRequest.attributes() does.

The ServletOAuth2AuthorizedClientExchangeFilterFunction.clientRegistrationId() allows the "current clientRegistrationId" to be set for the next request, which is the same type of functionality we would need for RestTemplate support. However, this is not possible via RestTemplate and the ClientHttpRequestInterceptor that would house this feature. Maybe there is another way? If you would like to spend some time here and see if there is another solution that would be great. The one thing we want to avoid is creating a new instance of ClientHttpRequestInterceptor per-request. We want to leverage the one instance of ClientHttpRequestInterceptor but it needs to know how to resolve the "current clientRegistrationId".

[L7R7]

Ok, I think I got the problem. I'm not familiar with the internals of RestTemplate nand ClientHttpRequestInterceptor, so I will have to dig through the code and see what I can come up with.

[alexcrownus]

Is there still a plan to implement this or the focus would now be on the new RestClient in Spring 6.1? @jgrandja

[jgrandja]

@alexcrownus We would likely focus on the new RestClient, however, this issue is still lower priority as there are other features that are higher priority.

[rasifix]

@jgrandja now that RestClient is available, what is the status of this? are there plans to support this now? This would be super useful for us as there are quirks (related to reactive nature) when using WebClients which we could avoid.

[jgrandja]

Closing in favour of gh-13588

[jgrandja]

@rasifix gh-13588 supersedes this issue so I closed this. As far as status goes, quite honestly, there are a few higher priority items at the moment so I don't have a timeline on when this will be scheduled for a release.