
Spring WebClient is not using Proxy for the latest version of spring-security-oauth2-client-5.3.4.RELEASE #8966

Closed
kmariappan2016 opened this issue Aug 13, 2020 · 17 comments
Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)

Comments

@kmariappan2016

I am not able to connect to an OAuth2 resource behind a proxy if I use the latest spring-security-oauth2-client-5.3.4.RELEASE.

I am using the Reactor Netty HttpClient to set the proxy as follows.

    HttpClient httpClient = HttpClient.create().tcpConfiguration(tcpClient -> tcpClient.proxy(
            proxy -> proxy.type(ProxyProvider.Proxy.HTTP).host(proxyHost).port(Integer.valueOf(port)).build()));
    ClientHttpConnector connector = new ReactorClientHttpConnector(httpClient);
    return WebClient.builder().clientConnector(connector).filter(oauth2FilterFunction).build();

But if I use spring-security-oauth2-client-5.3.0.RELEASE, I am able to connect via the proxy, but the token is not associated with each request.

Please advise me if I am doing anything wrong.

@jgrandja jgrandja transferred this issue from spring-attic/spring-security-oauth Aug 17, 2020
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Aug 17, 2020
@jgrandja
Contributor

jgrandja commented Aug 17, 2020

@kmariappan2016 Based on my understanding, you are not able to call a protected resource using spring-security-oauth2-client 5.3.4 (with proxy configuration). Correct? However, it works in 5.3.0?

If this is the case, what is the difference in your configuration between 5.3.0 and 5.3.4?

@jgrandja jgrandja self-assigned this Aug 17, 2020
@jgrandja jgrandja added in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) status: waiting-for-feedback We need additional information before we can continue and removed status: waiting-for-triage An issue we've not yet triaged labels Aug 17, 2020
@kmariappan2016
Author

There is no change in configuration (proxy) between 5.3.0 and 5.3.4. I am keeping the same config.
It's not using the proxy config if I migrate to 5.3.4.

Let me know if any further details are required.

Thanks,

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Aug 17, 2020
@jgrandja
Contributor

@kmariappan2016 Can you please provide a minimal reproducible sample via a GitHub repo and then I can help troubleshoot.

@jgrandja jgrandja added status: waiting-for-feedback We need additional information before we can continue and removed status: feedback-provided Feedback has been provided labels Aug 17, 2020
@kmariappan2016
Author

Unfortunately I cannot provide the code via GitHub as my organization's policy blocks it.

I am connecting to a resource behind a corporate proxy and I have the proxy config as follows using Reactor HTTP Netty.

    HttpClient httpClient = HttpClient.create().tcpConfiguration(tcpClient -> tcpClient.proxy(
            proxy -> proxy.type(ProxyProvider.Proxy.HTTP).host(proxyHost).port(Integer.valueOf(port)).build()));

    ClientHttpConnector connector = new ReactorClientHttpConnector(httpClient);

    return WebClient.builder().clientConnector(connector).filter(oauth2FilterFunction).build();

I thought it's a netty reactor issue, but if I switch to 5.3.0 of spring webclient it started working.

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Aug 17, 2020
@jgrandja
Contributor

jgrandja commented Aug 17, 2020

@kmariappan2016 I'm guessing this is not an oauth2-client specific issue since it works in 5.3.0. It might be a reactor issue. However, I will need a minimal sample that reproduces the error in order to confirm. I am not asking you to share your organization's code, but rather put together a minimal sample that replicates your existing code configuration and it should also reproduce the error. If you cannot provide this then I can't really help troubleshoot.

@jgrandja jgrandja added status: waiting-for-feedback We need additional information before we can continue and removed status: feedback-provided Feedback has been provided labels Aug 17, 2020
@kmariappan2016
Author

kmariappan2016 commented Aug 17, 2020

Here is the OAuth2 client config.

    @Bean
    ReactiveClientRegistrationRepository getRegistration() {
        ClientRegistration registration = ClientRegistration.withRegistrationId("sample client")
                .tokenUri("token url").clientId(clientId).clientSecret(clientSecret)
                .authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
                .scope(Arrays.asList(scope.split(":"))).build();
        return new InMemoryReactiveClientRegistrationRepository(registration);
    }

    @Bean(name = "defaultWebClient")
    WebClient webClient(ReactiveClientRegistrationRepository clientRegistrations) {
        InMemoryReactiveOAuth2AuthorizedClientService authorizedClientService = new InMemoryReactiveOAuth2AuthorizedClientService(
                clientRegistrations);
        ServerOAuth2AuthorizedClientExchangeFilterFunction oauth2FilterFunction = new ServerOAuth2AuthorizedClientExchangeFilterFunction(
                new AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager(clientRegistrations,
                        authorizedClientService));

        oauth2FilterFunction.setDefaultClientRegistrationId("sample client");
        HttpClient httpClient = HttpClient.create().tcpConfiguration(tcpClient -> tcpClient.proxy(
                proxy -> proxy.type(ProxyProvider.Proxy.HTTP).host("proxyhostname").port(Integer.valueOf(port number)).build()));
        ClientHttpConnector connector = new ReactorClientHttpConnector(httpClient);
        return WebClient.builder().clientConnector(connector).filter(oauth2FilterFunction).build();
    }

If you try to invoke the API endpoint, I am getting the error as it's not taking the proxy config.

Note: I raised this with the Reactor Netty team and had a troubleshooting session. If it's a Netty issue, it should not work even with 5.3.0 RELEASE.

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Aug 17, 2020
@jgrandja
Contributor

@kmariappan2016 As mentioned in this comment, I need a minimal reproducible sample via a GitHub repo that I can clone and reproduce with minimal effort on my end.

@jgrandja jgrandja added status: waiting-for-feedback We need additional information before we can continue and removed status: feedback-provided Feedback has been provided labels Aug 17, 2020
@kmariappan2016
Author

I will upload the details in a day with GitHub and provide you the link.
The prerequisite is that you should have the OAuth resources behind the proxy, and I hope you would be knowing this too.

Thanks,

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Aug 17, 2020
@jgrandja jgrandja added status: waiting-for-feedback We need additional information before we can continue and removed status: feedback-provided Feedback has been provided labels Aug 17, 2020
@spring-projects-issues

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

@spring-projects-issues spring-projects-issues added the status: feedback-reminder We've sent a reminder that we need additional information before we can continue label Aug 24, 2020
@kmariappan2016
Author

Hi,
I have added the sample code repo to simulate the issue.
Please find the URL:
https://github.com/kmariappan2016/spring-web-client.git

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue status: feedback-reminder We've sent a reminder that we need additional information before we can continue labels Aug 27, 2020
@jgrandja
Contributor

jgrandja commented Sep 1, 2020

@kmariappan2016 The sample you provided does not reproduce the issue and it wasn't complete. I had to add @EnableScheduling in SpringKafkaApplication and @Scheduled(fixedDelay = 1000) at ServiceHandler.getCMSurveys() in order to test this out.

The WebClient @Bean injected in ServiceHandler is the same one configured in ConfluentKafkaConfig and I verified the object references are the same for ReactorClientHttpConnector and ServerOAuth2AuthorizedClientExchangeFilterFunction. The configuration is correct.

Although I don't see any reproducible issue here, this is not related to spring-security-oauth2-client and instead is either a reactor issue or WebClient. If you are still having an issue please log it with Spring Framework issues.

@jgrandja jgrandja closed this as completed Sep 1, 2020
@jgrandja jgrandja added for: external-project For an external project and not something we can fix and removed in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) status: feedback-provided Feedback has been provided labels Sep 1, 2020
@jgrandja
Contributor

jgrandja commented Sep 1, 2020

@kmariappan2016 I now see the issue with your configuration in ConfluentKafkaConfig.

The AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager needs to be customized before passing it to ServerOAuth2AuthorizedClientExchangeFilterFunction.

Here is the custom configuration for AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager:

    WebClient webClient = ...     // TODO: Configure the `WebClient` with the `ClientHttpConnector`

    AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager authorizedClientManager =
            new AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager(
                    clientRegistrations, authorizedClientService);
    authorizedClientManager.setAuthorizedClientProvider(createAuthorizedClientProvider(webClient));

Make sure the ReactiveOAuth2AuthorizedClientProvider is using the customized WebClient:

    private ReactiveOAuth2AuthorizedClientProvider createAuthorizedClientProvider(WebClient webClient) {
        WebClientReactiveClientCredentialsTokenResponseClient clientCredentialsTokenResponseClient
                = new WebClientReactiveClientCredentialsTokenResponseClient();
        clientCredentialsTokenResponseClient.setWebClient(webClient);

        return ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
                .clientCredentials(builder -> builder.accessTokenResponseClient(clientCredentialsTokenResponseClient))
                .build();
    }

This should solve your issue.

@jgrandja jgrandja added in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) and removed for: external-project For an external project and not something we can fix labels Sep 1, 2020
@kmariappan2016
Author

Sure, I will try and update here. Thanks much.

@kmariappan2016
Author

It seems it gets the token behind the proxy, but the API endpoint is never getting called. Should I create another instance of WebClient to call the actual API endpoint?

Thanks,

@jgrandja
Contributor

jgrandja commented Sep 8, 2020

@kmariappan2016 I'm glad you were able to resolve the issue and obtain the token behind the proxy. I'm not sure why the API endpoint is not being called. I don't think you need to create a new instance of WebClient?

@kmariappan2016
Author

Thanks. It returns the token endpoint call with 200 OK; after that, it's not calling the API endpoint at all and gets timed out.

Need to investigate further and hope you would assist if you know something.

Thanks,

@javakonsult

Hi, I am also running into the same issue. I tried using the proxy-enabled WebClient to create a custom ReactiveOAuth2AuthorizedClientProvider. The WebClient config can be found here: https://github.com/easyRider651/proxy-server-test/blob/main/src/main/java/test/WebClientConfig.java

I'll highly appreciate any help that I can get :)
Thank you!
