Update demo-client sample

Author: jgrandja

samples/demo-client/samples-demo-client.gradle

@@ -22,10 +22,8 @@ dependencies {
 	implementation "org.springframework.boot:spring-boot-starter-thymeleaf"
 	implementation "org.springframework.boot:spring-boot-starter-security"
 	implementation "org.springframework.boot:spring-boot-starter-oauth2-client"
-	implementation "org.springframework:spring-webflux"
-	implementation "io.projectreactor.netty:reactor-netty"
 	implementation "org.apache.httpcomponents.client5:httpclient5"
-	implementation "org.webjars:webjars-locator-core"
+	implementation "org.webjars:webjars-locator-lite"
 	implementation "org.webjars:bootstrap:5.2.3"
 	implementation "org.webjars:popper.js:2.9.3"
 	implementation "org.webjars:jquery:3.6.4"

samples/demo-client/src/main/java/sample/authorization/DeviceCodeOAuth2AuthorizedClientProvider.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2023 the original author or authors.
+ * Copyright 2020-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -36,6 +36,8 @@
 import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;
 import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
 import org.springframework.util.Assert;
+import org.springframework.web.context.request.RequestContextHolder;
+import org.springframework.web.context.request.ServletRequestAttributes;
 
 /**
  * @author Steve Riesenberg
@@ -107,7 +109,16 @@ private boolean hasTokenExpired(OAuth2Token token) {
 	public static Function<OAuth2AuthorizeRequest, Map<String, Object>> deviceCodeContextAttributesMapper() {
 		return (authorizeRequest) -> {
 			HttpServletRequest request = authorizeRequest.getAttribute(HttpServletRequest.class.getName());
-			Assert.notNull(request, "request cannot be null");
+			if (request == null) {
+				ServletRequestAttributes requestAttributes = (ServletRequestAttributes) RequestContextHolder
+						.getRequestAttributes();
+				if (requestAttributes != null) {
+					request = requestAttributes.getRequest();
+				}
+			}
+			if (request == null) {
+				return Collections.emptyMap();
+			}
 
 			// Obtain device code from request
 			String deviceCode = request.getParameter(OAuth2ParameterNames.DEVICE_CODE);

samples/demo-client/src/main/java/sample/authorization/OAuth2DeviceAccessTokenResponseClient.java

@@ -40,6 +40,7 @@ public final class OAuth2DeviceAccessTokenResponseClient implements OAuth2Access
 	private RestClient restClient;
 
 	public OAuth2DeviceAccessTokenResponseClient() {
+		// @formatter:off
 		this.restClient = RestClient.builder()
 				.messageConverters((messageConverters) -> {
 					messageConverters.clear();
@@ -48,6 +49,7 @@ public OAuth2DeviceAccessTokenResponseClient() {
 				})
 				.defaultStatusHandler(new OAuth2ErrorResponseErrorHandler())
 				.build();
+		// @formatter:on
 	}
 
 	public void setRestClient(RestClient restClient) {

samples/demo-client/src/main/java/sample/config/RestClientConfig.java

@@ -28,13 +28,33 @@
 import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory;
 import org.apache.hc.core5.http.config.Registry;
 import org.apache.hc.core5.http.config.RegistryBuilder;
+import sample.authorization.DeviceCodeOAuth2AuthorizedClientProvider;
 
+import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.boot.ssl.SslBundle;
 import org.springframework.boot.ssl.SslBundles;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.http.client.ClientHttpRequestFactory;
 import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
+import org.springframework.http.converter.FormHttpMessageConverter;
+import org.springframework.security.oauth2.client.OAuth2AuthorizationFailureHandler;
+import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
+import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProvider;
+import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder;
+import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient;
+import org.springframework.security.oauth2.client.endpoint.OAuth2ClientCredentialsGrantRequest;
+import org.springframework.security.oauth2.client.endpoint.RestClientClientCredentialsTokenResponseClient;
+import org.springframework.security.oauth2.client.http.OAuth2ErrorResponseErrorHandler;
+import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
+import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizedClientManager;
+import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
+import org.springframework.security.oauth2.client.web.client.OAuth2ClientHttpRequestInterceptor;
+import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
+import org.springframework.security.oauth2.core.http.converter.OAuth2AccessTokenResponseHttpMessageConverter;
+import org.springframework.util.LinkedMultiValueMap;
+import org.springframework.util.MultiValueMap;
+import org.springframework.web.client.RestClient;
 
 /**
  * @author Joe Grandja
@@ -43,6 +63,91 @@
 @Configuration(proxyBeanMethods = false)
 public class RestClientConfig {
 
+	@Bean("default-client-rest-client")
+	public RestClient defaultClientRestClient(
+			OAuth2AuthorizedClientRepository authorizedClientRepository,
+			OAuth2AuthorizedClientManager authorizedClientManager,
+			@Qualifier("default-client-http-request-factory") Supplier<ClientHttpRequestFactory> clientHttpRequestFactory) {
+
+		OAuth2ClientHttpRequestInterceptor requestInterceptor =
+				new OAuth2ClientHttpRequestInterceptor(authorizedClientManager);
+		OAuth2AuthorizationFailureHandler authorizationFailureHandler =
+				OAuth2ClientHttpRequestInterceptor.authorizationFailureHandler(authorizedClientRepository);
+		requestInterceptor.setAuthorizationFailureHandler(authorizationFailureHandler);
+		// @formatter:off
+		return RestClient.builder()
+				.requestFactory(clientHttpRequestFactory.get())
+				.requestInterceptor(requestInterceptor)
+				.build();
+		// @formatter:on
+	}
+
+	@Bean("self-signed-demo-client-rest-client")
+	public RestClient selfSignedDemoClientRestClient(
+			ClientRegistrationRepository clientRegistrationRepository,
+			OAuth2AuthorizedClientRepository authorizedClientRepository,
+			@Qualifier("self-signed-demo-client-http-request-factory") Supplier<ClientHttpRequestFactory> clientHttpRequestFactory) {
+
+		RestClient restClient = accessTokenRestClient(clientHttpRequestFactory);
+
+		// @formatter:off
+		OAuth2AuthorizedClientProvider authorizedClientProvider =
+				OAuth2AuthorizedClientProviderBuilder.builder()
+						.clientCredentials(clientCredentials ->
+								clientCredentials.accessTokenResponseClient(
+										createClientCredentialsTokenResponseClient(restClient)))
+						.build();
+		// @formatter:on
+
+		DefaultOAuth2AuthorizedClientManager authorizedClientManager = new DefaultOAuth2AuthorizedClientManager(
+				clientRegistrationRepository, authorizedClientRepository);
+		authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
+
+		OAuth2ClientHttpRequestInterceptor requestInterceptor =
+				new OAuth2ClientHttpRequestInterceptor(authorizedClientManager);
+		OAuth2AuthorizationFailureHandler authorizationFailureHandler =
+				OAuth2ClientHttpRequestInterceptor.authorizationFailureHandler(authorizedClientRepository);
+		requestInterceptor.setAuthorizationFailureHandler(authorizationFailureHandler);
+
+		// @formatter:off
+		return RestClient.builder()
+				.requestFactory(clientHttpRequestFactory.get())
+				.requestInterceptor(requestInterceptor)
+				.build();
+		// @formatter:on
+	}
+
+	@Bean
+	public OAuth2AuthorizedClientManager authorizedClientManager(
+			ClientRegistrationRepository clientRegistrationRepository,
+			OAuth2AuthorizedClientRepository authorizedClientRepository,
+			@Qualifier("default-client-http-request-factory") Supplier<ClientHttpRequestFactory> clientHttpRequestFactory) {
+
+		RestClient restClient = accessTokenRestClient(clientHttpRequestFactory);
+
+		// @formatter:off
+		OAuth2AuthorizedClientProvider authorizedClientProvider =
+				OAuth2AuthorizedClientProviderBuilder.builder()
+						.authorizationCode()
+						.refreshToken()
+						.clientCredentials(clientCredentials ->
+								clientCredentials.accessTokenResponseClient(
+										createClientCredentialsTokenResponseClient(restClient)))
+						.provider(new DeviceCodeOAuth2AuthorizedClientProvider())
+						.build();
+		// @formatter:on
+
+		DefaultOAuth2AuthorizedClientManager authorizedClientManager = new DefaultOAuth2AuthorizedClientManager(
+				clientRegistrationRepository, authorizedClientRepository);
+		authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
+
+		// Set a contextAttributesMapper to obtain device_code from the request
+		authorizedClientManager.setContextAttributesMapper(DeviceCodeOAuth2AuthorizedClientProvider
+				.deviceCodeContextAttributesMapper());
+
+		return authorizedClientManager;
+	}
+
 	@Bean("default-client-http-request-factory")
 	Supplier<ClientHttpRequestFactory> defaultClientHttpRequestFactory(SslBundles sslBundles) {
 		return () -> {
@@ -82,4 +187,34 @@ Supplier<ClientHttpRequestFactory> selfSignedDemoClientHttpRequestFactory(SslBun
 		};
 	}
 
+	private static RestClient accessTokenRestClient(Supplier<ClientHttpRequestFactory> clientHttpRequestFactory) {
+		// @formatter:off
+		return RestClient.builder()
+				.requestFactory(clientHttpRequestFactory.get())
+				.messageConverters((messageConverters) -> {
+					messageConverters.clear();
+					messageConverters.add(new FormHttpMessageConverter());
+					messageConverters.add(new OAuth2AccessTokenResponseHttpMessageConverter());
+				})
+				.defaultStatusHandler(new OAuth2ErrorResponseErrorHandler())
+				.build();
+		// @formatter:on
+
+	}
+
+	private static OAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> createClientCredentialsTokenResponseClient(
+			RestClient restClient) {
+		RestClientClientCredentialsTokenResponseClient clientCredentialsTokenResponseClient =
+				new RestClientClientCredentialsTokenResponseClient();
+		clientCredentialsTokenResponseClient.addParametersConverter(authorizationGrantRequest -> {
+			MultiValueMap<String, String> parameters = new LinkedMultiValueMap<>();
+			// client_id parameter is required for tls_client_auth method
+			parameters.add(OAuth2ParameterNames.CLIENT_ID, authorizationGrantRequest.getClientRegistration().getClientId());
+			return parameters;
+		});
+		clientCredentialsTokenResponseClient.setRestClient(restClient);
+
+		return clientCredentialsTokenResponseClient;
+	}
+
 }

samples/demo-client/src/main/java/sample/config/SecurityConfig.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2024 the original author or authors.
+ * Copyright 2020-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -19,7 +19,6 @@
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
 import org.springframework.security.oauth2.client.oidc.web.logout.OidcClientInitiatedLogoutSuccessHandler;
 import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
 import org.springframework.security.web.SecurityFilterChain;
@@ -37,19 +36,14 @@
 @Configuration(proxyBeanMethods = false)
 public class SecurityConfig {
 
-	@Bean
-	public WebSecurityCustomizer webSecurityCustomizer() {
-		return (web) -> web.ignoring().requestMatchers("/webjars/**", "/assets/**");
-	}
-
 	// @formatter:off
 	@Bean
 	public SecurityFilterChain securityFilterChain(HttpSecurity http,
 			ClientRegistrationRepository clientRegistrationRepository) throws Exception {
 		http
 			.authorizeHttpRequests(authorize ->
 				authorize
-					.requestMatchers("/jwks", "/logged-out").permitAll()
+					.requestMatchers("/webjars/**", "/assets/**", "/jwks", "/logged-out").permitAll()
 					.anyRequest().authenticated()
 			)
 			.oauth2Login(oauth2Login ->