Provide an OAuth2 Token to a Feign Client – 向Feign客户端提供OAuth2令牌

最后修改: 2022年 2月 17日

1. Overview


OpenFeign is a declarative REST client that we can use in Spring Boot applications. Let’s assume that we have a REST API secured using OAuth2, and we want to invoke it using OpenFeign. In this situation, we’ll need to provide an access token with OpenFeign.

OpenFeign是一个声明式REST客户端,我们可以在Spring Boot应用程序中使用。让我们假设我们有一个使用OAuth2安全的REST API,并且我们希望使用OpenFeign来调用它。在这种情况下,我们需要用OpenFeign提供一个访问令牌。

In this tutorial, we’ll describe how to add OAuth2 support to the OpenFeign client.


2. Service to Service Authentication


The service to service authentication is a popular topic in API security. We can use mTLS or JWT to provide an authentication mechanism for a REST API. However, the OAuth2 protocol is the defacto solution to protect the APIs. Let’s say we want to call a secure service (server role) using another service (client role). In this scenario, we use the client credential grant type. We usually use client credentials for authentication between two APIs or systems with no end-user. The below figure shows the main actors in this grant type:

服务到服务的认证是API安全中的一个热门话题。我们可以使用mTLSJWT来为REST API提供一个认证机制。然而,OAuth2协议是保护API的事实上的解决方案。假设我们想使用另一个服务(客户角色)来调用一个安全服务(服务器角色)。在这种情况下,我们使用客户凭证授予类型。我们通常使用客户端凭证来进行两个API之间的认证或没有最终用户的系统。下图显示了这种授予类型中的主要角色。

openfeign client credential1

In client credentials, the client service obtains an access token from the authorization server using the token endpoint. It then uses the access token to access resources protected by a resource server. The resource server validates the access token, and if valid, serves the request.


2.1. Authorization Server


Let’s set up an authorization server for issuing access tokens. To keep things simple for now, we’ll be using Keycloak embedded in a Spring Boot application. Let’s assume that we use the authorization server project available on GitHub. First, we define the payment-app client in realm master in our embedded Keycloak server:

让我们来设置一个授权服务器来发行访问令牌。为了保持简单,我们将使用嵌入Spring Boot应用程序中的Keycloak。让我们假设我们使用授权服务器项目可在GitHub上获得。首先,我们在嵌入式Keycloak服务器的境界master中定义payment-app客户端。

openfeign payment client1

We set the Access Type to credential and enable the Service Accounts Enabled option. Then, we export the realm details as feign-realm.json and set the realm file in our application-feign.yml:

我们将Access Type设置为credential,并启用Service Accounts Enabled选项。然后,我们将境界细节导出为feign-realm.json,并在application-feign.yml中设置境界文件。

    contextPath: /auth
      username: bael-admin
      password: pass
    realmImportFile: feign-realm.json

Now, the authorization server is ready. Finally, we can run the application using the – option. Since we’re focusing on the OpenFeign OAuth2 support in this tutorial, we don’t need to dive any deeper into it.

现在,授权服务器已经准备好了。最后,我们可以使用选项来运行该应用程序。由于我们在本教程中专注于OpenFeign OAuth2的支持,我们不需要再深入研究。

2.2. Resource Server


Now that we’ve configured the authorization server, let’s set up the resource server. For that, we’ll use the resource server project available on GitHub. First, we add the Payment class as a resource:

现在我们已经配置了授权服务器,让我们来设置资源服务器为此,我们将使用资源服务器项目在 GitHub上提供。首先,我们添加Payment类作为资源。

public class Payment {

    private String id;
    private double amount;

   // standard getters and setters

Then, we declare an API in PaymentController class:


public class PaymentController {

    public List<Payment> getPayments() {
        List<Payment> payments = new ArrayList<>();
        for(int i = 1; i < 6; i++){
            Payment payment = new Payment();
        return payments;


The getPayments() API returns a list of payments. Also, we configure the resource server in our application-feign.yml file:

getPayments() API返回一个付款列表。另外,我们在application-feign.yml文件中配置了资源服务器。

          issuer-uri: http://localhost:8083/auth/realms/master

Now, the getPayments() API is secure using the OAuth2 authorization server, and we must provide a valid access token for invoking this API:

现在,getPayments() API使用OAuth2授权服务器是安全的,我们必须提供一个有效的访问令牌来调用这个API。

curl --location --request POST 'http://localhost:8083/auth/realms/master/protocol/openid-connect/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'client_id=payment-app' \
  --data-urlencode 'client_secret=863e9de4-33d4-4471-b35e-f8d2434385bb' \
  --data-urlencode 'grant_type=client_credentials'

After getting the access token, we set it in the Authorization header of the request:


curl --location --request GET 'http://localhost:8081/resource-server-jwt/payments' \
  --header 'Authorization: Bearer Access_Token' 

Now, we want to call the secure API using OpenFeign instead of cURL or Postman.


3. OpenFeign Client


3.1. Dependencies

3.1. 依赖性

To use the Spring Cloud OpenFeign for invoking the secure API, we’ll need to add the spring-cloud-starter-openfeign to our pom.xml file:

为了使用Spring Cloud OpenFeign来调用安全API,我们需要将spring-cloud-starter-openfeign加入我们的pom.xml文件。


Additionally, we need to add the spring-cloud-dependencies to the pom.xml:



3.2. Configuration


First, we need to add @EnableFeignClients to our main class:


public class ExampleApplication {
    public static void main(String[] args) {, args);

Then, we define the PaymentClient interface for invoking the getPayments() API. Also, we need to add @FeignClient to our PaymentClient interface:

然后,我们定义PaymentClient接口,用于调用getPayments() API。此外,我们需要将@FeignClient添加到我们的PaymentClient接口。

  name = "payment-client", 
  url = "http://localhost:8081/resource-server-jwt", 
  configuration = OAuthFeignConfig.class)
public interface PaymentClient {

    @RequestMapping(value = "/payments", method = RequestMethod.GET)
    List<Payment> getPayments();

We set the url according to the address of the resource server. In this case, the main parameter of the @FeignClient is the configuration attribute that supports OAuth2 for OpenFeign. After that, we define a PaymentController class and inject PaymentClient into it:


public class PaymentController {

    private final PaymentClient paymentClient;

    public PaymentController(PaymentClient paymentClient) {
        this.paymentClient = paymentClient;

    public List<Payment> getPayments() {
        List<Payment> payments = paymentClient.getPayments();
        return payments;

4. OAuth2 Support


4.1. Dependencies

4.1. 依赖性

To add the OAuth2 support to Spring Cloud OpenFeign, we’ll need to add the spring-security-oauth2-client and spring-boot-starter-security to our pom.xml file:

为了向Spring Cloud OpenFeign添加OAuth2支持,我们需要将spring-security-oauth2-clientspring-boot-start-security添加到我们的pom.xml文件。


4.2. Configuration


Now, we want to create a configuration. The idea is to get and add an access token to the OpenFeign request. The interceptors can perform this task for every HTTP request/response. Adding interceptors is a useful feature provided by Feign. We’ll use a RequestInterceptor, which injects the OAuth2 access token into the request of the OpenFeign client by adding an Authorization Bearer header. Let’s define the OAuthFeignConfig configuration class and define the requestInterceptor() bean:

现在,我们要创建一个配置。这个想法是为了获取并向OpenFeign请求添加访问令牌。 拦截器可以对每个HTTP请求/响应执行这个任务。添加拦截器是Feign提供的一个有用的功能。我们将使用一个RequestInterceptor,它通过添加授权承载头将OAuth2访问令牌注入OpenFeign客户端的请求中。让我们定义OAuthFeignConfig配置类并定义requestInterceptor()bean。

public class OAuthFeignConfig {

    public static final String CLIENT_REGISTRATION_ID = "keycloak";

    private final OAuth2AuthorizedClientService oAuth2AuthorizedClientService;
    private final ClientRegistrationRepository clientRegistrationRepository;

    public OAuthFeignConfig(OAuth2AuthorizedClientService oAuth2AuthorizedClientService,
      ClientRegistrationRepository clientRegistrationRepository) {
        this.oAuth2AuthorizedClientService = oAuth2AuthorizedClientService;
        this.clientRegistrationRepository = clientRegistrationRepository;

    public RequestInterceptor requestInterceptor() {
        ClientRegistration clientRegistration = clientRegistrationRepository.findByRegistrationId(CLIENT_REGISTRATION_ID);
        OAuthClientCredentialsFeignManager clientCredentialsFeignManager =
          new OAuthClientCredentialsFeignManager(authorizedClientManager(), clientRegistration);
        return requestTemplate -> {
            requestTemplate.header("Authorization", "Bearer " + clientCredentialsFeignManager.getAccessToken());

In the requestInterceptor() bean, we use the ClientRegistration and OAuthClientCredentialsFeignManager classes to register the oauth2 client and get an access token from the authorization server. To do this, we need to define the oauth2 client properties in our file:

requestInterceptor() Bean中,我们使用ClientRegistrationOAuthClientCredentialsFeignManager类来注册oauth2客户端并从授权服务器获得访问令牌。要做到这一点,我们需要在application.properties文件中定义oauth2客户端属性。

Let’s create the OAuthClientCredentialsFeignManager class and define the getAccessToken() method:


public String getAccessToken() {
    try {
        OAuth2AuthorizeRequest oAuth2AuthorizeRequest = OAuth2AuthorizeRequest
        OAuth2AuthorizedClient client = manager.authorize(oAuth2AuthorizeRequest);
        if (isNull(client)) {
            throw new IllegalStateException("client credentials flow on " + clientRegistration.getRegistrationId() + " failed, client is null");
        return client.getAccessToken().getTokenValue();
    } catch (Exception exp) {
        logger.error("client credentials error " + exp.getMessage());
    return null;

We use OAuth2AuthorizeRequest and OAuth2AuthorizedClient classes for getting the access token from the authorization server. Now for every request, the OpenFeign interceptor manages the oauth2 client and adds the access token to the request.


5. Test


To test the OpenFeign client, let’s create the PaymentClientUnitTest class:


public class PaymentClientUnitTest {

    private PaymentClient paymentClient;

    public void whenGetPayment_thenListPayments() {
        List<Payment> payments = paymentClient.getPayments();

In this test, we call the getPayments() API. The PaymentClient under the hood connects to the OAuth2 client and gets an access token using the interceptor.

在这个测试中,我们调用getPayments() API。引擎盖下的PaymentClient连接到OAuth2客户端,并使用拦截器获得一个访问令牌。

6. Conclusion


In this article, we set up the required environment for invoking a secure API. Then, we configure the OpenFeign to call the secure API through a practical example. For this, we add and configure the interceptor to OpenFeign. The interceptor manages the OAuth2 client and adds the access token to the request.


As always, the full source code of this tutorial is available over on GitHub. Additionally, the resource and authorization server source code is available over on GitHub.