How to handle OAuth webclient exceptions

Question

I am pretty new to Spring and have been trying to catch unauthorized exceptions when authentication to a server by OAUTH. I don't understand why the method handleResponseError() doesn't catch the exception.

The stacktrace I get is:

org.springframework.security.oauth2.client.ClientAuthorizationException: [invalid_client] Client authentication failed
    at org.springframework.security.oauth2.client.ClientCredentialsReactiveOAuth2AuthorizedClientProvider.lambda$authorize$0(ClientCredentialsReactiveOAuth2AuthorizedClientProvider.java:82)
    Suppressed: reactor.core.publisher.FluxOnAssembly$OnAssemblyException: 
Error has been observed at the following site(s):
    |_ checkpoint ⇢ Request to GET https://localhost:8181/catalog/NL/brands?language_code=nl [DefaultWebClient]
Stack trace:
        at org.springframework.security.oauth2.client.ClientCredentialsReactiveOAuth2AuthorizedClientProvider.lambda$authorize$0(ClientCredentialsReactiveOAuth2AuthorizedClientProvider.java:82)
        at reactor.core.publisher.Mono.lambda$onErrorMap$29(Mono.java:3272)
        at reactor.core.publisher.Mono.lambda$onErrorResume$31(Mono.java:3362)
        at reactor.core.publisher.FluxOnErrorResume$ResumeSubscriber.onError(FluxOnErrorResume.java:88)
        at reactor.core.publisher.FluxHide$SuppressFuseableSubscriber.onError(FluxHide.java:132)
        at reactor.core.publisher.MonoFlatMap$FlatMapMain.secondError(MonoFlatMap.java:185)
        at reactor.core.publisher.MonoFlatMap$FlatMapInner.onError(MonoFlatMap.java:251)
        at reactor.core.publisher.FluxMapFuseable$MapFuseableSubscriber.onError(FluxMapFuseable.java:134)
        at reactor.core.publisher.FluxMapFuseable$MapFuseableSubscriber.onError(FluxMapFuseable.java:134)
        at reactor.core.publisher.MonoFlatMap$FlatMapMain.onNext(MonoFlatMap.java:135)
        at reactor.core.publisher.FluxMap$MapSubscriber.onNext(FluxMap.java:114)
        at reactor.core.publisher.FluxSwitchIfEmpty$SwitchIfEmptySubscriber.onNext(FluxSwitchIfEmpty.java:67)
        at reactor.core.publisher.FluxOnErrorResume$ResumeSubscriber.onNext(FluxOnErrorResume.java:73)
        at reactor.core.publisher.Operators$MonoSubscriber.complete(Operators.java:1782)
        at reactor.core.publisher.MonoFlatMap$FlatMapMain.onNext(MonoFlatMap.java:144)

The code to authenticate to the server:

  @Bean
  public WebClient myClient() {
    InMemoryReactiveClientRegistrationRepository clientRegistryRepo = new InMemoryReactiveClientRegistrationRepository(getClientRegistration());
    InMemoryReactiveOAuth2AuthorizedClientService clientService = new InMemoryReactiveOAuth2AuthorizedClientService(clientRegistryRepo);
    AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager authorizedClientManager = new AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager(clientRegistryRepo, clientService);
    ServerOAuth2AuthorizedClientExchangeFilterFunction oauthFilter = new ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager);

    oauthFilter.setDefaultClientRegistrationId(OAUTH_PROVIDER_NAME);

    return WebClient.builder()
        .clientConnector(new JettyClientHttpConnector(createHttpClient()))
        .exchangeStrategies(getMaxMessageInMemorySize(maxInMemorySize))
        .baseUrl(baseURL)
        .filter(oauthFilter)
        .filter(handleResponseError())
        .build();
  }

  private static ExchangeFilterFunction handleResponseError() {
    return ExchangeFilterFunction.ofResponseProcessor(
        response -> response.statusCode().isError() ?
            response.bodyToMono(String.class)
                .flatMap(errorBody -> Mono.error(new MyUnAuthorizedRequestException(response.statusCode().name(), errorBody, ""))) :
            Mono.just(response));
  }

I have looked at various examples:

• How to set the access token once during the instanciation of the webClient in spring webflux?
• https://www.baeldung.com/spring-webclient-oauth2

I catch all the other exceptions using @ControllerAdvice. Is that the correct way to handle this?

Answer 1

I found the solution:

 .... omitted
 ServerOAuth2AuthorizedClientExchangeFilterFunction oauthFilter = new 
 ServerOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager);
    oauthFilter.setDefaultClientRegistrationId(OAUTH_PROVIDER_NAME);

    return WebClient.builder()
        .clientConnector(new JettyClientHttpConnector(createHttpClient()))
        .exchangeStrategies(getMaxMessageInMemorySize(maxInMemorySize))
        .baseUrl(baseURL)
        .filter(oauthFilter)
        .build();
  }


  private ReactiveOAuth2AuthorizationFailureHandler getReactiveOAuth2AuthorizationFailureHandler() {
    final ReactiveOAuth2AuthorizationFailureHandler reactiveOAuth2AuthorizationFailureHandler = (authorizationException, principal, attributes) -> {
      if (authorizationException instanceof ClientAuthorizationException) {
        ClientAuthorizationException clientAuthorizationException = (ClientAuthorizationException)authorizationException;
        return Mono.error(new MyUnAuthorizedRequestException("401","Could not authorize client", clientAuthorizationException.getMessage()));
      } else {
        return Mono.empty();
      }
    };
    return reactiveOAuth2AuthorizationFailureHandler;
  }