[英]refresh token is null using Spring Security OAuth2
I am trying to integrate Google OAuth 2 using Spring Security. 我正在尝试使用Spring Security集成Google OAuth 2。 Everything works well, but refresh_token is null. 一切正常,但refresh_token为null。
Here is my config: 这是我的配置:
@Bean public OAuth2ProtectedResourceDetails googleOAuth2Details() { AuthorizationCodeResourceDetails googleOAuth2Details = new AuthorizationCodeResourceDetails(); googleOAuth2Details.setAuthenticationScheme(form); googleOAuth2Details.setClientAuthenticationScheme(form); googleOAuth2Details.setClientId(googleClientId); googleOAuth2Details.setClientSecret(googleClientSecret); googleOAuth2Details.setUserAuthorizationUri(googleOAuthUri); googleOAuth2Details.setAccessTokenUri(googleTokenUrl); googleOAuth2Details.setScope(asList("openid","email")); return googleOAuth2Details; }
I read that in order to get refresh_token, access_type has to be "offline". 我读到为了获得refresh_token,access_type必须为“ offline”。 But what is the way to set it in Spring? 但是在Spring中设置它的方法是什么?
I'm afraid that ' access_type ' param is not in scope of OAUTH2 Authorization (RFC 6749) and Spring doesn't have it by default, so you need to add it manually. 恐怕' access_type '参数不在OAUTH2授权(RFC 6749)的范围内,Spring默认情况下没有它,因此您需要手动添加它。 Unfortunately I don't now correct way to do it right now, but I think that ' OAuth2RestTemplate#getAccessToken ' is a good place to start the investigation. 不幸的是,我现在不正确地执行此操作,但是我认为“ OAuth2RestTemplate#getAccessToken ”是开始调查的好地方。
Try this: you may add the parameter "hard-configured" to googleOAuthUri
, so: 试试看:您可以将参数“ hard-configured”添加到googleOAuthUri
,所以:
googleOAuthUri = googleOAuthUri + "?access_type=offline";
googleOAuth2Details.setUserAuthorizationUri(googleOAuthUri);
and hopefully Spring does the right thing when adding the other parameters. 并希望Spring在添加其他参数时做正确的事情。
Also be aware that the refresh_token
is only returned the first time that a user grants access to your client. 另请注意,仅在用户第一次授予对您的客户端的访问权限时才返回refresh_token
。 Subsequent authorization requests will not produce a new refresh_token
since it is assumed that your client has stored that from the first request. 后续的授权请求将不会产生新的refresh_token
因为假定您的客户端已存储了第一个请求中的内容。
You can create customizing implementation of OAuth2AuthorizationRequestResolver
and add additionalParameters(..)
with "access_type"="offline"
as described at Spring security documentation . 您可以创建OAuth2AuthorizationRequestResolver
自定义实现,并按照Spring安全性文档中的说明添加带有"access_type"="offline"
的OAuth2AuthorizationRequestResolver
additionalParameters(..)
。
@EnableWebSecurity
public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
private final ClientRegistrationRepository clientRegistrationRepository;
public OAuth2LoginSecurityConfig(ClientRegistrationRepository clientRegistrationRepository) {
this.clientRegistrationRepository = clientRegistrationRepository;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.anyRequest().authenticated()
.and()
.oauth2Login()
.authorizationEndpoint()
.authorizationRequestResolver(
new CustomAuthorizationRequestResolver(
this.clientRegistrationRepository));
}
}
public class CustomAuthorizationRequestResolver implements OAuth2AuthorizationRequestResolver {
private final OAuth2AuthorizationRequestResolver defaultAuthorizationRequestResolver;
public CustomAuthorizationRequestResolver(ClientRegistrationRepository clientRegistrationRepository) {
this.defaultAuthorizationRequestResolver = new DefaultOAuth2AuthorizationRequestResolver(clientRegistrationRepository, OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI);
}
@Override
public OAuth2AuthorizationRequest resolve(HttpServletRequest request) {
final OAuth2AuthorizationRequest authorizationRequest = this.defaultAuthorizationRequestResolver.resolve(request);
return authorizationRequest != null ? customAuthorizationRequest(authorizationRequest) : null;
}
@Override
public OAuth2AuthorizationRequest resolve(HttpServletRequest request, String clientRegistrationId) {
final OAuth2AuthorizationRequest authorizationRequest = this.defaultAuthorizationRequestResolver.resolve(request, clientRegistrationId);
return authorizationRequest != null ? customAuthorizationRequest(authorizationRequest) : null;
}
private OAuth2AuthorizationRequest customAuthorizationRequest(OAuth2AuthorizationRequest authorizationRequest) {
Map<String, Object> additionalParameters = new LinkedHashMap<>(authorizationRequest.getAdditionalParameters());
additionalParameters.put("access_type", "offline");
return OAuth2AuthorizationRequest.from(authorizationRequest)
.additionalParameters(additionalParameters)
.build();
}
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.