
oauth2 auto refresh token

I have a spring boot controller that invokes a service on wso2 (it sends an identity and receives a token for further communication). I am looking for a way to auto-refresh the token on the spring boot side (because the invocation of the service on wso2 is not done by a browser, but rather by another service). So, on the spring boot side, how can I achieve that? I understand that I should check the expiration date of the access_token and use the refresh_token to receive a new access_token, but is there some library that does that, or do I have to code this logic myself? Also, when running my app on multiple instances of spring boot, how do I prevent the token being refreshed by one instance from invalidating the token on another instance that uses the same token?

OAuth2 provides five grants for acquiring the access token. One of them is the refresh token grant, which is used to obtain a new access token after the client has been authorized for access and the token has already expired. In the refresh token grant, the client sends a POST request to the authorization server with the following parameters:

grant_type=refresh_token&client_id=your_client_id&client_secret=your_client_secret&refresh_token=your_refresh_token_from_the_first_grant

The auth URL should be the same as the first time you obtained the token. For auto-refreshing the token, you can catch HttpClientErrorException when you access the resource server and check if the status code is HttpStatus.UNAUTHORIZED. If it is, then send a request for a new token.

try {
    // call the resource server with the current access token
    response = getRestTemplate().exchange...
} catch (HttpClientErrorException e) {
    if (e.getStatusCode().equals(HttpStatus.UNAUTHORIZED)) {
        // code to refresh the token or throw custom exception...
    }
} catch (Exception e) {
    //
}

For multiple instances of the client, this might help you: Spring Oauth2 - multiple tokens per client id

I have not verified it, but essentially it uses the scope in the POST parameter to generate a different token for the same client_id.
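As an added example (not code from the original answer, nor a Spring or WSO2 API), the catch-401 pattern above combined with the proactive expiry check the question asks about: the token is refreshed shortly before expires_in runs out, a 401 triggers exactly one refresh-and-retry, and concurrent callers in one JVM share a single refresh. RefreshingTokenClient, its TokenResponse holder, and the token URL, client credentials and first-grant values passed in are all assumed; the multi-instance case still needs a shared token store, which the comment marks but the class does not provide.

```java
import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import org.springframework.http.*;
import org.springframework.util.*;
import org.springframework.web.client.*;
// Hypothetical helper, not code from the original answer: holds one WSO2-issued token,
// refreshes it shortly before expiry, and retries a rejected (401) request exactly once.
public class RefreshingTokenClient {
    private final RestTemplate rest = new RestTemplate();
    private final String tokenUrl, clientId, clientSecret;  // assumed to come from config
    private String accessToken, refreshToken;               // values from the first grant
    private long expiresAtMillis;
    public RefreshingTokenClient(String tokenUrl, String clientId, String clientSecret, TokenResponse first) {
        this.tokenUrl = tokenUrl; this.clientId = clientId; this.clientSecret = clientSecret; store(first);
    }
    private void store(TokenResponse t) {
        accessToken = t.access_token;
        if (t.refresh_token != null) refreshToken = t.refresh_token;  // servers may rotate it
        expiresAtMillis = System.currentTimeMillis() + t.expires_in * 1000;
    }
    // Single-flight within this JVM: concurrent callers wait for one refresh instead of each spending the
    // (often single-use) refresh token. Across several instances a shared token store must take this role.
    private synchronized String currentToken() {
        if (System.currentTimeMillis() + 30_000 < expiresAtMillis) return accessToken;  // 30 s skew
        return refresh();
    }
    private synchronized String refresh() {  // the refresh_token grant from the answer, form-encoded
        MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
        form.add("grant_type", "refresh_token"); form.add("refresh_token", refreshToken);
        form.add("client_id", clientId); form.add("client_secret", clientSecret);
        HttpHeaders h = new HttpHeaders();
        h.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
        store(rest.postForObject(tokenUrl, new HttpEntity<>(form, h), TokenResponse.class));
        return accessToken;
    }
    public <T> ResponseEntity<T> get(String url, Class<T> type) {
        String token = currentToken();
        for (int attempt = 0; ; attempt++) {
            HttpHeaders h = new HttpHeaders();
            h.setBearerAuth(token);  // Authorization: Bearer <token>
            try {
                return rest.exchange(url, HttpMethod.GET, new HttpEntity<>(h), type);
            } catch (HttpClientErrorException e) {
                if (attempt > 0 || e.getStatusCode().value() != 401) throw e;  // never loop on 401
                synchronized (this) { token = token.equals(accessToken) ? refresh() : accessToken; }
            }
        }
    }
    @JsonIgnoreProperties(ignoreUnknown = true) public static class TokenResponse { public String access_token, refresh_token; public long expires_in; }
}
```

The equality check inside the synchronized block skips the refresh when another thread has already replaced the rejected token, so a burst of 401s costs one refresh rather than one per request.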
