OAuth2 refresh_token logic implementation in spring-security-oauth2
I have successfully implemented the request for a new token in OAuth2 for this request:

    curl --request POST --url https://some-autentication-server.com/token --header 'content-type: content-type'

with the body provided as:

    {
      "grant_type": "password",
      "username": "username",
      "password": "password",
      "client_id": "my-client-id"
    }
After the authentication, the resource server can be accessed with curl as:

    curl -i -H "authorization: Bearer token-received-from-auth-server" \
         -H "accept: application/json" \
         -H "request-id: abcdef" \
         -H "consent-status: optedIn" \
         -X GET https://my-resource-server.com/path
The configuration I've used in Spring Boot is this:

    import java.util.ArrayList;
    import java.util.Arrays;
    import java.util.HashMap;
    import java.util.Map;

    import org.apache.http.HttpHost;
    import org.apache.http.impl.client.CloseableHttpClient;
    import org.apache.http.impl.client.HttpClientBuilder;
    import org.springframework.beans.factory.annotation.Qualifier;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.context.annotation.Scope;
    import org.springframework.context.annotation.ScopedProxyMode;
    import org.springframework.http.client.ClientHttpRequestFactory;
    import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
    import org.springframework.security.oauth2.client.DefaultOAuth2ClientContext;
    import org.springframework.security.oauth2.client.OAuth2RestOperations;
    import org.springframework.security.oauth2.client.OAuth2RestTemplate;
    import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails;
    import org.springframework.security.oauth2.client.token.AccessTokenProvider;
    import org.springframework.security.oauth2.client.token.AccessTokenProviderChain;
    import org.springframework.security.oauth2.client.token.AccessTokenRequest;
    import org.springframework.security.oauth2.client.token.DefaultAccessTokenRequest;
    import org.springframework.security.oauth2.client.token.grant.password.ResourceOwnerPasswordAccessTokenProvider;
    import org.springframework.security.oauth2.client.token.grant.password.ResourceOwnerPasswordResourceDetails;
    import org.springframework.security.oauth2.config.annotation.web.configuration.EnableOAuth2Client;

    @EnableOAuth2Client
    @Configuration
    public class OauthClientConfig {

        // Apache HttpClient routed through an outbound proxy (placeholder host and port).
        @Bean
        public CloseableHttpClient httpClient() {
            return HttpClientBuilder.create()
                    .setProxy(new HttpHost("PROXY_HOST_NAME", 3000, "http"))
                    .build();
        }

        // Request factory shared by the token provider and the REST template,
        // with 10 s connect and read timeouts.
        @Bean
        public ClientHttpRequestFactory clientHttpRequestFactory(CloseableHttpClient httpClient) {
            HttpComponentsClientHttpRequestFactory factory =
                    new HttpComponentsClientHttpRequestFactory(httpClient);
            factory.setReadTimeout(10000);
            factory.setConnectTimeout(10000);
            return factory;
        }

        // Session-scoped template: every HTTP session gets its own client context
        // and therefore its own access/refresh token pair.
        @Bean
        @Qualifier("restTemplate")
        @Scope(value = "session", proxyMode = ScopedProxyMode.INTERFACES)
        public OAuth2RestOperations restTemplate(OAuth2ProtectedResourceDetails oAuth2Resource,
                ClientHttpRequestFactory clientHttpRequestFactory, AccessTokenProvider accessTokenProvider) {
            Map<String, String[]> map = new HashMap<>();
            AccessTokenRequest tokenRequest = new DefaultAccessTokenRequest(map);
            OAuth2RestTemplate restTemplate = new OAuth2RestTemplate(oAuth2Resource,
                    new DefaultOAuth2ClientContext(tokenRequest));
            restTemplate.setRequestFactory(clientHttpRequestFactory);
            restTemplate.setAccessTokenProvider(accessTokenProvider);
            return restTemplate;
        }

        // Password-grant provider wrapped in a chain; the chain decides whether
        // to reuse the current token, refresh it, or obtain a new one.
        @Bean
        public AccessTokenProvider accessTokenProvider(ClientHttpRequestFactory clientHttpRequestFactory,
                OAuth2ProtectedResourceDetails oAuth2Resource) {
            ResourceOwnerPasswordAccessTokenProvider accessTokenProvider =
                    new ResourceOwnerPasswordAccessTokenProvider();
            // supportsRefresh() only reports whether this provider can refresh
            // (it returns true here); calling it does not enable anything.
            accessTokenProvider.supportsRefresh(oAuth2Resource);
            accessTokenProvider.setRequestFactory(clientHttpRequestFactory);
            return new AccessTokenProviderChain(Arrays.<AccessTokenProvider>asList(accessTokenProvider));
        }

        // Resource details for the password grant (all values are placeholders).
        @Bean
        @Qualifier("oAuth2Resource")
        public OAuth2ProtectedResourceDetails oAuth2Resource() {
            ResourceOwnerPasswordResourceDetails oAuth2Resource = new ResourceOwnerPasswordResourceDetails();
            oAuth2Resource.setId("MY_ID");
            oAuth2Resource.setAccessTokenUri("TOKEN_URL");
            oAuth2Resource.setClientId("TOKEN_CLIENTID");
            oAuth2Resource.setClientSecret("TOKEN_CLIENT_SECRET");
            oAuth2Resource.setScope(new ArrayList<String>(Arrays.asList("read")));
            oAuth2Resource.setUsername("TOKEN_USERNAME");
            oAuth2Resource.setPassword("TOKEN_PAZZWORD");
            oAuth2Resource.setTokenName("access_token");
            oAuth2Resource.setGrantType("password");
            return oAuth2Resource;
        }
    }
This works fine for the new token request, but now I want to be able to write the logic for implementing the refresh_token. Ideally, I want to store the tokens before their expiry time, and as soon as the token reaches about 90% of its expiry time, the refresh token logic would run and hit the authentication server to refresh the token. The refresh token logic would run in the background all the time. My question is how to implement this logic using the spring-security-oauth2 library? Is this logic already implemented in the library, or do I have to write the logic myself?
I want to store the tokens before their expiry time, and as soon as the token reaches about 90% of its expiry time, the refresh token logic would run and hit the authentication server to refresh the token.

This is not according to the OAuth RFC.

https://tools.ietf.org/html/rfc6749#section-1.5

Only once the client gets an error from the resource server that the previous token is not valid is the refresh token used to get a new token. Look at steps E to G in the above link.

Spring OAuth 2.0 supports the flow as per OAuth. Here is a blog post which I found regarding that.
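The following is an added example written for this page; it is neither the asker's code nor part of spring-security-oauth2. It shows where the two posts meet: `AccessTokenProviderChain` (already in the asker's config) refreshes only once the stored token reports `isExpired()`, which is the expiry-driven behaviour the answer describes, and the same `refreshAccessToken` call can be made earlier from a scheduled job if the asker still wants the 90% rule. The example assumes `@EnableScheduling` on a configuration class and a single application-scoped `OAuth2ClientContext` bean (for instance a plain `DefaultOAuth2ClientContext`); it cannot work against the question's session-scoped template, because that holds one token per HTTP session and a background job has no session. The class name `EarlyTokenRefresher`, the 30 s polling interval and the first-seen bookkeeping are assumptions of this example.

```java
import org.springframework.scheduling.annotation.Scheduled;
import org.springframework.security.oauth2.client.OAuth2ClientContext;
import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails;
import org.springframework.security.oauth2.client.token.AccessTokenProvider;
import org.springframework.security.oauth2.client.token.DefaultAccessTokenRequest;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2RefreshToken;
import org.springframework.stereotype.Component;

// Hypothetical component (not from the question or the library): refreshes the
// token held in an application-scoped OAuth2ClientContext once 90% of its
// observed lifetime has elapsed, using the same provider chain as the question.
@Component
public class EarlyTokenRefresher {

    /** Refresh once this fraction of the token's observed lifetime has elapsed. */
    static final double REFRESH_AT_FRACTION = 0.9;

    private final OAuth2ClientContext context;
    private final OAuth2ProtectedResourceDetails resource;
    private final AccessTokenProvider provider;

    // The library stores only the expiry, not the issue time, so the lifetime
    // is measured from the moment this job first sees a given token value.
    private String trackedValue;
    private long firstSeenMillis;

    public EarlyTokenRefresher(OAuth2ClientContext context,
                               OAuth2ProtectedResourceDetails resource,
                               AccessTokenProvider provider) {
        this.context = context;
        this.resource = resource;
        this.provider = provider;
    }

    @Scheduled(fixedDelay = 30_000) // polling interval is an assumption of this example
    public synchronized void refreshIfNearExpiry() {
        OAuth2AccessToken token = context.getAccessToken();
        if (token == null || token.getExpiration() == null) {
            return; // nothing obtained yet, or a token without an expiry: nothing to do
        }
        long now = System.currentTimeMillis();
        if (!token.getValue().equals(trackedValue)) {
            trackedValue = token.getValue();
            firstSeenMillis = now;
        }
        if (!shouldRefresh(firstSeenMillis, token.getExpiration().getTime(), now)) {
            return;
        }
        OAuth2RefreshToken refreshToken = token.getRefreshToken();
        if (refreshToken == null) {
            return; // server issued no refresh token; the chain re-runs the password grant on expiry
        }
        try {
            // Same call AccessTokenProviderChain makes once isExpired() is true, just earlier.
            OAuth2AccessToken fresh = provider.refreshAccessToken(resource, refreshToken,
                    new DefaultAccessTokenRequest());
            // Storing the whole token also keeps a rotated refresh token if the server sent one.
            context.setAccessToken(fresh);
            trackedValue = fresh.getValue();
            firstSeenMillis = System.currentTimeMillis();
        } catch (RuntimeException e) {
            // Refresh token revoked or server unreachable: keep the current token and let
            // the chain's normal expiry-driven path handle it on the next request.
        }
    }

    /** Pure decision rule, kept separate so it can be unit-tested without Spring. */
    static boolean shouldRefresh(long firstSeenMillis, long expiresAtMillis, long nowMillis) {
        long lifetime = expiresAtMillis - firstSeenMillis;
        if (lifetime <= 0) {
            return true; // already expired (or clock skew): refresh immediately
        }
        return (nowMillis - firstSeenMillis) >= lifetime * REFRESH_AT_FRACTION;
    }
}
```

Two design points worth noting. The refresh token never leaves the client context's memory; nothing here writes it to disk or logs it, which matters because a refresh token is a long-lived credential. And the job deliberately swallows a failed refresh instead of clearing the context: if the authorization server has revoked the refresh token, the stored access token still expires on schedule and `AccessTokenProviderChain` then falls back to the password grant exactly as it does today.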