
How to refresh OAuth2 token with Spring Security 5 OAuth2 client and RestTemplate

Spring Security 5.1.0.M2 (release notes) added support for automatic refreshing of tokens when using WebClient. However, I am using RestTemplate. Is there a similar mechanism for RestTemplate or do I need to implement that behavior myself?

The OAuth2RestTemplate class looks promising but it's from the separate Spring Security OAuth module and I would like to use plain Spring Security 5.1 on the client if possible.

OAuth2RestTemplate will refresh tokens automatically. RestTemplate will not (refreshing tokens is part of the OAuth2 spec, hence the OAuth2RestTemplate).

You have 2 options:

  1. Use Spring Security OAuth2 module and everything will work pretty much out of the box (configuration properties provided by Spring)
  2. Create your own RestTemplate based on Spring's OAuth2RestTemplate

Spring's OAuth2 module will be integrated into Spring Security in the future. I would go for option 1.

OAuth2RestTemplate should be used instead of RestTemplate when JWT authentication is required. You can set an AccessTokenProvider on it, which will tell how the JWT token will be retrieved: oAuth2RestTemplate.setAccessTokenProvider(new MyAccessTokenProvider());

In the class implementing AccessTokenProvider you need to implement the obtainAccessToken and refreshAccessToken methods. So in the obtainAccessToken method it can be checked if the token is expired, and if it is, the token is retrieved through refreshAccessToken. Sample implementation (without the details of actual token retrieval and refreshing):

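import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails;
import org.springframework.security.oauth2.client.resource.UserApprovalRequiredException;
import org.springframework.security.oauth2.client.resource.UserRedirectRequiredException;
import org.springframework.security.oauth2.client.token.AccessTokenProvider;
import org.springframework.security.oauth2.client.token.AccessTokenRequest;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2RefreshToken;

public class MyAccessTokenProvider implements AccessTokenProvider {

    @Override
    public OAuth2AccessToken obtainAccessToken(OAuth2ProtectedResourceDetails details, AccessTokenRequest parameters)
        throws UserRedirectRequiredException, UserApprovalRequiredException, AccessDeniedException {
        // An existing token that has expired is exchanged through the refresh path
        if (parameters.getExistingToken() != null && parameters.getExistingToken().isExpired()) {
            return refreshAccessToken(details, parameters.getExistingToken().getRefreshToken(), parameters);
        }

        // Otherwise a new access token has to be requested (left as a placeholder)
        OAuth2AccessToken retrievedAccessToken = null;
        //TODO access token retrieval
        return retrievedAccessToken;
    }

    @Override
    public boolean supportsResource(OAuth2ProtectedResourceDetails resource) {
        return false;
    }

    @Override
    public OAuth2AccessToken refreshAccessToken(OAuth2ProtectedResourceDetails resource,
                                                OAuth2RefreshToken refreshToken, AccessTokenRequest request)
        throws UserRedirectRequiredException {

        // Placeholder: exchange the refresh token for a new access token here
        OAuth2AccessToken refreshedAccessToken = null;
        //TODO refresh access token
        return refreshedAccessToken;
    }

    @Override
    public boolean supportsRefresh(OAuth2ProtectedResourceDetails resource) {
        return true;
    }
}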

Did not find a way for Spring to call the refreshAccessToken automatically, if someone knows how to do that - please share.
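One way to fill in the refresh step that the sample above leaves as a TODO, as an added example that is not code from any of the posts or from Spring. The class name RefreshGrantClient, the 30-second expiry margin, HTTP Basic client authentication, a JSON token response and Spring Framework 5.1+ (for HttpHeaders.setBasicAuth) are assumptions.

```java
import java.util.Date;
import java.util.Map;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails;
import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
import org.springframework.security.oauth2.common.DefaultOAuth2RefreshToken;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2RefreshToken;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.RestTemplate;

// Hypothetical helper (added example): performs the RFC 6749 section 6 refresh grant.
public class RefreshGrantClient {
    private static final long SKEW_MILLIS = 30_000; // assumed safety margin before expiry
    private final RestTemplate http = new RestTemplate();

    // True when the token is expired or will expire within the skew window.
    public boolean needsRefresh(OAuth2AccessToken token) {
        Date exp = token.getExpiration();
        return exp != null && exp.getTime() - System.currentTimeMillis() <= SKEW_MILLIS;
    }

    public OAuth2AccessToken refresh(OAuth2ProtectedResourceDetails resource, OAuth2RefreshToken current) {
        if (current == null) { // no refresh token was issued: a new authorization is required
            throw new IllegalStateException("No refresh token available");
        }
        HttpHeaders headers = new HttpHeaders();
        headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
        headers.setBasicAuth(resource.getClientId(), resource.getClientSecret()); // assumed client auth scheme
        MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
        form.add("grant_type", "refresh_token");
        form.add("refresh_token", current.getValue());
        Map<?, ?> body = http.postForObject(resource.getAccessTokenUri(), new HttpEntity<>(form, headers), Map.class);
        if (body == null || !(body.get("access_token") instanceof String)) {
            throw new IllegalStateException("Token endpoint returned no access_token"); // fail closed
        }
        DefaultOAuth2AccessToken token = new DefaultOAuth2AccessToken((String) body.get("access_token"));
        if (body.get("expires_in") instanceof Number) {
            token.setExpiration(new Date(System.currentTimeMillis() + ((Number) body.get("expires_in")).longValue() * 1000L));
        }
        // The server may rotate the refresh token; otherwise keep using the current one.
        Object rotated = body.get("refresh_token");
        token.setRefreshToken(rotated instanceof String ? new DefaultOAuth2RefreshToken((String) rotated) : current);
        return token;
    }
}
```

The refreshAccessToken method of the sample provider can delegate to refresh(resource, refreshToken), and obtainAccessToken can call needsRefresh instead of isExpired so a token is not sent moments before it lapses. Exception messages here deliberately contain no token values, which keeps them out of logs.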

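Notice: Technical posts on this site follow the CC BY-SA 4.0 license. If you repost, please cite this site's URL or the original address. For any questions contact: yoyou2525@163.com.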

 
© 2020-2024 STACKOOM.COM