How to refresh OAuth2 token with Spring Security 5 OAuth2 client and RestTemplate
Spring Security 5.1.0.M2 (release notes) added support for automatic refreshing of tokens when using WebClient. However, I am using RestTemplate. Is there a similar mechanism for RestTemplate or do I need to implement that behavior myself?

The OAuth2RestTemplate class looks promising but it's from the separate Spring Security OAuth module and I would like to use plain Spring Security 5.1 on the client if possible.

OAuth2RestTemplate will refresh tokens automatically. RestTemplate will not (refresh tokens is part of the OAuth2 spec, hence the OAuth2RestTemplate).
You have 2 options:
Spring's OAuth2 module will be integrated into Spring Security in the future. I would go for option 1.

OAuth2RestTemplate should be used instead of RestTemplate when JWT authentication is required. You can set AccessTokenProvider to it, which will tell how the JWT token will be retrieved:

oAuth2RestTemplate.setAccessTokenProvider(new MyAccessTokenProvider());

In the class implementing AccessTokenProvider you need to implement the obtainAccessToken and refreshAccessToken methods. So in the obtainAccessToken method it can be checked if the token is expired, and if it is - the token is retrieved through refreshAccessToken. Sample implementation (without the details of actual token retrieval and refreshing):
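
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails;
import org.springframework.security.oauth2.client.resource.UserApprovalRequiredException;
import org.springframework.security.oauth2.client.resource.UserRedirectRequiredException;
import org.springframework.security.oauth2.client.token.AccessTokenProvider;
import org.springframework.security.oauth2.client.token.AccessTokenRequest;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2RefreshToken;

public class MyAccessTokenProvider implements AccessTokenProvider {

    @Override
    public OAuth2AccessToken obtainAccessToken(OAuth2ProtectedResourceDetails details, AccessTokenRequest parameters)
            throws UserRedirectRequiredException, UserApprovalRequiredException, AccessDeniedException {
        // If a token is already held but has expired, exchange its refresh token for a new one.
        if (parameters.getExistingToken() != null && parameters.getExistingToken().isExpired()) {
            return refreshAccessToken(details, parameters.getExistingToken().getRefreshToken(), parameters);
        }
        OAuth2AccessToken retrievedAccessToken = null;
        // TODO access token retrieval
        return retrievedAccessToken;
    }

    @Override
    public boolean supportsResource(OAuth2ProtectedResourceDetails resource) {
        return false;
    }

    @Override
    public OAuth2AccessToken refreshAccessToken(OAuth2ProtectedResourceDetails resource,
            OAuth2RefreshToken refreshToken, AccessTokenRequest request)
            throws UserRedirectRequiredException {
        OAuth2AccessToken refreshedAccessToken = null;
        // TODO refresh access token
        return refreshedAccessToken;
    }

    @Override
    public boolean supportsRefresh(OAuth2ProtectedResourceDetails resource) {
        return true;
    }
}
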
Did not find a way for Spring to call refreshAccessToken automatically, if someone knows how to do that - please share.
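
The refresh step the answers above leave open, as an added example (not code from the original posts or from Spring): a holder that renews the token through the refresh_token grant with a plain RestTemplate. The class name RefreshingTokenHolder, the 30-second skew, a confidential client authenticating with HTTP Basic at the token endpoint, and Jackson on the classpath for the JSON response are all assumptions.

```java
import java.time.Instant;
import java.util.Map;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.RestTemplate;

/** Hypothetical helper: keeps one token pair fresh via the refresh_token grant (RFC 6749, section 6). */
public class RefreshingTokenHolder {
    private static final long SKEW_SECONDS = 30; // renew early to absorb clock drift and latency
    private final RestTemplate rest = new RestTemplate();
    private final String tokenUri, clientId, clientSecret; // assumed: confidential client
    private String accessToken, refreshToken;
    private Instant expiresAt;
    public RefreshingTokenHolder(String tokenUri, String clientId, String clientSecret,
                                 String accessToken, String refreshToken, Instant expiresAt) {
        this.tokenUri = tokenUri; this.clientId = clientId; this.clientSecret = clientSecret;
        this.accessToken = accessToken; this.refreshToken = refreshToken; this.expiresAt = expiresAt;
    }
    /** Call before every request and put the result in the Authorization: Bearer header. */
    public synchronized String currentAccessToken() {
        if (!Instant.now().isBefore(expiresAt.minusSeconds(SKEW_SECONDS))) {
            refresh();
        }
        return accessToken;
    }

    private void refresh() {
        HttpHeaders headers = new HttpHeaders();
        headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
        headers.setBasicAuth(clientId, clientSecret); // secret goes in the header, never in the URL
        MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
        form.add("grant_type", "refresh_token");
        form.add("refresh_token", refreshToken);
        // A 4xx here (e.g. invalid_grant) throws HttpClientErrorException: re-authorize from scratch.
        Map<?, ?> body = rest.postForObject(tokenUri, new HttpEntity<>(form, headers), Map.class);
        if (body == null || !(body.get("access_token") instanceof String)) {
            throw new IllegalStateException("token endpoint returned no access_token");
        }
        accessToken = (String) body.get("access_token");
        if (body.get("refresh_token") instanceof String) { // server rotated the refresh token
            refreshToken = (String) body.get("refresh_token");
        }
        Object ttl = body.get("expires_in"); // optional in the spec; if absent, refresh on next call
        expiresAt = Instant.now().plusSeconds(ttl instanceof Number ? ((Number) ttl).longValue() : 0);
    }
}
```

The method is synchronized so that concurrent callers do not send the same refresh token twice, which matters when the authorization server rotates refresh tokens and rejects reuse.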