[英]Spring OAuth2 server cannot refresh token with Resource owner credentials (password) grant flow
I have configured an OAuth2 authorisation server with spring security oauth, using jwt tokens:我已经使用 jwt 令牌配置了一个带有 spring security oauth 的 OAuth2 授权服务器:
@Configuration
@EnableAuthorizationServer
public class OAuth2AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
...
@Override
public void configure(final ClientDetailsServiceConfigurer clients) throws Exception {
clients.jdbc(dataSource).passwordEncoder(passwordEncoder);
}
@Bean
public ApprovalStore approvalStore() {
return new JdbcApprovalStore(dataSource);
}
@Bean
public TokenStore tokenStore() {
var jwtTokenStore = new JwtTokenStore(tokenConverter());
jwtTokenStore.setApprovalStore(approvalStore());
return jwtTokenStore;
}
@Bean
public JwtAccessTokenConverter tokenConverter() {
var converter = new JwtAccessTokenConverter();
var keyStoreKeyFactory = new KeyStoreKeyFactory(new ClassPathResource(jwtKeyStore), jwtKeyPass.toCharArray());
converter.setKeyPair(keyStoreKeyFactory.getKeyPair("jwtkey"));
return converter;
}
}
There is a client that has password
and refresh_token
grants.有一个具有
password
和refresh_token
授权的客户端。 I can get access and refresh tokens with the following request:我可以通过以下请求获取访问和刷新令牌:
curl --request POST \
--url 'http://localhost:8080/oauth/token?grant_type=password&scope=read' \
--header 'authorization: Basic <xxxxxxx>' \
--header 'content-type: application/x-www-form-urlencoded' \
--data 'username=xxxxxxx&password=xxxxxxx'
Response:回复:
{
"access_token": "<long access token>",
"token_type": "bearer",
"refresh_token": "<long refresh token>",
"expires_in": 599,
"scope": "read",
"subject": "xxx",
"jti": "xxx"
}
However, when I try to refresh the token, I get an error Invalid refresh token
.但是,当我尝试刷新令牌时,出现错误
Invalid refresh token
。 Further debugging into Spring codes I see that on the first request, it doesn't insert a row into oauth_approvals
table.进一步调试 Spring 代码我看到,在第一个请求中,它没有在
oauth_approvals
表中插入一行。 And on the second request (refreshing the token) it thinks that the user has not approved the scope (although I have autoapprove=true
).在第二个请求(刷新令牌)时,它认为用户没有批准范围(尽管我有
autoapprove=true
)。
This is not the case with implicit
or authorization_code
grant flow: in those cases it does insert a row into oauth_approvals
table, and the token is refreshed successfully.这不是
implicit
或authorization_code
授权流的情况:在这些情况下,它确实在oauth_approvals
表中插入了一行,并且令牌被成功刷新。
Is this a bug in Spring OAuth or is there any workaround?这是 Spring OAuth 中的错误还是有任何解决方法?
After digging more into Spring's codes, I came to conclusion that this is indeed a bug there.在深入研究 Spring 的代码之后,我得出结论,这确实是一个错误。 So I extended
JdbcApprovalStore
and used that one instead.所以我扩展了
JdbcApprovalStore
并使用了那个。 Here is pseudo-code这是伪代码
public class JdbcApprovalStoreAutoApprove extends JdbcApprovalStore {
...
@Override
public List<Approval> getApprovals(String userName, String clientId) {
if (client has auto approved scopes) {
return those scopes;
}
return super.getApprovals(userName, clientId);
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.