
Spring OAuth2 server cannot refresh token with Resource owner credentials (password) grant flow

I have configured an OAuth2 authorisation server with Spring Security OAuth, using JWT tokens:

import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ClassPathResource;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.provider.approval.ApprovalStore;
import org.springframework.security.oauth2.provider.approval.JdbcApprovalStore;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;
import org.springframework.security.oauth2.provider.token.store.KeyStoreKeyFactory;

@Configuration
@EnableAuthorizationServer
public class OAuth2AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    // Assumed declarations for the fields the original elides: the data source holding the
    // oauth_* tables, the encoder for client secrets, and the location/password of the JWT key store
    // (the property names are placeholders).
    @Autowired
    private DataSource dataSource;
    @Autowired
    private PasswordEncoder passwordEncoder;
    @Value("${jwt.key-store}")
    private String jwtKeyStore;
    @Value("${jwt.key-pass}")
    private String jwtKeyPass;

    // ... (other members elided in the original)

    @Override
    public void configure(final ClientDetailsServiceConfigurer clients) throws Exception {
        // Clients (id, secret, grant types, scopes, autoapprove) are read from the oauth_client_details table
        clients.jdbc(dataSource).passwordEncoder(passwordEncoder);
    }

    @Bean
    public ApprovalStore approvalStore() {
        // Approvals are persisted in oauth_approvals; the JWT token store consults them on refresh
        return new JdbcApprovalStore(dataSource);
    }

    @Bean
    public TokenStore tokenStore() {
        var jwtTokenStore = new JwtTokenStore(tokenConverter());
        jwtTokenStore.setApprovalStore(approvalStore());
        return jwtTokenStore;
    }

    @Bean
    public JwtAccessTokenConverter tokenConverter() {
        // Tokens are signed with the key pair stored under alias "jwtkey" in the classpath key store
        var converter = new JwtAccessTokenConverter();
        var keyStoreKeyFactory = new KeyStoreKeyFactory(new ClassPathResource(jwtKeyStore), jwtKeyPass.toCharArray());
        converter.setKeyPair(keyStoreKeyFactory.getKeyPair("jwtkey"));
        return converter;
    }

}

There is a client that has password and refresh_token grants. I can get access and refresh tokens with the following request:

curl --request POST \
  --url 'http://localhost:8080/oauth/token?grant_type=password&scope=read' \
  --header 'authorization: Basic <xxxxxxx>' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data 'username=xxxxxxx&password=xxxxxxx'

Response:

{
    "access_token": "<long access token>",
    "token_type": "bearer",
    "refresh_token": "<long refresh token>",
    "expires_in": 599,
    "scope": "read",
    "subject": "xxx",
    "jti": "xxx"
}

However, when I try to refresh the token, I get the error Invalid refresh token. Debugging further into Spring's code, I see that on the first request it doesn't insert a row into the oauth_approvals table. And on the second request (refreshing the token) it thinks that the user has not approved the scope (although I have autoapprove=true).

This is not the case with the implicit or authorization_code grant flow: in those cases it does insert a row into the oauth_approvals table, and the token is refreshed successfully.

Is this a bug in Spring OAuth, or is there any workaround?

After digging more into Spring's code, I came to the conclusion that this is indeed a bug there. So I extended JdbcApprovalStore and used that one instead. Here is the pseudo-code:

public class JdbcApprovalStoreAutoApprove extends JdbcApprovalStore {
    ...  // constructor taking the DataSource (and whatever gives access to the client details) elided in the original

    @Override
    public List<Approval> getApprovals(String userName, String clientId) {
        // Pseudo-code: the client's auto-approved scopes count as approved even though
        // no row for them was ever written to oauth_approvals
        if (client has auto approved scopes) {
            return those scopes;
        }
        return super.getApprovals(userName, clientId);
    }
}
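As an added example (not code from the question or the answer), here is a concrete version of the answer's idea next to the scope check that JwtTokenStore performs when a refresh token is presented and an approval store is configured, run against an empty oauth_approvals table so the stock store and the patched store can be compared. The class name AutoApproveApprovalStore, its constructor taking the DataSource and a ClientDetailsService, the client "app" with scopes read (auto-approved) and write, and the user "alice" are all assumptions; it expects spring-security-oauth2 2.x, spring-jdbc and H2 on the classpath.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.sql.DataSource;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.datasource.embedded.EmbeddedDatabaseBuilder;
import org.springframework.jdbc.datasource.embedded.EmbeddedDatabaseType;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.approval.Approval;
import org.springframework.security.oauth2.provider.approval.ApprovalStore;
import org.springframework.security.oauth2.provider.approval.JdbcApprovalStore;
import org.springframework.security.oauth2.provider.client.BaseClientDetails;
import org.springframework.security.oauth2.provider.client.InMemoryClientDetailsService;

public class RefreshApprovalDemo {

    /** Hypothetical concrete form of the answer's pseudo-code (class name and constructor are assumptions). */
    public static class AutoApproveApprovalStore extends JdbcApprovalStore {
        private final ClientDetailsService clients;

        public AutoApproveApprovalStore(DataSource dataSource, ClientDetailsService clients) {
            super(dataSource);
            this.clients = clients;
        }

        @Override
        public List<Approval> getApprovals(String userName, String clientId) {
            ClientDetails client = clients.loadClientByClientId(clientId);
            List<Approval> auto = new ArrayList<>();
            for (String scope : client.getScope()) {
                if (client.isAutoApprove(scope)) {
                    // Far-future expiry: Approval.isApproved() also requires expiresAt to lie in the future
                    auto.add(new Approval(userName, clientId, scope, new Date(Long.MAX_VALUE),
                            Approval.ApprovalStatus.APPROVED));
                }
            }
            // As in the answer: a client that has auto-approved scopes never consults the table
            return auto.isEmpty() ? super.getApprovals(userName, clientId) : auto;
        }
    }

    /**
     * The rule JwtTokenStore applies before it accepts a refresh token: every scope of the original
     * grant must be covered by a currently approved Approval for that user and client.
     */
    public static boolean refreshAllowed(ApprovalStore store, String user, String clientId, Set<String> grantedScopes) {
        Collection<Approval> approvals = store.getApprovals(user, clientId);
        Set<String> approved = new HashSet<>();
        for (Approval a : approvals) {
            if (a.isApproved()) {
                approved.add(a.getScope());
            }
        }
        return approved.containsAll(grantedScopes);
    }

    public static void main(String[] args) {
        // Constructed sample: embedded H2 with an empty oauth_approvals table, i.e. the state the
        // question describes right after a password grant (no approval row was inserted)
        DataSource ds = new EmbeddedDatabaseBuilder().setType(EmbeddedDatabaseType.H2).build();
        new JdbcTemplate(ds).execute("create table oauth_approvals (userId varchar(256), clientId varchar(256), "
                + "scope varchar(256), status varchar(10), expiresAt timestamp, lastModifiedAt timestamp)");

        // Hypothetical client "app": password and refresh_token grants, "read" auto-approved, "write" not
        BaseClientDetails app = new BaseClientDetails("app", null, "read,write", "password,refresh_token", null);
        app.setAutoApproveScopes(Collections.singleton("read"));
        InMemoryClientDetailsService clients = new InMemoryClientDetailsService();
        clients.setClientDetailsStore(Collections.singletonMap("app", app));

        ApprovalStore stock = new JdbcApprovalStore(ds);
        ApprovalStore patched = new AutoApproveApprovalStore(ds, clients);

        Set<String> read = Collections.singleton("read");
        Set<String> write = Collections.singleton("write");
        // Stock store: the table is empty, so even the auto-approved scope is refused on refresh
        System.out.println("stock store,   scope=read : " + refreshAllowed(stock, "alice", "app", read));
        // Patched store: the auto-approved scope refreshes; a scope nobody approved still does not
        System.out.println("patched store, scope=read : " + refreshAllowed(patched, "alice", "app", read));
        System.out.println("patched store, scope=write: " + refreshAllowed(patched, "alice", "app", write));
    }
}
```

In the question's configuration the approvalStore() bean would return the patched class instead of JdbcApprovalStore, taking the ClientDetailsService as a constructor argument. Two properties of the rule are worth knowing before adopting it: auto-approved scopes are reported as approved whatever the table says, so revoking approvals through the store no longer affects them for that client, and a client that has any auto-approved scope never reaches the table at all, so a scope of that client which the user approved interactively would still be refused on refresh.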
