I'm using Spring+Oauth2 to secure a web sevice and I've added a custom grant type (custom-grant):
<bean id="myTokenGranter" class="com.example.oauth2.MyTokenGranter" />
<oauth:authorization-server client-details-service-ref="client-details-service" token-services-ref="tokenServices">
<oauth:refresh-token/>
<oauth:password/>
<oauth:custom-grant token-granter-ref="myTokenGranter" />
</oauth:authorization-server>
Spring calls implementation just fine. However I don't know how I should actually generate a token here. I see that they use a class called "RandomValueStringGenerator" but I'm not sure if there's no better way, moreover I don't know how to generate a "good" token as how long it should be or if spring checks the token's uniqueness actually etc. Is there a way I can call Spring's own generator part here?
Here is my tokengranter class now:
public class MyTokenGranter implements TokenGranter {
private RandomValueStringGenerator generator = new RandomValueStringGenerator();
@Override
public OAuth2AccessToken grant(String grantType, TokenRequest tokenRequest) {
//...logic added here later
return new DefaultOAuth2AccessToken(generator.generate());
}
}
I can't find a good example of this and there is only a half-implemented test tokengranter in spring ouath2 sources.
Okay, so this can be done with org.springframework.security.oauth2.provider.token.AbstractTokenGranter actually, either by copying it or trying to pass the proper constructors. I just post it for anyone who has the same problem. You can also extend AbstractTokenGranter but I failed to pass the proper constructors
Here is my implementation:
public class MyTokenGranter implements TokenGranter {
@Autowired
private AuthorizationServerTokenServices tokenService;
@Autowired
private ClientDetailsService clientDetailsService;
@Autowired
private DefaultOAuth2RequestFactory defaultOauth2RequestFactory;
private String grantType;
@Override
public OAuth2AccessToken grant(String grantType, TokenRequest tokenRequest) {
if (!this.grantType.equals(grantType)) {
return null;
}
String clientId = tokenRequest.getClientId();
ClientDetails client = clientDetailsService.loadClientByClientId(clientId);
validateGrantType(grantType, client);
return getAccessToken(client, tokenRequest);
}
protected OAuth2AccessToken getAccessToken(ClientDetails client, TokenRequest tokenRequest) {
return tokenService.createAccessToken(getOAuth2Authentication(client, tokenRequest));
}
protected OAuth2Authentication getOAuth2Authentication(ClientDetails client, TokenRequest tokenRequest) {
OAuth2Request storedOAuth2Request = defaultOauth2RequestFactory.createOAuth2Request(client, tokenRequest);
return new OAuth2Authentication(storedOAuth2Request, null);
}
protected void validateGrantType(String grantType, ClientDetails clientDetails) {
Collection<String> authorizedGrantTypes = clientDetails.getAuthorizedGrantTypes();
if (authorizedGrantTypes != null && !authorizedGrantTypes.isEmpty()
&& !authorizedGrantTypes.contains(grantType)) {
throw new InvalidClientException("Unauthorized grant type: " + grantType);
}
}
public String getGrantType() {
return grantType;
}
public void setGrantType(String grantType) {
this.grantType = grantType;
}
}
Xml config:
<bean id="myTokenGranter" class="com.example.MyTokenGranter">
<property name="grantType" value="custom-grant" />
</bean>
<oauth:authorization-server client-details-service-ref="clientDetailsService" token-services-ref="tokenServices">
<oauth:refresh-token/>
<oauth:password/>
<oauth:custom-grant token-granter-ref="myTokenGranter" />
</oauth:authorization-server>
More just an FYI but the constructor-arg can be used if you extend the AbstractTokenGranter. For example:
public class MyTokenGranter extends AbstractTokenGranter
{
private static final String GRANT_TYPE = "custom-grant";
protected MyTokenGranter(
AuthorizationServerTokenServices tokenServices,
ClientDetailsService clientDetailsService )
{
super( tokenServices, clientDetailsService, GRANT_TYPE );
}
@Override
protected OAuth2Authentication getOAuth2Authentication(AuthorizationRequest clientToken)
{
throw new RuntimeException( "Not implemented" );
}
}
and
<bean id="myTokenGranter" class="com.example.MyTokenGranter">
<constructor-arg ref="tokenServices"/>
<constructor-arg ref="clientDetailsService"/>
</bean>
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.