stackoom
  简体   繁体   中英

Spring Security and OAuth2 generate token with custom grant type

 原文  2015-03-13 14:01:22       java/ spring/ spring-security/ spring-security-oauth2

Question

I'm using Spring+Oauth2 to secure a web sevice and I've added a custom grant type (custom-grant): 

<bean id="myTokenGranter" class="com.example.oauth2.MyTokenGranter" />

<oauth:authorization-server client-details-service-ref="client-details-service" token-services-ref="tokenServices">
    <oauth:refresh-token/>
    <oauth:password/>
    <oauth:custom-grant token-granter-ref="myTokenGranter" />
</oauth:authorization-server>

Spring calls implementation just fine. However I don't know how I should actually generate a token here. I see that they use a class called "RandomValueStringGenerator" but I'm not sure if there's no better way, moreover I don't know how to generate a "good" token as how long it should be or if spring checks the token's uniqueness actually etc. Is there a way I can call Spring's own generator part here?

Here is my tokengranter class now: 

public class MyTokenGranter implements TokenGranter {

private RandomValueStringGenerator generator = new RandomValueStringGenerator();

@Override
public OAuth2AccessToken grant(String grantType, TokenRequest tokenRequest) {
    //...logic added here later
    return new DefaultOAuth2AccessToken(generator.generate());
}

}

I can't find a good example of this and there is only a half-implemented test tokengranter in spring ouath2 sources.

2 answers

solution1
 1  2015-03-13 14:44:26

Okay, so this can be done with org.springframework.security.oauth2.provider.token.AbstractTokenGranter actually, either by copying it or trying to pass the proper constructors. I just post it for anyone who has the same problem. You can also extend AbstractTokenGranter but I failed to pass the proper constructors

Here is my implementation: 

public class MyTokenGranter implements TokenGranter {

@Autowired
private AuthorizationServerTokenServices tokenService;

@Autowired
private ClientDetailsService clientDetailsService;

@Autowired
private DefaultOAuth2RequestFactory defaultOauth2RequestFactory;

private String grantType;

@Override
public OAuth2AccessToken grant(String grantType, TokenRequest tokenRequest) {
    if (!this.grantType.equals(grantType)) {
        return null;
    }
    String clientId = tokenRequest.getClientId();
    ClientDetails client = clientDetailsService.loadClientByClientId(clientId);
    validateGrantType(grantType, client);
    return getAccessToken(client, tokenRequest);
}

protected OAuth2AccessToken getAccessToken(ClientDetails client, TokenRequest tokenRequest) {
    return tokenService.createAccessToken(getOAuth2Authentication(client, tokenRequest));
}

protected OAuth2Authentication getOAuth2Authentication(ClientDetails client, TokenRequest tokenRequest) {
    OAuth2Request storedOAuth2Request = defaultOauth2RequestFactory.createOAuth2Request(client, tokenRequest);
    return new OAuth2Authentication(storedOAuth2Request, null);
}

protected void validateGrantType(String grantType, ClientDetails clientDetails) {
    Collection<String> authorizedGrantTypes = clientDetails.getAuthorizedGrantTypes();
    if (authorizedGrantTypes != null && !authorizedGrantTypes.isEmpty()
            && !authorizedGrantTypes.contains(grantType)) {
        throw new InvalidClientException("Unauthorized grant type: " + grantType);
    }
}

public String getGrantType() {
    return grantType;
}

public void setGrantType(String grantType) {
    this.grantType = grantType;
}

}

Xml config: 

<bean id="myTokenGranter" class="com.example.MyTokenGranter">
  <property name="grantType" value="custom-grant" />
</bean>
<oauth:authorization-server client-details-service-ref="clientDetailsService" token-services-ref="tokenServices">
    <oauth:refresh-token/>
    <oauth:password/>
    <oauth:custom-grant token-granter-ref="myTokenGranter" />
</oauth:authorization-server>

solution2
 0  2015-11-17 21:41:40

More just an FYI but the constructor-arg can be used if you extend the AbstractTokenGranter. For example: 

public class MyTokenGranter extends AbstractTokenGranter
{
    private static final String GRANT_TYPE = "custom-grant";

    protected MyTokenGranter(
            AuthorizationServerTokenServices tokenServices,
            ClientDetailsService clientDetailsService )
    {
        super( tokenServices, clientDetailsService, GRANT_TYPE );
    }

    @Override
    protected OAuth2Authentication getOAuth2Authentication(AuthorizationRequest clientToken) 
    {
        throw new RuntimeException( "Not implemented" );
    }
}

and 

<bean id="myTokenGranter" class="com.example.MyTokenGranter">
    <constructor-arg ref="tokenServices"/>
    <constructor-arg ref="clientDetailsService"/>
</bean>

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Spring security Oauth2 token error: “Missing grant type” Spring security oauth2 : grant_type=password Authentication Spring OAuth2 custom grant type autowiring a class returns null oAuth2 client with password grant in Spring Security Spring Security 5 Spring MVC Oauth 2 Password grant type not returning token with /oauth/token Spring Boot 2 Spring-Security 5 OAuth2 support for client_credentials grant_type Spring generate oauth2 access token programmatically grant_type in Spring-Security-OAuth2 Using my custom External Login with spring boot oauth2 (authorization grant type)? Spring Security OAuth2 custom success user
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM