
OAuth2 refresh_token logic implementation in spring-security-oauth2

I have successfully implemented the request for a new token in OAuth2 with this request:

curl --request POST --url https://some-autentication-server.com/token --header 'content-type: content-type'

with the body provided as:

{
  "grant_type": "password",
  "username": "username",
  "password": "password",
  "client_id": "my-client-id"
}

After authentication, the resource server can be reached with curl like this:

curl -i -H "authorization: Bearer token-received-from-auth-server" \
-H "accept: application/json" \
-H "request-id: abcdef" \
-H "consent-status: optedIn" \
-X GET https://my-resource-server.com/path

The configuration I am using in Spring Boot is this:

import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

import org.apache.http.HttpHost;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Scope;
import org.springframework.context.annotation.ScopedProxyMode;
import org.springframework.http.client.ClientHttpRequestFactory;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.security.oauth2.client.DefaultOAuth2ClientContext;
import org.springframework.security.oauth2.client.OAuth2RestOperations;
import org.springframework.security.oauth2.client.OAuth2RestTemplate;
import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails;
import org.springframework.security.oauth2.client.token.AccessTokenProvider;
import org.springframework.security.oauth2.client.token.AccessTokenProviderChain;
import org.springframework.security.oauth2.client.token.AccessTokenRequest;
import org.springframework.security.oauth2.client.token.DefaultAccessTokenRequest;
import org.springframework.security.oauth2.client.token.grant.password.ResourceOwnerPasswordAccessTokenProvider;
import org.springframework.security.oauth2.client.token.grant.password.ResourceOwnerPasswordResourceDetails;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableOAuth2Client;

@EnableOAuth2Client
@Configuration
public class OauthClientConfig {

    // Apache HttpClient routed through an outbound proxy; the Spring request factory below wraps it
    @Bean
    public CloseableHttpClient httpClient() {
        return HttpClientBuilder.create()
                .setProxy(new HttpHost("PROXY_HOST_NAME", 3000, "http"))
                .build();
    }

    @Bean
    public ClientHttpRequestFactory clientHttpRequestFactory(CloseableHttpClient httpClient) {
        HttpComponentsClientHttpRequestFactory factory = new HttpComponentsClientHttpRequestFactory(httpClient);
        factory.setReadTimeout(10000);
        factory.setConnectTimeout(10000);
        return factory;
    }

    // Session-scoped so every user session keeps its own OAuth2ClientContext, and therefore its own token
    @Bean
    @Qualifier("restTemplate")
    @Scope(value = "session", proxyMode = ScopedProxyMode.INTERFACES)
    public OAuth2RestOperations restTemplate(OAuth2ProtectedResourceDetails oAuth2Resource,
            ClientHttpRequestFactory clientHttpRequestFactory, AccessTokenProvider accessTokenProvider) {
        Map<String, String[]> map = new HashMap<>();
        AccessTokenRequest tokenRequest = new DefaultAccessTokenRequest(map);
        OAuth2RestTemplate restTemplate = new OAuth2RestTemplate(oAuth2Resource,
                new DefaultOAuth2ClientContext(tokenRequest));
        restTemplate.setRequestFactory(clientHttpRequestFactory);
        restTemplate.setAccessTokenProvider(accessTokenProvider);
        return restTemplate;
    }

    @Bean
    public AccessTokenProvider accessTokenProvider(ClientHttpRequestFactory clientHttpRequestFactory,
            OAuth2ProtectedResourceDetails oAuth2Resource) {
        ResourceOwnerPasswordAccessTokenProvider accessTokenProvider = new ResourceOwnerPasswordAccessTokenProvider();
        // supportsRefresh() is a boolean query, not a setter: this call has no effect on the provider
        accessTokenProvider.supportsRefresh(oAuth2Resource);
        accessTokenProvider.setRequestFactory(clientHttpRequestFactory);
        return new AccessTokenProviderChain(Arrays.<AccessTokenProvider>asList(accessTokenProvider));
    }

    @Bean
    @Qualifier("oAuth2Resource")
    public OAuth2ProtectedResourceDetails oAuth2Resource() {
        ResourceOwnerPasswordResourceDetails oAuth2Resource = new ResourceOwnerPasswordResourceDetails();
        oAuth2Resource.setId("MY_ID");
        oAuth2Resource.setAccessTokenUri("TOKEN_URL");
        oAuth2Resource.setClientId("TOKEN_CLIENTID");
        oAuth2Resource.setClientSecret("TOKEN_CLIENT_SECRET");
        oAuth2Resource.setScope(new ArrayList<String>(Arrays.asList("read")));
        oAuth2Resource.setUsername("TOKEN_USERNAME");
        oAuth2Resource.setPassword("TOKEN_PAZZWORD");
        oAuth2Resource.setTokenName("access_token");
        oAuth2Resource.setGrantType("password");
        return oAuth2Resource;
    }
}

This works fine for new token requests, but now I want to be able to write the logic that implements refresh_token. Ideally, I would like to store the token before it expires, and once the token reaches roughly 90% of its expiry time, the refresh-token logic would run against the authentication server to refresh it. The refresh-token logic would always run in the background. My question is: how do I implement this logic with the spring-security-oauth2 library? Is this logic already implemented in the library, or do I have to write it by hand myself?

I would like to store the token before it expires, and once the token reaches roughly 90% of its expiry time, the refresh-token logic would run against the authentication server to refresh it.

That is not what the OAuth RFC asks for.
https://tools.ietf.org/html/rfc6749#section-1.5

A refresh token is used to obtain a new token only when the client receives an error from the resource server saying that the previous token is invalid. See steps E to G in the link above.

Spring OAuth 2.0 supports following the OAuth flow. Here is a blog post I found on this
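The following is an added example, not code from the question or the answer above, that shows where the refresh_token grant the question asks about already lives in spring-security-oauth2 2.x, and how the "refresh at about 90% of the lifetime" idea from the question can be layered on top of it without reimplementing the grant. With the question's wiring, OAuth2RestTemplate.getAccessToken() only re-acquires a token when the token held in the OAuth2ClientContext reports isExpired(); it then calls AccessTokenProviderChain.obtainAccessToken(), which, given an expired existing token that carries a refresh token, calls refreshAccessToken(), and ResourceOwnerPasswordAccessTokenProvider posts grant_type=refresh_token to the token endpoint for it. If there is no refresh token the chain falls back to a fresh password grant, and if the resource server rejects the token with 401 the template clears the context token and retries once (the reactive path the answer describes). What the library does not do is refresh early, so the decorator below shortens the expiry that each issued token advertises to the library. EarlyRefreshAccessTokenProvider and passwordGrantProviderWithEarlyRefresh are names introduced here, and the assumed library is spring-security-oauth2 2.x.

```java
import java.util.Collections;
import java.util.Date;

import org.springframework.http.client.ClientHttpRequestFactory;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails;
import org.springframework.security.oauth2.client.resource.UserApprovalRequiredException;
import org.springframework.security.oauth2.client.resource.UserRedirectRequiredException;
import org.springframework.security.oauth2.client.token.AccessTokenProvider;
import org.springframework.security.oauth2.client.token.AccessTokenProviderChain;
import org.springframework.security.oauth2.client.token.AccessTokenRequest;
import org.springframework.security.oauth2.client.token.grant.password.ResourceOwnerPasswordAccessTokenProvider;
import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2RefreshToken;

/**
 * Hypothetical decorator (not part of spring-security-oauth2) around an AccessTokenProvider,
 * normally an AccessTokenProviderChain. Every token it hands out advertises an expiry at
 * `fraction` of the real remaining lifetime. OAuth2RestTemplate only re-acquires when the
 * context token isExpired(), and AccessTokenProviderChain only issues a refresh_token grant
 * when the existing token isExpired() and still has a refresh token, so shortening the
 * advertised expiry is what makes the library's own refresh fire at, say, 90% of the lifetime.
 */
public class EarlyRefreshAccessTokenProvider implements AccessTokenProvider {

    private final AccessTokenProvider delegate;
    private final double fraction;

    public EarlyRefreshAccessTokenProvider(AccessTokenProvider delegate, double fraction) {
        if (fraction <= 0.0 || fraction > 1.0) {
            throw new IllegalArgumentException("fraction must be in (0, 1]");
        }
        this.delegate = delegate;
        this.fraction = fraction;
    }

    @Override
    public OAuth2AccessToken obtainAccessToken(OAuth2ProtectedResourceDetails details, AccessTokenRequest parameters)
            throws UserRedirectRequiredException, UserApprovalRequiredException, AccessDeniedException {
        // The chain decides between reusing, refreshing or re-issuing; we only rewrite what it returns.
        return shortenExpiry(delegate.obtainAccessToken(details, parameters));
    }

    @Override
    public OAuth2AccessToken refreshAccessToken(OAuth2ProtectedResourceDetails resource, OAuth2RefreshToken refreshToken,
            AccessTokenRequest request) throws UserRedirectRequiredException {
        return shortenExpiry(delegate.refreshAccessToken(resource, refreshToken, request));
    }

    @Override
    public boolean supportsResource(OAuth2ProtectedResourceDetails resource) {
        return delegate.supportsResource(resource);
    }

    @Override
    public boolean supportsRefresh(OAuth2ProtectedResourceDetails resource) {
        return delegate.supportsRefresh(resource);
    }

    /** Copy the token (value, scope, type and refresh token are preserved) with an earlier expiry. */
    OAuth2AccessToken shortenExpiry(OAuth2AccessToken token) {
        if (token == null || token.getExpiration() == null) {
            return token; // no expires_in from the server: nothing to bring forward
        }
        long now = System.currentTimeMillis();
        long remainingMs = token.getExpiration().getTime() - now;
        if (remainingMs <= 0) {
            return token; // already expired; the chain will refresh on the next call anyway
        }
        DefaultOAuth2AccessToken copy = new DefaultOAuth2AccessToken(token);
        copy.setExpiration(new Date(now + (long) (remainingMs * fraction)));
        return copy;
    }

    /**
     * Drop-in replacement for the accessTokenProvider() bean in the question's configuration:
     * the password provider does the HTTP work, the chain does the reuse/refresh/re-issue decision,
     * and the decorator brings the refresh forward to `fraction` of the lifetime (0.9 for 90%).
     */
    public static AccessTokenProvider passwordGrantProviderWithEarlyRefresh(ClientHttpRequestFactory requestFactory,
            double fraction) {
        ResourceOwnerPasswordAccessTokenProvider password = new ResourceOwnerPasswordAccessTokenProvider();
        password.setRequestFactory(requestFactory);
        return new EarlyRefreshAccessTokenProvider(
                new AccessTokenProviderChain(Collections.singletonList(password)), fraction);
    }
}
```

Two caveats a practitioner should keep in mind. First, the refresh is still lazy: it happens on the next call through the OAuth2RestTemplate, not on a timer, and with a session-scoped template there is no session context for a background thread to use, so "always running in the background" is not something this wiring gives you. Second, the shortened expiry exists only in the client's view; the authorization server still treats the old access token as valid until its real expiry, so the early refresh is a usability measure, not a revocation.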

