
Implementing OAuth2 refresh_token logic with spring-security-oauth2


I have successfully implemented the new-token request in OAuth2 for this request:

curl --request POST --url https://some-autentication-server.com/token --header 'content-type: content-type'

with the body provided as:

{
  "grant_type": "password",
  "username": "username",
  "password": "password",
  "client_id": "my-client-id"
}

After authentication, the resource server can be accessed with curl:

curl -i -H "authorization: Bearer token-received-from-auth-server" \
-H "accept: application/json" \
-H "request-id: abcdef" \
-H "consent-status: optedIn" \
-X GET https://my-resource-server.com/path

The configuration I am using in Spring Boot is this:

import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

import org.apache.http.HttpHost;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Scope;
import org.springframework.context.annotation.ScopedProxyMode;
import org.springframework.http.client.ClientHttpRequestFactory;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.security.oauth2.client.DefaultOAuth2ClientContext;
import org.springframework.security.oauth2.client.OAuth2RestOperations;
import org.springframework.security.oauth2.client.OAuth2RestTemplate;
import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails;
import org.springframework.security.oauth2.client.token.AccessTokenProvider;
import org.springframework.security.oauth2.client.token.AccessTokenProviderChain;
import org.springframework.security.oauth2.client.token.AccessTokenRequest;
import org.springframework.security.oauth2.client.token.DefaultAccessTokenRequest;
import org.springframework.security.oauth2.client.token.grant.password.ResourceOwnerPasswordAccessTokenProvider;
import org.springframework.security.oauth2.client.token.grant.password.ResourceOwnerPasswordResourceDetails;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableOAuth2Client;

@EnableOAuth2Client
@Configuration
public class OauthClientConfig {

    // Outbound HTTP client; token requests and resource calls both go through the proxy
    @Bean
    public CloseableHttpClient httpClient() {
        return HttpClientBuilder.create()
                .setProxy(new HttpHost("PROXY_HOST_NAME", 3000, "http"))
                .build();
    }

    // Request factory shared by the OAuth2RestTemplate and the token provider,
    // with explicit timeouts so a hanging auth server cannot block a request thread forever
    @Bean
    public ClientHttpRequestFactory clientHttpRequestFactory(CloseableHttpClient httpClient) {
        HttpComponentsClientHttpRequestFactory factory = new HttpComponentsClientHttpRequestFactory(httpClient);
        factory.setReadTimeout(10000);
        factory.setConnectTimeout(10000);
        return factory;
    }

    // One OAuth2RestTemplate per HTTP session; the DefaultOAuth2ClientContext it owns
    // caches the access token (and the refresh token that came with it) between calls
    @Bean
    @Qualifier("restTemplate")
    @Scope(value = "session", proxyMode = ScopedProxyMode.INTERFACES)
    public OAuth2RestOperations restTemplate(OAuth2ProtectedResourceDetails oAuth2Resource,
            ClientHttpRequestFactory clientHttpRequestFactory, AccessTokenProvider accessTokenProvider) {

        Map<String, String[]> map = new HashMap<>();
        AccessTokenRequest tokenRequest = new DefaultAccessTokenRequest(map);
        OAuth2RestTemplate restTemplate = new OAuth2RestTemplate(oAuth2Resource,
                new DefaultOAuth2ClientContext(tokenRequest));
        restTemplate.setRequestFactory(clientHttpRequestFactory);
        restTemplate.setAccessTokenProvider(accessTokenProvider);
        return restTemplate;
    }

    // Provider chain used to obtain (and refresh) tokens for the password grant
    @Bean
    public AccessTokenProvider accessTokenProvider(ClientHttpRequestFactory clientHttpRequestFactory,
            OAuth2ProtectedResourceDetails oAuth2Resource) {
        ResourceOwnerPasswordAccessTokenProvider accessTokenProvider = new ResourceOwnerPasswordAccessTokenProvider();
        // supportsRefresh() is a query returning a boolean; its result is discarded here,
        // so this call neither enables nor disables refresh behaviour
        accessTokenProvider.supportsRefresh(oAuth2Resource);
        accessTokenProvider.setRequestFactory(clientHttpRequestFactory);
        return new AccessTokenProviderChain(Arrays.<AccessTokenProvider>asList(accessTokenProvider));
    }

    // Resource owner password credentials and the token endpoint to send them to
    @Bean
    @Qualifier("oAuth2Resource")
    public OAuth2ProtectedResourceDetails oAuth2Resource() {
        ResourceOwnerPasswordResourceDetails oAuth2Resource = new ResourceOwnerPasswordResourceDetails();
        oAuth2Resource.setId("MY_ID");
        oAuth2Resource.setAccessTokenUri("TOKEN_URL");
        oAuth2Resource.setClientId("TOKEN_CLIENTID");
        oAuth2Resource.setClientSecret("TOKEN_CLIENT_SECRET");
        oAuth2Resource.setScope(new ArrayList<String>(Arrays.asList(new String[]{"read"})));
        oAuth2Resource.setUsername("TOKEN_USERNAME");
        oAuth2Resource.setPassword("TOKEN_PAZZWORD");
        oAuth2Resource.setTokenName("access_token");
        oAuth2Resource.setGrantType("password");
        return oAuth2Resource;
    }
}

This works for the new-token request, but now I want to write the logic that implements refresh_token. Ideally I would like to store the token before its expiry time, and once the token reaches about 90% of its expiry time, the refresh-token logic would run against the authentication server to refresh the token. The refresh-token logic would always run in the background. My question is: how do I implement this logic with the spring-security-oauth2 library? Is this logic already implemented in the library, or do I have to write it manually myself?

1 Answer

  • 2

    I would like to store the token before its expiry time, and once the token reaches about 90% of its expiry time, the refresh-token logic would run against the authentication server to refresh the token.

    This is not according to the OAuth RFC.
    https://tools.ietf.org/html/rfc6749#section-1.5

    A refresh token is used to obtain a new token only when the client receives an error from the resource server saying the previous token is invalid. Please look at steps E to G in the link above.

    Spring OAuth 2.0 supports the flow as per OAuth. Here is a blog post I found.
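Where spring-security-oauth2's own refresh path runs, and how to pull it forward to the 90% mark the question asks for, as an added example (this is not code from the question, from the answer, or from the Spring Security OAuth project). In the library, OAuth2RestTemplate.getAccessToken() only asks the AccessTokenProvider for a token when the cached one is null or reports isExpired(), and AccessTokenProviderChain.obtainAccessToken() then calls refreshAccessToken() (grant_type=refresh_token, sent by the ResourceOwnerPasswordAccessTokenProvider in the chain) instead of repeating the password grant, provided the resource is not client-only and SecurityContextHolder holds an authenticated principal. So the built-in behaviour is reactive: it waits for expires_in to elapse. The two classes below are hypothetical: EarlyExpiringAccessToken makes isExpired() report true once an assumed fraction of the token's lifetime has passed, and EarlyRefreshAccessTokenProviderChain wraps every token it hands out, so the library's existing refresh logic fires early without a separate background thread.

```java
import java.util.Date;
import java.util.List;

import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails;
import org.springframework.security.oauth2.client.token.AccessTokenProvider;
import org.springframework.security.oauth2.client.token.AccessTokenProviderChain;
import org.springframework.security.oauth2.client.token.AccessTokenRequest;
import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2AccessToken;

/**
 * Hypothetical wrapper token: reports itself expired once a fraction of its lifetime
 * has elapsed. Both OAuth2RestTemplate.getAccessToken() and
 * AccessTokenProviderChain.obtainAccessToken() key off isExpired(), so overriding it
 * is enough to send the library down its own refresh_token path early.
 */
class EarlyExpiringAccessToken extends DefaultOAuth2AccessToken {

    private final long issuedAtMillis;
    private final double refreshAfterFraction;

    EarlyExpiringAccessToken(OAuth2AccessToken delegate, long issuedAtMillis, double refreshAfterFraction) {
        super(delegate);  // copy constructor: value, expiration, refresh token, scope, extra info
        this.issuedAtMillis = issuedAtMillis;
        this.refreshAfterFraction = refreshAfterFraction;
    }

    @Override
    public boolean isExpired() {
        return isPastRefreshPoint(System.currentTimeMillis());
    }

    /** Pure check, kept apart from the clock so it can be unit-tested with fixed times. */
    boolean isPastRefreshPoint(long nowMillis) {
        Date expiration = getExpiration();
        if (expiration == null) {
            return false;                 // server sent no expires_in: never expires client-side
        }
        long expiresAt = expiration.getTime();
        if (nowMillis >= expiresAt) {
            return true;                  // hard expiry, identical to the default implementation
        }
        long lifetime = expiresAt - issuedAtMillis;
        return lifetime > 0 && (nowMillis - issuedAtMillis) >= lifetime * refreshAfterFraction;
    }
}

/**
 * Hypothetical chain that wraps every token it returns so that it "expires" early.
 * The refresh itself is still AccessTokenProviderChain.refreshAccessToken(), which also
 * re-attaches the old refresh token when the server's refresh response omits one.
 */
public class EarlyRefreshAccessTokenProviderChain extends AccessTokenProviderChain {

    private final double refreshAfterFraction;

    public EarlyRefreshAccessTokenProviderChain(List<? extends AccessTokenProvider> chain,
            double refreshAfterFraction) {
        super(chain);
        if (refreshAfterFraction <= 0.0 || refreshAfterFraction >= 1.0) {
            throw new IllegalArgumentException("refreshAfterFraction must be in (0, 1)");
        }
        this.refreshAfterFraction = refreshAfterFraction;
    }

    @Override
    public OAuth2AccessToken obtainAccessToken(OAuth2ProtectedResourceDetails resource,
            AccessTokenRequest request) {
        OAuth2AccessToken token = super.obtainAccessToken(resource, request);
        if (token instanceof EarlyExpiringAccessToken) {
            return token;  // a still-valid cached token was reused: keep its original issue time
        }
        // Freshly obtained or refreshed token: stamp the issue time now
        return new EarlyExpiringAccessToken(token, System.currentTimeMillis(), refreshAfterFraction);
    }

    // Assumed wiring, in place of the last line of accessTokenProvider() in the question's config:
    //   return new EarlyRefreshAccessTokenProviderChain(
    //           Arrays.<AccessTokenProvider>asList(accessTokenProvider), 0.9);   // 0.9 = refresh at 90%
}
```

The check is lazy, not timer-driven: a session that sits idle through the refresh window simply refreshes on its next call, which is usually preferable to a background thread holding credentials for idle users. Two caveats carry over from the library: the chain only consults and refreshes the cached token for a non-client-only resource when SecurityContextHolder contains an authenticated principal, so a password-grant client called without one re-runs the password grant instead; and if the authorization server rejects the refresh token, OAuth2RestTemplate (with its default retryBadAccessTokens) clears the cached token and retries once, at which point the chain falls back to the password grant.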
