我想在我的网络服务中使用OAuth2验证Android应用程序。经过一些研究,我知道我应该使用/ oauth / authorize端点,它给我隐式认证。但是,在重定向到登录页面并成功登录后,服务器最终返回访问令牌。过期后,用户必须再次登录。这是我的场景中的一个问题,我想获得刷新令牌以便能够使用它,以便在旧版本过期时获取访问令牌。使用spring OAuth2可以实现这种情况吗?
答案 0 :(得分:1)
In your AuthorizationServerConfiguration you should have a TokenServices bean that is implemented by DefaultTokenServices.
defaultTokenServices.setSupportRefreshToken(true); // enable refresh tokens
Then in your client configuration, be sure to set support for refresh tokens.
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory()
.withClient("trusted-app")
.authorizedGrantTypes("password", "refresh_token")
.authorities("ROLE_TRUSTED_CLIENT")
.scopes("read", "write")
.resourceIds(resourceId)
.accessTokenValiditySeconds(accessTokenValiditySeconds)
.refreshTokenValiditySeconds(refreshTokenValiditySeconds)
.secret("secret");
}
When you request make a request to the token endpoint, it should include a refresh token.
/oauth/token?grant_type=password&username="+username+"&password="+password
This should get you a new access token
/oauth/token?grant_type=refresh_token&client_id=trusted-app&refresh_token="+refreshToken