Why does OAuth2AccessTokenSupport always send POST requests?

Time: 2017-01-16 07:56:38

Tags: spring-boot spring-security-oauth2

I am using Spring Boot + Spring Security OAuth2 to consume a RESTful OAuth2 service.

Our OAuth2 service always requires HTTP GET, but OAuth2AccessTokenSupport always sends HTTP POST.

Result:

It leads to a 405 (Method Not Allowed); the error handler is invoked.

// Excerpt from OAuth2AccessTokenSupport (spring-security-oauth2), as seen by the client.
protected OAuth2AccessToken retrieveToken(AccessTokenRequest request, OAuth2ProtectedResourceDetails resource,
        MultiValueMap<String, String> form, HttpHeaders headers) throws OAuth2AccessDeniedException {
    try {
        // Adds client credentials (e.g. Basic auth header or form fields) to the token request.
        this.authenticationHandler.authenticateTokenRequest(resource, form, headers);

        this.tokenRequestEnhancer.enhance(request, resource, form, headers);
        final AccessTokenRequest copy = request;

        // Wrap the default extractor so that a Set-Cookie header from the token endpoint is remembered.
        final ResponseExtractor<OAuth2AccessToken> delegate = getResponseExtractor();
        ResponseExtractor<OAuth2AccessToken> extractor = new ResponseExtractor<OAuth2AccessToken>() {
            @Override
            public OAuth2AccessToken extractData(ClientHttpResponse response) throws IOException {
                if (response.getHeaders().containsKey("Set-Cookie")) {
                    copy.setCookie(response.getHeaders().getFirst("Set-Cookie"));
                }
                return delegate.extractData(response);
            }
        };
        // The HTTP method used here comes from getHttpMethod(); the form values are used as URI template
        // variables, which only matters when getAccessTokenUri() has appended them as query parameters.
        return getRestTemplate().execute(getAccessTokenUri(resource, form), getHttpMethod(),
                getRequestCallback(resource, form, headers), extractor, form.toSingleValueMap());
    } catch (OAuth2Exception oe) {
        throw new OAuth2AccessDeniedException("Access token denied.", resource, oe);
    } catch (RestClientException rce) {
        throw new OAuth2AccessDeniedException("Error requesting access token.", resource, rce);
    }
}

// The method the question is about: the token request is always sent with POST.
protected HttpMethod getHttpMethod() {
    return HttpMethod.POST;
}

protected String getAccessTokenUri(OAuth2ProtectedResourceDetails resource, MultiValueMap<String, String> form) {
    String accessTokenUri = resource.getAccessTokenUri();

    if (this.logger.isDebugEnabled()) {
        this.logger.debug("Retrieving token from " + accessTokenUri);
    }

    // For GET, every form field (grant_type, username, password, ...) is appended to the URL as a
    // "key={key}" template placeholder, to be expanded by RestTemplate from form.toSingleValueMap().
    StringBuilder builder = new StringBuilder(accessTokenUri);
    String separator;
    if (getHttpMethod() == HttpMethod.GET) {
        separator = "?";
        if (accessTokenUri.contains("?")) {
            separator = "&";
        }

        for (String key : form.keySet()) {
            builder.append(separator);
            builder.append(key).append("={").append(key).append("}");
            separator = "&";
        }
    }

    return builder.toString();
}

Can anyone explain why OAuth2AccessTokenSupport always returns POST, and how to send an HTTP GET request?

1 answer:

Answer 0: (score: 0)

To enable GET requests for the token endpoint, you need to add the following to your AuthorizationServerConfigurerAdapter:

@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
    endpoints.allowedTokenEndpointRequestMethods(HttpMethod.GET, HttpMethod.POST);
}

As for why only POST by default: I think this is because a GET request may send the username and password as request parameters (which is certainly the case for the password grant). These could be visible in web server logs, whereas POST body data is not.

In fact, the OAuth2 RFC states that the client MUST use HTTP POST when requesting an access token (https://tools.ietf.org/html/rfc6749#section-3.2
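The answer above covers the server side. On the client side, the only switch is the protected getHttpMethod() shown in the question, so the following added example (not from the question, the answer, or the Spring project) overrides it in a password-grant provider subclass and shows what the page's getAccessTokenUri() then puts into the URL. It assumes the standard spring-security-oauth2 2.x classes ResourceOwnerPasswordAccessTokenProvider and OAuth2RestTemplate; the host name and credentials are constructed sample values.

```java
import org.springframework.http.HttpMethod;
import org.springframework.security.oauth2.client.OAuth2RestTemplate;
import org.springframework.security.oauth2.client.token.grant.password.ResourceOwnerPasswordAccessTokenProvider;
import org.springframework.security.oauth2.client.token.grant.password.ResourceOwnerPasswordResourceDetails;

public class GetTokenClientConfig {

    /**
     * Password-grant provider that asks the token endpoint with GET instead of POST.
     * With GET, getAccessTokenUri() from the question turns the token URI into a template like
     *   https://auth.example.test/oauth/token?grant_type={grant_type}&username={username}&password={password}
     * and RestTemplate expands it from form.toSingleValueMap(), so the grant parameters,
     * including the resource owner's password, travel in the request line rather than the body.
     * That request line is what access logs on the server and on any intermediate proxy record,
     * which is the exposure the answer above refers to and why RFC 6749 mandates POST.
     */
    public static class GetAccessTokenProvider extends ResourceOwnerPasswordAccessTokenProvider {
        @Override
        protected HttpMethod getHttpMethod() {
            return HttpMethod.GET;
        }
    }

    /** Wires the GET provider into an OAuth2RestTemplate (constructed sample values). */
    public static OAuth2RestTemplate oauth2RestTemplate() {
        ResourceOwnerPasswordResourceDetails details = new ResourceOwnerPasswordResourceDetails();
        details.setAccessTokenUri("https://auth.example.test/oauth/token"); // constructed
        details.setClientId("demo-client");                                  // constructed
        details.setClientSecret("demo-secret");                              // constructed
        details.setUsername("alice");                                        // constructed
        details.setPassword("correct horse battery staple");                 // constructed

        OAuth2RestTemplate template = new OAuth2RestTemplate(details);
        // Replace the default provider chain (which would POST) with the GET variant.
        template.setAccessTokenProvider(new GetAccessTokenProvider());
        return template;
    }
}
```

Because the token endpoint will only accept GET if the server also allows it (the allowedTokenEndpointRequestMethods configuration in the answer), keep the override scoped to the one legacy service that requires it and leave every other resource on the default POST.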