I am building a spring-boot-oauth2 project and I want to revoke a client's access token. Below is my OAuth2 configuration.
import java.security.KeyPair;
import java.util.Arrays;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;
import org.springframework.core.io.ClassPathResource;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.TokenEnhancerChain;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;
import org.springframework.security.oauth2.provider.token.store.KeyStoreKeyFactory;

@Configuration
@EnableAuthorizationServer
public class OAuth2AuthorizationConfig extends AuthorizationServerConfigurerAdapter {

    @Autowired
    private AuthenticationManager authenticationManager;

    @Autowired
    private ClientDetailsService clientDetailsService;

    // Stateless store: it only decodes/verifies JWTs and keeps no record of issued tokens.
    @Bean
    public JwtTokenStore tokenStore() {
        JwtTokenStore store = new JwtTokenStore(jwtAccessTokenConverter());
        return store;
    }

    @Bean
    public TokenEnhancerChain tokenEnhancerChain() {
        final TokenEnhancerChain tokenEnhancerChain = new TokenEnhancerChain();
        tokenEnhancerChain.setTokenEnhancers(Arrays.asList(new CustomTokenEnhancer(), jwtAccessTokenConverter()));
        return tokenEnhancerChain;
    }

    @Bean
    @Primary
    public AuthorizationServerTokenServices tokenServices() {
        DefaultTokenServices tokenServices = new DefaultTokenServices();
        tokenServices.setTokenStore(tokenStore());
        tokenServices.setTokenEnhancer(tokenEnhancerChain());
        tokenServices.setClientDetailsService(clientDetailsService);
        tokenServices.setSupportRefreshToken(true);
        return tokenServices;
    }

    // CustomTokenEnhancer is the asker's own subclass of JwtAccessTokenConverter (not shown here).
    @Bean
    public JwtAccessTokenConverter jwtAccessTokenConverter() {
        JwtAccessTokenConverter converter = new CustomTokenEnhancer();
        KeyPair keyPair = new KeyStoreKeyFactory(new ClassPathResource("keystore.jks"), "secret".toCharArray()).getKeyPair("myapp-authkey");
        converter.setKeyPair(keyPair);
        return converter;
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        // @formatter:off
        // register for backend application
        clients.inMemory()
            .withClient("myclient-backend")
            .secret("secret")
            .authorizedGrantTypes(
                "password", "authorization_code", "refresh_token")
            .authorities("ROLE_TRUSTED_CLIENT")
            .scopes("read", "write", "update", "delete")
            .accessTokenValiditySeconds(1800) // Access token is only valid for 30 mins.
            .refreshTokenValiditySeconds(60 * 60 * 1) // Refresh token is only valid for 1 hour.
            .autoApprove(true)
        ;
        // @formatter:on
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        // @formatter:off
        endpoints.tokenServices(tokenServices())
            .tokenStore(tokenStore())
            .authenticationManager(authenticationManager)
            .accessTokenConverter(jwtAccessTokenConverter());
        // @formatter:on
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
        // @formatter:off
        oauthServer.tokenKeyAccess("isAnonymous() || isRememberMe() || hasAuthority('ROLE_TRUSTED_CLIENT')")
            .checkTokenAccess("isAuthenticated() and hasAuthority('ROLE_TRUSTED_CLIENT')")
            .realm("mysecurityRealm");
        // @formatter:on
    }
}
When I try to fetch the access tokens from the tokenStore by clientId, as in the code below,
    // Fragment of the asker's controller; 'logger' is the controller's own logger (declaration not shown).
    @Autowired
    private JwtTokenStore tokenStore;

    // The DefaultTokenServices bean also implements ConsumerTokenServices.
    @Autowired
    private ConsumerTokenServices consumerTokenServices;

    @RequestMapping(value = "/invalidateTokens", method = RequestMethod.POST)
    public @ResponseBody Map<String, String> revokeAccessToken(@RequestParam(name = "access_token") String accessToken) {
        logger.info("Invalidating access token ==> " + accessToken);
        String clientId = "myclient-backend";
        List<String> tokenValues = new ArrayList<String>();
        Collection<OAuth2AccessToken> tokens = tokenStore.findTokensByClientId(clientId);
        logger.debug("Listing all active tokens for clientId '" + clientId + "'" + tokens);
        if (tokens != null) {
            for (OAuth2AccessToken token : tokens) {
                logger.info("==> " + token.getValue());
                tokenValues.add(token.getValue());
            }
        }
        consumerTokenServices.revokeToken(accessToken);
        OAuth2AccessToken oAuth2AccessToken = tokenStore.readAccessToken(accessToken);
        if (oAuth2AccessToken != null) {
            tokenStore.removeAccessToken(oAuth2AccessToken);
        }
        Map<String, String> ret = new HashMap<>();
        ret.put("removed_access_token", accessToken);
        return ret;
    }
it always prints an empty array, as in
Listing all active tokens for clientId 'myclient-backend'[]
What configuration am I missing?

Answer 0: (score: 0)

Sorry... I should have configured the TokenStore the simple way; that is sufficient for an in-memory store..
@Bean
public TokenStore tokenStore() {
    return new InMemoryTokenStore();
}
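An added example, not code from the question or the answer, showing what becomes possible once the stateful InMemoryTokenStore from the answer is the tokenStore() bean: revoking every token issued to one client (for instance after its secret has been rotated). The controller name, the /revokeClientTokens path and the @PreAuthorize rule are assumptions.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.token.ConsumerTokenServices;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class ClientTokenRevocationController { // hypothetical name

    // Assumed to be the InMemoryTokenStore bean from the answer. With the original JwtTokenStore
    // findTokensByClientId() returns an empty collection and removeAccessToken() is a no-op.
    @Autowired
    private TokenStore tokenStore;

    // DefaultTokenServices (the tokenServices() bean) also implements ConsumerTokenServices;
    // revokeToken(value) removes the access token and its linked refresh token from the store.
    @Autowired
    private ConsumerTokenServices consumerTokenServices;

    // Revokes every token the store currently holds for one client id.
    // @PreAuthorize takes effect only with @EnableGlobalMethodSecurity(prePostEnabled = true) in the app.
    @PreAuthorize("hasAuthority('ROLE_TRUSTED_CLIENT')")
    @PostMapping("/revokeClientTokens")
    public List<String> revokeAllForClient(@RequestParam("client_id") String clientId) {
        Collection<OAuth2AccessToken> tokens = tokenStore.findTokensByClientId(clientId);
        List<String> revoked = new ArrayList<>();
        if (tokens == null) {
            return revoked;
        }
        // Iterate over a copy: InMemoryTokenStore hands back a view of its live collection,
        // and revoking mutates that collection.
        for (OAuth2AccessToken token : new ArrayList<>(tokens)) {
            if (consumerTokenServices.revokeToken(token.getValue())) {
                revoked.add(token.getValue());
            }
        }
        return revoked;
    }
}
```

Note that switching to a stateful store is what makes server-side revocation possible at all: a JWT issued through JwtTokenStore stays valid until its accessTokenValiditySeconds expire, because the store keeps no record to delete.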