我已经在OAuth2中为该请求成功实现了对新令牌的请求:
curl --request POST --url https://some-autentication-server.com/token --header 'content-type: content-type'
正文如下:
{
"grant_type"="password",
"username"="username",
"password"="password"
"client_id"="my-client-id"
}
认证后,资源服务器curl可以通过以下方式访问:
curl -i -H "authorization: Bearer token-received-from-auth-server" \
-H "accept: application/json" \
-H "request-id: abcdef" \
-H "consent-status: optedIn" \
-X GET https://my-resource-server.com/path
我在Spring Boot中使用的配置是这样的:
@EnableOAuth2Client
@Configuration
public class OauthClientConfig {
@Bean
public CloseableHttpClient httpClient() throws Exception {
CloseableHttpClient httpClient = null;
try {
httpClient = HttpClientBuilder.create()
.setProxy(new HttpHost("PROXY_HOST_NAME", 3000, "http"))
.build();
} catch (Exception e) {
throw e;
}
return httpClient;
}
@Bean
public ClientHttpRequestFactory clientHttpRequestFactory(CloseableHttpClient httpClient) throws Exception {
ClientHttpRequestFactory clientHttpRequestFactory = new HttpComponentsClientHttpRequestFactory(httpClient);
((HttpComponentsClientHttpRequestFactory) clientHttpRequestFactory)
.setReadTimeout(10000);
((HttpComponentsClientHttpRequestFactory) clientHttpRequestFactory).setConnectTimeout(10000);
return clientHttpRequestFactory;
}
@Bean
@Qualifier("restTemplate")
@Scope(value = "session", proxyMode = ScopedProxyMode.INTERFACES)
public OAuth2RestOperations restTemplate(OAuth2ProtectedResourceDetails oAuth2Resource,
ClientHttpRequestFactory clientHttpRequestFactory, AccessTokenProvider accessTokenProvider)
throws Exception {
Map<String, String[]> map = new HashMap<>();
AccessTokenRequest tokenRequest = new DefaultAccessTokenRequest(map);
OAuth2RestTemplate restTemplate = new OAuth2RestTemplate(oAuth2Resource,
new DefaultOAuth2ClientContext(tokenRequest));
restTemplate.setRequestFactory(clientHttpRequestFactory);
restTemplate.setAccessTokenProvider(accessTokenProvider);
return restTemplate;
}
@Bean
public AccessTokenProvider accessTokenProvider(ClientHttpRequestFactory clientHttpRequestFactory,
OAuth2ProtectedResourceDetails oAuth2Resource) throws Exception {
ResourceOwnerPasswordAccessTokenProvider accessTokenProvider = new ResourceOwnerPasswordAccessTokenProvider();
accessTokenProvider.supportsRefresh(oAuth2Resource);
accessTokenProvider.setRequestFactory(clientHttpRequestFactory);
return new AccessTokenProviderChain(Arrays.<AccessTokenProvider>asList(accessTokenProvider));
}
@Bean
@Qualifier("oAuth2Resource")
public OAuth2ProtectedResourceDetails oAuth2Resource() {
ResourceOwnerPasswordResourceDetails oAuth2Resource = new ResourceOwnerPasswordResourceDetails();
oAuth2Resource.setId("MY_ID");
oAuth2Resource.setAccessTokenUri("TOKEN_URL");
oAuth2Resource.setClientId("TOKEN_CLIENTID");
oAuth2Resource.setClientSecret("TOKEN_CLIENT_SECRET");
oAuth2Resource.setScope(new ArrayList<String>(Arrays.asList(new String[]{"read"})));
oAuth2Resource.setUsername("TOKEN_USERNAME");
oAuth2Resource.setPassword("TOKEN_PAZZWORD");
oAuth2Resource.setTokenName("access_token");
oAuth2Resource.setGrantType("password");
return oAuth2Resource;
}
}
这对于新的令牌请求很好用,但是现在我希望能够编写一种逻辑来实现 refresh_token 。理想情况下,我想在令牌到期之前存储令牌,并且一旦令牌到期达到令牌到期时间的大约90%,刷新令牌逻辑就会在身份验证服务器上运行以刷新令牌。刷新令牌逻辑将始终在后台运行。我的问题是如何使用spring-security-oauth2库实现此逻辑?该逻辑是否已在库中实现,还是我必须自己手动编写该逻辑?
答案 0 :(得分:3)
我想在令牌到期之前和 令牌到期时间约为其到期时间的90%,即刷新 令牌逻辑将在身份验证服务器上运行以刷新 令牌。
这不符合oauth RFC的要求。
https://tools.ietf.org/html/rfc6749#section-1.5
仅当客户端从资源服务器收到错误消息,即先前的令牌无效时,刷新令牌才用于获取新的令牌。在上面的链接中查看步骤E至G。
Spring oauth2.0按照oauth支持流程。这是我为此找到的blog post。