I have implemented Spring Boot OAuth 2 security and it works fine, but when I try to obtain an access token from the refresh token (when the access token has expired) it gives me an error:

```json
{
  "error": "unauthorized",
  "error_description": "admin"
}
```

Console log:

```
Handling error: UsernameNotFoundException, admin
```

Here is my code:
1. WebSecurityConfigurer

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class EmployeeSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(WebSecurity web) throws Exception {
        // Static resources bypass the security filter chain entirely
        web.ignoring().antMatchers("/resources/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/").permitAll()
            .antMatchers("/user/getEmployeesList").hasAnyRole("USER")
            .anyRequest().authenticated()
            .and().formLogin().permitAll()
            .and().logout().permitAll();
        http.csrf().disable();
    }

    @Override
    public void configure(AuthenticationManagerBuilder authenticationMgr) throws Exception {
        // Single in-memory user used for the password grant and form login
        authenticationMgr.inMemoryAuthentication()
            .withUser("admin").password("admin")
            .authorities("ROLE_USER");
    }
}
```
2. AuthorizationServerConfigurer

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    @Autowired
    private AuthenticationManager authenticationManager;

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        security
            .tokenKeyAccess("permitAll()")
            .checkTokenAccess("isAuthenticated()")
            .allowFormAuthenticationForClients();
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        // Single in-memory client with the grants used by this application
        clients.inMemory()
            .withClient("MagicUser")
            .authorizedGrantTypes("authorization_code", "refresh_token", "password")
            .authorities("CLIENT")
            .scopes("openid", "read", "write", "trust")
            .resourceIds("oauth2-resource")
            .redirectUris("http://10.9.6.31:8090/showEmployees")
            .accessTokenValiditySeconds(5000)
            .secret("secret")
            .refreshTokenValiditySeconds(50000);
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.authenticationManager(authenticationManager)
            .allowedTokenEndpointRequestMethods(HttpMethod.GET, HttpMethod.POST);
    }
}
```
Please help me figure out this problem.

Access token request (when the access token has expired):

```
http://10.9.6.31:8091/oauth/token

Body parameters:
grant_type=refresh_token
refresh_token=78d2ab82-46a2-4b70-a9e8-e3f9e5ddfec6
```
Answer 0 (score: 0)

You may have to send the Authorization header in the request to authenticate the client. Check "OAuth client authentication" and "Refreshing an access token" in the OAuth 2.0 specification.
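As an added illustration, not the asker's or answerer's code: the token endpoint in Spring Security OAuth2 re-loads the user named in the refresh token through the UserDetailsService handed to the endpoints, so a refresh can fail with UsernameNotFoundException for "admin" when the in-memory store from the question is not the one the authorization server sees. The configuration below assumes spring-security-oauth2 2.x on Spring Boot 1.x (plain-text passwords as in the question), keeps the question's user and client names, and notes in comments the client credentials the answer refers to.

```java
// Added example (assumes spring-security-oauth2 2.x / Spring Boot 1.x).
// The refresh_token grant re-authenticates "admin" via the UserDetailsService
// given to the endpoints, so the in-memory store must be exposed to the
// authorization server. The request itself must also authenticate the client
// (Authorization: Basic MagicUser:secret, or client_id/client_secret form fields).
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;

@Configuration
class UserStoreConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("admin").password("admin").authorities("ROLE_USER");
    }

    // Expose the same in-memory store as beans so the authorization server reuses it.
    @Bean @Override
    public UserDetailsService userDetailsServiceBean() throws Exception {
        return super.userDetailsServiceBean();
    }
    @Bean @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }
}

@Configuration
class TokenEndpointsConfig extends AuthorizationServerConfigurerAdapter {
    @Autowired private AuthenticationManager authenticationManager;
    @Autowired private UserDetailsService userDetailsService;

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints.authenticationManager(authenticationManager) // used by the password grant
                 .userDetailsService(userDetailsService);      // used when refreshing a token
    }
}
```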