I have configured an OAuth2 authorization server project with JWT. When I authorize using client credentials, I get an access token like the one below, with an expiry of 43199:
    {
        "access_token": "eyJhbGci........................",
        "token_type": "bearer",
        "expires_in": 43199,
        "scope": "resource-access",
        "jti": "45507f3e-2d8c-4dc8-95ce-295bb690cf3a"
    }
I am not storing the token anywhere, e.g. in a DB or a session, but if I call the same token endpoint again I get the same access token back, with a reduced expiry time.
I am not sure where this token is being stored; I want to get a new token every time I call the token endpoint.
Can anyone help me?
My custom AuthorizationServerConfigurerAdapter class is given below:
    import javax.sql.DataSource;

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.beans.factory.annotation.Qualifier;
    import org.springframework.beans.factory.annotation.Value;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.core.io.ClassPathResource;
    import org.springframework.security.authentication.AuthenticationManager;
    import org.springframework.security.core.userdetails.UserDetailsService;
    import org.springframework.security.crypto.password.PasswordEncoder;
    import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
    import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
    import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
    import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
    import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
    import org.springframework.security.oauth2.provider.ClientDetailsService;
    import org.springframework.security.oauth2.provider.OAuth2RequestFactory;
    import org.springframework.security.oauth2.provider.endpoint.TokenEndpointAuthenticationFilter;
    import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
    import org.springframework.security.oauth2.provider.token.store.KeyStoreKeyFactory;

    // CustomOauth2RequestFactory and CustomJwtTokenEnhancerConfig are the project's own classes
    // (a CustomOauth2RequestFactory extending DefaultOAuth2RequestFactory and a
    // CustomJwtTokenEnhancerConfig extending JwtAccessTokenConverter); they are not shown here.

    @Configuration
    @EnableAuthorizationServer
    public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

        @Value("${scopes}")
        private Boolean checkUserScopes;

        @Autowired
        private DataSource dataSource;

        @Autowired
        private PasswordEncoder passwordEncoder;

        @Autowired
        private UserDetailsService userDetailsService;

        @Autowired
        private ClientDetailsService clientDetailsService;

        @Autowired
        @Qualifier("authenticationManagerBean")
        private AuthenticationManager authenticationManager;

        @Bean
        public OAuth2RequestFactory requestFactory() {
            CustomOauth2RequestFactory requestFactory = new CustomOauth2RequestFactory(clientDetailsService);
            requestFactory.setCheckUserScopes(true);
            return requestFactory;
        }

        // Client registrations are read from the database (oauth_client_details table).
        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            clients.jdbc(dataSource).passwordEncoder(passwordEncoder);
        }

        @Bean
        public TokenEndpointAuthenticationFilter tokenEndpointAuthenticationFilter() {
            return new TokenEndpointAuthenticationFilter(authenticationManager, requestFactory());
        }

        // /oauth/token_key is public (needed by resource servers to fetch the verifier key);
        // /oauth/check_token requires an authenticated client.
        @Override
        public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
            oauthServer.tokenKeyAccess("permitAll()").checkTokenAccess("isAuthenticated()");
        }

        // Note: only a tokenEnhancer is registered here; no tokenStore or accessTokenConverter is set.
        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
            endpoints
                .tokenEnhancer(jwtAccessTokenConverter())
                .authenticationManager(authenticationManager)
                .userDetailsService(userDetailsService);
            if (checkUserScopes) {
                endpoints.requestFactory(requestFactory());
            }
        }

        @Bean
        public JwtAccessTokenConverter jwtAccessTokenConverter() {
            CustomJwtTokenEnhancerConfig tokenEnhancer = new CustomJwtTokenEnhancerConfig();
            // Tokens are signed with the RSA key pair stored under alias "jwt" in myjwt.jks.
            tokenEnhancer.setKeyPair(new KeyStoreKeyFactory(
                    new ClassPathResource("myjwt.jks"), "password".toCharArray()).getKeyPair("jwt"));
            return tokenEnhancer;
        }
    }
Answer 0 (score: 0)
The JSON Web Token (JWT) authentication technique does not need a database table or data store to keep the generated tokens. The token is generated using a cryptographic algorithm.
When you call the login service, the token is generated from the payload and a secret value. If your payload is the same, you will not get a new token value with the same secret value.
You can refer to this link for more information on how JWT works: https://medium.com/vandium-software/5-easy-steps-to-understanding-json-web-tokens-jwt-1164c0adfcec
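As an added example (not code from the question or the answer above), here is how the token-store side of this looks in Spring Security OAuth2 2.x, the library the question's imports belong to. In that library, `AuthorizationServerEndpointsConfigurer` only builds a `JwtTokenStore` when a `JwtAccessTokenConverter` is registered as the `accessTokenConverter`; the question's configuration registers it only as a `tokenEnhancer`, so the endpoints fall back to an `InMemoryTokenStore`, and `DefaultTokenServices.createAccessToken` hands back the stored, still-valid token for the same client authentication, recomputing `expires_in` from the stored expiry. The configuration below makes the server stateless so every call to the token endpoint signs a fresh JWT with its own `jti`. The class name, constructor injection and the keystore path/alias/password placeholders are assumptions, not values from the page.

```java
// Added example: stateless JWT issuance with Spring Security OAuth2 2.x.
// Class name and injected beans are assumed; keystore values are placeholders.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ClassPathResource;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;
import org.springframework.security.oauth2.provider.token.store.KeyStoreKeyFactory;

@Configuration
@EnableAuthorizationServer
public class StatelessJwtAuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    // Assumed to be provided by the application's security configuration, as in the question.
    private final AuthenticationManager authenticationManager;
    private final UserDetailsService userDetailsService;

    public StatelessJwtAuthorizationServerConfig(AuthenticationManager authenticationManager,
                                                 UserDetailsService userDetailsService) {
        this.authenticationManager = authenticationManager;
        this.userDetailsService = userDetailsService;
    }

    @Bean
    public JwtAccessTokenConverter jwtAccessTokenConverter() {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        // Placeholder keystore, password and alias: replace with the real ones.
        converter.setKeyPair(new KeyStoreKeyFactory(
                new ClassPathResource("placeholder-jwt.jks"), "placeholder-password".toCharArray())
                .getKeyPair("placeholder-alias"));
        return converter;
    }

    @Bean
    public TokenStore tokenStore() {
        // JwtTokenStore persists nothing: its getAccessToken(OAuth2Authentication) returns null,
        // so DefaultTokenServices never finds an "existing" token to reuse and signs a new one
        // (new jti, new exp) on every request. Trade-off: nothing server-side to revoke, so
        // keep access tokens short-lived and use the refresh flow for longer sessions.
        return new JwtTokenStore(jwtAccessTokenConverter());
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints
            // Registering the converter as accessTokenConverter AND setting the JwtTokenStore
            // is what switches the endpoints away from the InMemoryTokenStore default.
            .tokenStore(tokenStore())
            .accessTokenConverter(jwtAccessTokenConverter())
            .tokenEnhancer(jwtAccessTokenConverter())
            .authenticationManager(authenticationManager)
            .userDetailsService(userDetailsService);
    }
}
```

To check which behaviour a server has, request two tokens for the same client and base64url-decode the middle (payload) segment of each JWT: with the in-memory store both carry the same `jti` and `exp`, with the `JwtTokenStore` each has a different `jti`. Two operational points follow from the in-memory default: the reused token lives only in that JVM, so two instances behind a load balancer will hand the same client different tokens, and a restart forgets every issued token, which is why that store is meant for development rather than production.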