我已使用jwt令牌配置了具有春季安全性oauth的OAuth2授权服务器:
@Configuration
@EnableAuthorizationServer
public class OAuth2AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
...
@Override
public void configure(final ClientDetailsServiceConfigurer clients) throws Exception {
clients.jdbc(dataSource).passwordEncoder(passwordEncoder);
}
@Bean
public ApprovalStore approvalStore() {
return new JdbcApprovalStore(dataSource);
}
@Bean
public TokenStore tokenStore() {
var jwtTokenStore = new JwtTokenStore(tokenConverter());
jwtTokenStore.setApprovalStore(approvalStore());
return jwtTokenStore;
}
@Bean
public JwtAccessTokenConverter tokenConverter() {
var converter = new JwtAccessTokenConverter();
var keyStoreKeyFactory = new KeyStoreKeyFactory(new ClassPathResource(jwtKeyStore), jwtKeyPass.toCharArray());
converter.setKeyPair(keyStoreKeyFactory.getKeyPair("jwtkey"));
return converter;
}
}
有一个拥有password和refresh_token授权的客户。我可以通过以下请求获取访问权限并刷新令牌:
curl --request POST \
--url 'http://localhost:8080/oauth/token?grant_type=password&scope=read' \
--header 'authorization: Basic <xxxxxxx>' \
--header 'content-type: application/x-www-form-urlencoded' \
--data 'username=xxxxxxx&password=xxxxxxx'
响应:
{
"access_token": "<long access token>",
"token_type": "bearer",
"refresh_token": "<long refresh token>",
"expires_in": 599,
"scope": "read",
"subject": "xxx",
"jti": "xxx"
}
但是,当我尝试刷新令牌时,出现错误Invalid refresh token。进一步调试Spring代码我看到在第一个请求上,它没有在oauth_approvals表中插入一行。并且在第二个请求(刷新令牌)时,它认为用户尚未批准范围(尽管我有autoapprove=true)。
implicit或authorization_code授予流不是这种情况:在那种情况下,它确实在oauth_approvals表中插入了一行,并且令牌被成功刷新。
这是Spring OAuth中的错误还是有任何解决方法?
答案 0 :(得分:1)
深入研究Spring的代码后,我得出的结论是,这确实是一个bug。因此,我扩展了JdbcApprovalStore并改用了那个。这是伪代码
public class JdbcApprovalStoreAutoApprove extends JdbcApprovalStore {
...
@Override
public List<Approval> getApprovals(String userName, String clientId) {
if (client has auto approved scopes) {
return those scopes;
}
return super.getApprovals(userName, clientId);
}