使用spring security oauth有没有办法绕过或使用oauth(bearer)身份验证进行refresh_token操作? 我尝试了很多配置而没有成功。 目前唯一可行的方法是使用基本身份验证。 我认为这很糟糕,因为它会强制客户端存储用户密码以刷新令牌。
<ul class="foot_nav">
<li>Home</li>
<li>Discovery</li>
<li>Subjects</li>
<li>Guide</li>
<li>About us</li>
</ul>
//css
.foot_nav li{//styling}
WebSecurityConfiguration:
public class OAuth2Configuration extends AuthorizationServerConfigurerAdapter {
@Autowired
private SecurityConfig securityConfig;
@Autowired
private AuthenticationManager authenticationManager;
@Autowired
private ClientDetailsService clientDetailsService;
@Autowired
private UserDetailsService userDetailsService;
@Override
public void configure(final ClientDetailsServiceConfigurer clients) throws Exception {
clients.withClientDetails(clientDetailsService);
}
@Override
public void configure(final AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
final TokenEnhancerChain tokenEnhancerChain = new TokenEnhancerChain();
tokenEnhancerChain.setTokenEnhancers(Arrays.asList(tokenEnhancer(), jwtAccessTokenConverter()));
endpoints
.tokenStore(tokenStore()).tokenEnhancer(tokenEnhancerChain)
.authenticationManager(authenticationManager)
.userDetailsService(userDetailsService)
.tokenServices(tokenServices());
}
@Bean
public TokenStore tokenStore() {
return new JwtTokenStore(jwtAccessTokenConverter());
}
@Bean
protected JwtAccessTokenConverter jwtAccessTokenConverter() {
final KeyStoreKeyFactory keyStoreKeyFactory = new KeyStoreKeyFactory(
new ClassPathResource(securityConfig.getKeyResource()), securityConfig.getKeyPass().toCharArray());
final JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
converter.setKeyPair(keyStoreKeyFactory.getKeyPair(securityConfig.getKeyAlias()));
return converter;
}
@Override
public void configure(final AuthorizationServerSecurityConfigurer oauthServer)
throws Exception {
oauthServer.tokenKeyAccess("permitAll()").checkTokenAccess("isAuthenticated()");
}
@Bean
public TokenEnhancer tokenEnhancer() {
return new CustomTokenEnhancer();
}
@Bean
@Primary
public CustomTokenServices tokenServices() {
final TokenEnhancerChain tokenEnhancerChain = new TokenEnhancerChain();
tokenEnhancerChain.setTokenEnhancers(Arrays.asList(tokenEnhancer(), jwtAccessTokenConverter()));
final CustomTokenServices services = new CustomTokenServices();
services.setTokenStore(tokenStore());
services.setTokenEnhancer(tokenEnhancerChain);
services.setSupportRefreshToken(true);
services.setClientDetailsService(clientDetailsService);
addUserDetailsService(services, userDetailsService);
return services;
}
private void addUserDetailsService(final DefaultTokenServices tokenServices, final UserDetailsService userDetailsService) {
if (userDetailsService != null) {
final PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
provider.setPreAuthenticatedUserDetailsService(new UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken>(
userDetailsService));
tokenServices
.setAuthenticationManager(new ProviderManager(Arrays.<AuthenticationProvider>asList(provider)));
}
}
}
答案 0 :(得分:0)
不,如果没有有效的客户端凭据,则无法刷新访问令牌。
RFC 6749第1.5节说:
(G)客户端通过身份验证请求新的访问令牌 授权服务器并呈现刷新令牌。 [...]
从安全和标准兼容的角度来看,不建议在您的应用程序中采用这种方法。
我认为这很糟糕,因为它会强制客户端存储用户密码以刷新令牌。
你永远不应该这样做。您没有提到您的应用程序设置,但我认为您的应用程序缺少一些基础设施代码以符合 OAuth2标准。
考虑使用Spring Cloud Security。它为您提供免费的资源服务器之间的令牌中继,您不必担心刷新访问令牌。
在spring.io上看一下这个tutorial。