Grant type refresh_token without basic authentication

Time: 2017-02-14 10:07:50

Tags: spring spring-security oauth

With Spring Security OAuth, is there a way to bypass basic authentication or use OAuth (bearer) authentication for the refresh_token operation? I have tried many configurations without success. Currently the only thing that works is basic authentication. I think that is bad, because it forces the client to store the user's password in order to refresh the token.

WebSecurityConfiguration:

import java.util.Arrays;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;
import org.springframework.core.io.ClassPathResource;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.TokenEnhancer;
import org.springframework.security.oauth2.provider.token.TokenEnhancerChain;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;
import org.springframework.security.oauth2.provider.token.store.KeyStoreKeyFactory;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

// SecurityConfig, CustomTokenEnhancer and CustomTokenServices are the application's own classes
// (not shown in the question); CustomTokenServices is assumed to extend DefaultTokenServices.
@Configuration
@EnableAuthorizationServer
public class OAuth2Configuration extends AuthorizationServerConfigurerAdapter {
    @Autowired
    private SecurityConfig securityConfig;

    @Autowired
    private AuthenticationManager authenticationManager;

    @Autowired
    private ClientDetailsService clientDetailsService;

    @Autowired
    private UserDetailsService userDetailsService;

    @Override
    public void configure(final ClientDetailsServiceConfigurer clients) throws Exception {
        clients.withClientDetails(clientDetailsService);
    }

    @Override
    public void configure(final AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        final TokenEnhancerChain tokenEnhancerChain = new TokenEnhancerChain();
        tokenEnhancerChain.setTokenEnhancers(Arrays.asList(tokenEnhancer(), jwtAccessTokenConverter()));

        endpoints
            .tokenStore(tokenStore()).tokenEnhancer(tokenEnhancerChain)
            .authenticationManager(authenticationManager)
            .userDetailsService(userDetailsService)
            .tokenServices(tokenServices());
    }

    @Bean
    public TokenStore tokenStore() {
        // Stateless store: tokens are self-contained JWTs signed with the key pair below.
        return new JwtTokenStore(jwtAccessTokenConverter());
    }

    @Bean
    protected JwtAccessTokenConverter jwtAccessTokenConverter() {
        final KeyStoreKeyFactory keyStoreKeyFactory = new KeyStoreKeyFactory(
            new ClassPathResource(securityConfig.getKeyResource()), securityConfig.getKeyPass().toCharArray());
        final JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        converter.setKeyPair(keyStoreKeyFactory.getKeyPair(securityConfig.getKeyAlias()));
        return converter;
    }

    @Override
    public void configure(final AuthorizationServerSecurityConfigurer oauthServer)
        throws Exception {
        oauthServer.tokenKeyAccess("permitAll()").checkTokenAccess("isAuthenticated()");
    }

    @Bean
    public TokenEnhancer tokenEnhancer() {
        return new CustomTokenEnhancer();
    }

    @Bean
    @Primary
    public CustomTokenServices tokenServices() {
        final TokenEnhancerChain tokenEnhancerChain = new TokenEnhancerChain();
        tokenEnhancerChain.setTokenEnhancers(Arrays.asList(tokenEnhancer(), jwtAccessTokenConverter()));

        final CustomTokenServices services = new CustomTokenServices();
        services.setTokenStore(tokenStore());
        services.setTokenEnhancer(tokenEnhancerChain);
        services.setSupportRefreshToken(true);
        services.setClientDetailsService(clientDetailsService);
        addUserDetailsService(services, userDetailsService);
        return services;
    }

    // On refresh, DefaultTokenServices re-authenticates the user named in the refresh token
    // through this pre-authenticated provider, so revoked or disabled accounts are rejected.
    private void addUserDetailsService(final DefaultTokenServices tokenServices, final UserDetailsService userDetailsService) {
        if (userDetailsService != null) {
            final PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
            provider.setPreAuthenticatedUserDetailsService(new UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken>(
                userDetailsService));
            tokenServices
                .setAuthenticationManager(new ProviderManager(Arrays.<AuthenticationProvider>asList(provider)));
        }
    }

}

1 answer:

Answer 0: (score: 0)

No, without valid client credentials the access token cannot be refreshed.

RFC 6749 section 1.5 says:

(G) The client authenticates with the authorization server and presents the refresh token. [...]

From a security and standards-compliance standpoint, adopting this approach in your application is not recommended.

I think that is bad, because it forces the client to store the user's password in order to refresh the token.

You should never do that. You did not mention your application setup, but I think your application is missing some infrastructure code to be OAuth2-compliant.

Consider using Spring Cloud Security. It gives you token relay between resource servers for free, and you don't have to worry about refreshing access tokens.

Take a look at this tutorial on spring.io.
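An added example, not code from the question or the answer above, of what the client-credential requirement from RFC 6749 step (G) looks like in a Spring Security OAuth2 authorization-server configuration. The credential presented on a refresh_token grant is the registered client's id and secret, not the resource owner's password, so a confidential client never needs to keep the user's password. Spring also accepts the client credentials as form parameters instead of an HTTP Basic header when allowFormAuthenticationForClients() is enabled. The client id mobile-app, its secret, the scopes and the token lifetimes are constructed placeholders.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

@Configuration
@EnableAuthorizationServer
public class RefreshGrantClientConfiguration extends AuthorizationServerConfigurerAdapter {

    // Client secrets are stored hashed, like user passwords; the server verifies them on every
    // token-endpoint call, including refresh_token grants.
    @Bean
    public PasswordEncoder clientSecretEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            .withClient("mobile-app")                              // hypothetical client_id
            .secret(clientSecretEncoder().encode("change-me"))     // hypothetical client_secret
            .authorizedGrantTypes("password", "refresh_token")     // refresh must be granted explicitly
            .scopes("read", "write")
            .accessTokenValiditySeconds(600)                       // short-lived access token
            .refreshTokenValiditySeconds(86400);                   // refresh token outlives it
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) {
        oauthServer
            .passwordEncoder(clientSecretEncoder())
            // Accept client_id/client_secret as POST form fields in addition to HTTP Basic.
            // Either way it is the client that authenticates, not the end user:
            //
            //   POST /oauth/token
            //   grant_type=refresh_token&refresh_token=<token>
            //     &client_id=mobile-app&client_secret=change-me
            //
            // is equivalent to sending Authorization: Basic base64(mobile-app:change-me).
            .allowFormAuthenticationForClients();
    }
}
```

Keep the secret out of clients that cannot protect it (browser single-page apps, mobile apps that can be decompiled); for those, the refresh token itself is the sensitive artifact, so store it in platform-protected storage and keep its lifetime short.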