I have an API that I developed in Spring Boot, and I noticed that it does not return a refresh token when you request an access token.
The API response looks like this:
{
    "access_token": "ed0bdc62-dccf-4f58-933c-e28ad9598843",
    "token_type": "bearer",
    "expires_in": 2589494,
    "scope": "read write"
}
My configuration looks like this:
import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JdbcTokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;

@Configuration
public class OAuth2ServerConfiguration {

    private static final String RESOURCE_ID = "myapi";

    @Autowired
    DataSource dataSource;

    // Tokens are persisted in the oauth_access_token / oauth_refresh_token tables.
    @Bean
    public TokenStore tokenStore() {
        return new JdbcTokenStore(dataSource);
    }

    @Configuration
    @EnableResourceServer
    protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

        @Autowired
        TokenStore tokenStore;

        @Override
        public void configure(ResourceServerSecurityConfigurer resources) {
            resources
                .resourceId(RESOURCE_ID)
                .tokenStore(tokenStore);
        }

        @Override
        public void configure(HttpSecurity http) throws Exception {
            http
                .csrf().disable()
                .authorizeRequests()
                .antMatchers("/oauth/**", "/view/**").permitAll()
                .anyRequest().authenticated();
        }
    }

    @Configuration
    @EnableAuthorizationServer
    protected static class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {

        @Autowired
        private JwtAccessTokenConverter jwtAccessTokenConverter;

        @Autowired
        private DataSource dataSource;

        @Autowired
        private TokenStore tokenStore;

        @Autowired
        private CustomUserDetailsService userDetailsService;

        @Autowired
        @Qualifier("authenticationManagerBean")
        private AuthenticationManager authenticationManager;

        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
            endpoints
                .tokenStore(tokenStore)
                .authenticationManager(authenticationManager)
                .userDetailsService(userDetailsService);
        }

        // Client registrations (including authorized grant types) are read from
        // the oauth_client_details table.
        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            clients
                .jdbc(dataSource);
        }
    }
}
I previously had the project set up using JWT access tokens, and it did return a refresh token, but I had to remove JWT because it was incompatible with using a token store.
To confirm: it does return a refresh token when grant_type=password, but not when it is set to 'client_credentials'.
Does anyone have any suggestions as to why my configuration is not returning a refresh token?
Answer 0 (score: 5)
RFC 6749 says "A refresh token SHOULD NOT be included." Therefore, most implementations of OAuth 2.0 authorization servers do not generate a refresh token in the Client Credentials flow.
Answer 1 (score: -1)
I ran into the same problem, then changed this method by adding REFRESH_TOKEN, and got a refresh_token value in the response.
静态最终字符串REFRESH_TOKEN =“ refresh_token”;
@Override
public void configure(ClientDetailsServiceConfigurer configurer) throws Exception {
configurer
.inMemory()
.withClient(CLIENT_ID)
.secret(messageDigestPasswordEncoder.encode(CLIENT_SECRET))
.authorizedGrantTypes(GRANT_TYPE,REFRESH_TOKEN)
.scopes(SCOPE_READ, SCOPE_WRITE ,TRUST)
.accessTokenValiditySeconds(ACCESS_TOKEN_VALIDITY_SECONDS).
refreshTokenValiditySeconds(REFRESH_TOKEN_VALIDITY_SECONDS);
}
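The two answers above describe two separate conditions that both have to hold before a token response carries a refresh_token: the client registration must be authorized for the "refresh_token" grant (Answer 1), and the grant being exercised must not be client_credentials, for which RFC 6749 §4.4.3 says a refresh token SHOULD NOT be included (Answer 0). The following is an added, standalone Python model of that decision in a token endpoint; it is not code from the question or from Spring Security OAuth2, and the client registrations, user store and secrets in it are constructed sample data. It applies the same rule to any grant type, not only the password grant shown in the question.

```python
"""Model of an OAuth 2.0 token endpoint's refresh-token decision (RFC 6749).

Added example, not code from the question or from Spring Security OAuth2.
Two rules decide whether a refresh_token appears in the response:
  * RFC 6749 §4.4.3: a client_credentials response SHOULD NOT include a
    refresh token, regardless of what the client is registered for.
  * For other grants, a refresh token is issued only if the client's
    registration lists the "refresh_token" grant type.
All registrations, users and secrets below are constructed sample data.
"""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class ClientDetails:
    """Constructed stand-in for one row of a client registration table."""
    client_id: str
    client_secret: str
    authorized_grant_types: frozenset
    scopes: frozenset
    access_token_validity: int = 3600
    refresh_token_validity: int = 86400


# Constructed sample client registrations.
CLIENTS = {
    "webapp": ClientDetails("webapp", "s3cret",
                            frozenset({"password", "refresh_token"}),
                            frozenset({"read", "write"})),
    "batch": ClientDetails("batch", "batch-secret",
                           frozenset({"client_credentials", "refresh_token"}),
                           frozenset({"read"})),
    "legacy": ClientDetails("legacy", "legacy-secret",
                            frozenset({"password"}),
                            frozenset({"read"})),
}

# Constructed sample user store for the password grant.
USERS = {"alice": "wonderland"}


class TokenError(Exception):
    """Raised with an RFC 6749 section 5.2 error code as its message."""


def authenticate_user(username, password):
    """Constant-time check of the resource owner's credentials."""
    stored = USERS.get(username or "")
    return stored is not None and secrets.compare_digest(stored, password or "")


def issue_token(grant_type, client_id, client_secret, scope=None,
                username=None, password=None, clients=CLIENTS):
    """Return the token response dict for one token-endpoint request."""
    client = clients.get(client_id)
    # Authenticate the client before looking at anything else it sent.
    if client is None or not secrets.compare_digest(client.client_secret, client_secret):
        raise TokenError("invalid_client")
    if grant_type not in client.authorized_grant_types:
        raise TokenError("unauthorized_client")
    # Requested scope defaults to everything the client is registered for.
    requested = set(scope.split()) if scope else set(client.scopes)
    if not requested <= client.scopes:
        raise TokenError("invalid_scope")
    if grant_type == "password":
        if not authenticate_user(username, password):
            raise TokenError("invalid_grant")
    elif grant_type != "client_credentials":
        raise TokenError("unsupported_grant_type")

    response = {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "bearer",
        "expires_in": client.access_token_validity,
        "scope": " ".join(sorted(requested)),
    }
    # Both conditions must hold: not client_credentials (RFC 6749 4.4.3),
    # and the client is authorized for the refresh_token grant.
    if grant_type != "client_credentials" and "refresh_token" in client.authorized_grant_types:
        response["refresh_token"] = secrets.token_urlsafe(32)
    return response
```

With these registrations, `issue_token("client_credentials", "batch", "batch-secret")` returns no refresh_token even though "batch" is registered for the refresh_token grant, which is the behaviour the question reports; `issue_token("password", "webapp", ...)` does include one, and `issue_token("password", "legacy", ...)` does not because "legacy" lacks the refresh_token grant type, which is the situation Answer 1 fixes.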