Spring Boot OAuth 不会为客户端返回刷新令牌 [英] Spring Boot OAuth doesn't return a refresh token for clients

问题描述

我有一个在 Spring Boot 中开发的 API，我刚刚注意到当您请求访问令牌时它没有返回刷新令牌.

I have an API that I've developed in Spring Boot, and I've just noticed that it's not returning a refresh token when you request an access token.

来自 API 的响应如下所示；

The response from the API looks like this;

{
    "access_token": "ed0bdc62-dccf-4f58-933c-e28ad9598843",
    "token_type": "bearer",
    "expires_in": 2589494,
    "scope": "read write"
}

我的配置是这样的；

@Configuration
public class OAuth2ServerConfiguration {

    private static final String RESOURCE_ID = "myapi";

    @Autowired
    DataSource dataSource;

    @Bean
    public TokenStore tokenStore() {
        return new JdbcTokenStore(dataSource);
    }

    @Configuration
    @EnableResourceServer
    protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

        @Autowired
        TokenStore tokenStore;

        @Override
        public void configure(ResourceServerSecurityConfigurer resources) {
            resources
                    .resourceId(RESOURCE_ID)
                    .tokenStore(tokenStore);
        }

        @Override
        public void configure(HttpSecurity http) throws Exception {
            http
                    .csrf().disable()
                    .authorizeRequests()
                    .antMatchers("/oauth/**", "/view/**").permitAll()
                    .anyRequest().authenticated();
        }
    }

    @Configuration
    @EnableAuthorizationServer
    protected static class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {
        @Autowired
        private JwtAccessTokenConverter jwtAccessTokenConverter;

        @Autowired
        private DataSource dataSource;

        @Autowired
        private TokenStore tokenStore;

        @Autowired
        private CustomUserDetailsService userDetailsService;

        @Autowired
        @Qualifier("authenticationManagerBean")
        private AuthenticationManager authenticationManager;

        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
            endpoints
                    .tokenStore(tokenStore)
                    .authenticationManager(authenticationManager)
                    .userDetailsService(userDetailsService);
        }

        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            clients
                    .jdbc(dataSource);
        }
    }

}

我之前将项目设置为使用 JWT 作为访问令牌，并且确实返回了刷新令牌，但是我不得不删除 JWT，因为它与使用令牌存储不兼容.

I previously had the project setup to use JWT for access tokens and that did return a refresh token, however I had to remove JWT as it wasn't compatible with using the token store.

确认，当 grant_type = password 时它返回一个刷新令牌，但当它设置为 'client_credentials' 时不返回.

To confirm, it returns a refresh token when the grant_type = password, but not when it's set to 'client_credentials'.

有人对为什么我的配置不返回刷新令牌有任何建议吗?

Does anyone have any suggestions why my configuration doesn't return a refresh token?

推荐答案

4.3.3.RFC 6749(OAuth 2.0 授权框架)中的访问令牌响应说不应包含刷新令牌." 因此，OAuth 2.0 授权服务器的大多数实现不会在 客户端凭据流程.

4.3.3. Access Token Response in RFC 6749 (The OAuth 2.0 Authorization Framework) says "A refresh token SHOULD NOT be included." Therefore, most implementations of OAuth 2.0 authorization servers do not generate a refresh token in Client Credentials flow.

这篇关于Spring Boot OAuth 不会为客户端返回刷新令牌的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！