春季安全client_credentials grant_type-支持刷新令牌 [英] spring security client_credentials grant_type - support for refresh token
问题描述
client_credentials授予类型是否支持刷新令牌方案?
使用client_credentials授予类型时应如何处理access_token到期?
我在代理服务(Zuul和EnableOAuth2Sso)的后面有一个授权服务和受保护的服务,该代理服务充当来自客户端应用程序的所有请求的网关.
这是我的流程:
- 接受来自客户端应用程序的请求(rest api)的代理服务(zuul)
- 代理服务通过发布
client_id,client_secret和grant_type(client_credentials)调用授权服务api,并从响应中获取access_token,refresh_token和到期时间 - 代理服务根据zuul路由映射将原始请求路由到受保护的服务.
此流程工作正常,但查看ClientCredentialsAccessTokenProvider中的代码,我注意到'supportsRefresh'返回false,'refreshToken'方法返回null.这是否意味着当access_token过期时,从客户端应用程序到代理服务(zuul)的任何后续请求都将失败?
client_credentials OAuth授予服务器需要机器对机器的身份验证,因此无需刷新令牌.
因此,在Spring Security OAuth的 解决方案
client_credentials OAuth grant servers the need of machine-to-machine authentication, so there is no need to refresh the token.
As result, in Spring Security OAuth's ClientCredentialsAccessTokenProvider, supportsRefresh returns false and refreshToken methods returns null.
In fact, your authorization server and resource server are all in same place (which means the token generation is pretty cheap), quite much like our setup. I suggest you can just set a short lifespan (like 10 minutes) for access token, and treat them self-disposable, and get access token every time when you want to touch the secured resource.
这篇关于春季安全client_credentials grant_type-支持刷新令牌的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
