Request new access token using refresh token in username-password grant in Spring Security OAuth2


Problem description



We're using the username-password grant to obtain an access token from our auth server. We want to refresh the access token before it expires using the provided refresh token until the user logs out or closes the client app.

However I just cannot find any examples of how to issue this refresh token request.

To obtain the token we call something like:

curl -v --data "grant_type=password&username=user&password=pass&client_id=my_client" http://localhost:8080/oauth/token

So to refresh I'd expect the call to look like this:

curl -v --data "grant_type=refresh_token&access_token=THE_ACCESS_TOKEN&refresh_token=THE_REFRESH_TOKEN" http://localhost:8080/oauth/token

or maybe

curl -v -H "Authorization: Bearer THE_ACCESS_TOKEN" --data "grant_type=refresh_token&refresh_token=THE_REFRESH_TOKEN" http://localhost:8080/oauth/token

But it will just give me a 401.

Oh yeah, maybe I need to add the clientId? I cannot use the client secret, because there is none (see above request to obtain the token). Authentication is done using username and password after all.

I think we have the server configuration right, so I'll not post it here. If one of my example requests should work and you need to see the important config parts I'll add them.

Thanks!

Solution

So as I said, we don't use a client secret, because we cannot have that hanging around in the JavaScript client app. And it's not needed anyway, when using the username-password grant. (See the way we request the access token). Indeed I was close to the solution and finally figured it out:

curl -v --data "grant_type=refresh_token&client_id=THE_CLIENT_ID&refresh_token=THE_REFRESH_TOKEN" http://localhost:8080/oauth/token

so no need for the access token or the client secret.

Overall it feels safe enough.

  • We don't store any secret on the client app side.
  • The users always need a password to log in and can only see their resources.
  • We limit the validity of the refresh token to a realistic time like a workday or something so that even if it is compromised the window for an attacker is limited while still allowing the user to conveniently stay connected to the resource server throughout a long session.
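As an added example (not code from the question or the answer above), here is a small Python client that drives the flow the answer arrives at: log in once with the password grant, then, shortly before `expires_in` runs out, refresh with `grant_type=refresh_token` plus `client_id` and `refresh_token` only, no access token and no client secret. A 401 or `invalid_grant` on refresh is treated as "the refresh token has expired or been revoked" and the cached tokens are dropped so the app falls back to the login screen instead of retrying. The token URL and client id mirror the curl calls above; the response fields (`access_token`, `refresh_token`, `expires_in`) are the standard OAuth2 token response. The HTTP transport is injectable so the manager can be exercised without a running server. The refresh-token lifetime itself (the "workday" limit in the answer) is server-side configuration and is not part of this client.

```python
"""Client-side token lifecycle for the password grant with refresh.

Added example; not from the original post. Assumes the token endpoint and
client id used in the curl calls (http://localhost:8080/oauth/token, my_client).
"""
import json
import time
import urllib.error
import urllib.parse
import urllib.request


class AuthError(Exception):
    """The token endpoint refused the request (e.g. 401, or 400 invalid_grant)."""


def post_form(url, fields):
    """POST application/x-www-form-urlencoded fields; return (status, parsed JSON body).

    Never log `fields`: for the password grant they contain the user's password,
    for the refresh grant the refresh token.
    """
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(
        url, data=data, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read().decode() or "{}")
    except urllib.error.HTTPError as err:
        body = err.read().decode()
        try:
            parsed = json.loads(body)
        except ValueError:
            parsed = {"error": "http_error", "error_description": body}
        return err.code, parsed


def password_grant_fields(client_id, username, password):
    """Form fields for the initial login, as in the first curl call."""
    return {"grant_type": "password", "client_id": client_id,
            "username": username, "password": password}


def refresh_grant_fields(client_id, refresh_token):
    """Form fields for the refresh call the answer settled on: no access token, no secret."""
    return {"grant_type": "refresh_token", "client_id": client_id,
            "refresh_token": refresh_token}


class TokenManager:
    REFRESH_MARGIN = 60  # seconds before expiry at which we refresh proactively

    def __init__(self, token_url, client_id, post=post_form, clock=time.time):
        self.token_url = token_url
        self.client_id = client_id
        self.post = post      # injectable transport: (url, fields) -> (status, body)
        self.clock = clock    # injectable clock for deterministic tests
        self.access_token = None
        self.refresh_token = None
        self.expires_at = 0.0

    def _apply(self, status, body):
        if status != 200 or not isinstance(body, dict) or "access_token" not in body:
            desc = body.get("error_description") if isinstance(body, dict) else body
            err = body.get("error") if isinstance(body, dict) else "error"
            raise AuthError(f"{status} {err}: {desc}")
        self.access_token = body["access_token"]
        # Spring only issues a fresh refresh token on refresh if rotation is
        # configured; otherwise keep using the one from login.
        self.refresh_token = body.get("refresh_token", self.refresh_token)
        self.expires_at = self.clock() + int(body.get("expires_in", 0))

    def login(self, username, password):
        self._apply(*self.post(self.token_url,
                               password_grant_fields(self.client_id, username, password)))
        return self.access_token

    def needs_refresh(self, now=None):
        now = self.clock() if now is None else now
        return now >= self.expires_at - self.REFRESH_MARGIN

    def refresh(self):
        if not self.refresh_token:
            raise AuthError("no refresh token cached; user must log in again")
        try:
            self._apply(*self.post(self.token_url,
                                   refresh_grant_fields(self.client_id, self.refresh_token)))
        except AuthError:
            # Refresh token expired or revoked (401 / invalid_grant): forget both
            # tokens so the caller re-authenticates instead of retrying forever.
            self.access_token = self.refresh_token = None
            self.expires_at = 0.0
            raise
        return self.access_token

    def current_token(self):
        """Return a usable access token, refreshing first if close to expiry."""
        if self.needs_refresh():
            self.refresh()
        return self.access_token


if __name__ == "__main__":
    tm = TokenManager("http://localhost:8080/oauth/token", "my_client")
    tm.login("user", "pass")
    print(tm.current_token())
```

In a real client the `current_token()` call sits in front of every resource-server request, so the refresh happens transparently inside the margin; when it raises `AuthError`, the only correct recovery is to show the login form again.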
