Spring OAuth2 不提供刷新令牌

Posted 2023-02-27

【中文标题】Spring OAuth2 不提供刷新令牌

【英文标题】：Spring OAuth2 not giving refresh token

【发布时间】：2015-08-31 07:10:08

【问题描述】：

我正在使用 Spring 和“密码”授权类型运行 OAuth 提供程序。

运行这个（提供程序在端口 8080 上）：

curl -u "app:appclientsecret" "http://localhost:8080/oauth/token" --data "grant_type=password&username=marissa&password=koala"

返回：

"access_token":"56da4d2b-7e66-483e-b88d-c1a58ee5a453","token_type":"bearer","expires_in":43199,"scope":"read"

由于某种原因，没有刷新令牌。我知道根据spec，刷新令牌是可选的；有什么方法可以让我错过吗？

作为参考，这里是我的提供者代码：

@SpringBootApplication
public class Provider 
    public static void main(String... args) 
        System.setProperty("server.port", "8080");

        SpringApplication.run(Provider.class, args);
    

    @Configuration
    @EnableWebSecurity
    static class SecurityConfiguration extends WebSecurityConfigurerAdapter 
        private final UserStoreType type = UserStoreType.IN_MEMORY;

        enum UserStoreType 
            IN_MEMORY,
        

        @Autowired
        public void globalUserDetails(AuthenticationManagerBuilder auth) throws Exception 
            switch(type) 
                case IN_MEMORY:
                    System.err.println("Setting up user creds..");

                    auth.inMemoryAuthentication()
                            .withUser("marissa").password("koala").roles("USER")
                            .and()
                            .withUser("admin").password("topsecret").roles("USER", "ADMIN");

                    break;
            
        

        @Override
        protected void configure(HttpSecurity http) throws Exception 
    

    @Configuration
    @EnableAuthorizationServer
    static class OAuthConfig extends AuthorizationServerConfigurerAdapter 
        @Autowired
        private AuthenticationManager authenticationManager;

        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception 
            endpoints.tokenStore(new InMemoryTokenStore()).authenticationManager(authenticationManager);
        

        @Override
        public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception 
            oauthServer.checkTokenAccess("permitAll()");
        

        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception 
            clients.inMemory()
                    .withClient("resource-serv")
                    .scopes("read")
                    .resourceIds("my-resource")
                    .secret("secret123")
                    .and()
                    .withClient("app")
                    .authorizedGrantTypes("client_credentials", "password")
                    .scopes("read")
                    .resourceIds("my-resource")
                    .secret("appclientsecret");
        
    

【参考方案1】：

客户端需要authorizedGrantType "refresh_token"。

试试这个

  @Override
            public void configure(ClientDetailsServiceConfigurer clients) throws Exception 
                clients.inMemory()
                        .withClient("resource-serv")
                        .scopes("read")
                        .resourceIds("my-resource")
                        .secret("secret123")
                        .and()
                        .withClient("app")
                        .authorizedGrantTypes("client_credentials", "password", "refresh_token")
                        .scopes("read")
                        .resourceIds("my-resource")
                        .secret("appclientsecret");
            

【讨论】：

已修复。我只需要将 tokenServices.setSupportRefreshToken(true); 添加到我的令牌服务中。