
我正嘗試使用 Spring Boot 和 Spring Security 來創建 REST API。以下是我為獲取授權令牌所做的代碼變更細節：刷新令牌沒有在 Spring 的 /oauth/token 響應中返回。

1] AuthorizationServerConfig

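/**
 * Authorization-server half of the OAuth2 setup: the token endpoint, the token store,
 * the approval handling and the single in-memory client.
 *
 * <p>On refresh tokens: the client below is allowed the {@code refresh_token} grant, but a
 * refresh token is only issued alongside a grant that authenticates a resource owner
 * (e.g. {@code password}). A {@code client_credentials} request authenticates only the
 * client and never receives a refresh token, so its absence in that response is expected.
 */
@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    // Injected from elsewhere (presumably the web-security configuration that exposes an
    // AuthenticationManager bean — verify). AuthorizationServerConfigurerAdapter has no
    // authenticationManagerBean(), so the former @Override/@Bean of that name could not
    // compile and was dropped.
    @Autowired
    private AuthenticationManager authenticationManager;

    @Autowired
    private TokenStore tokenStore;

    @Autowired
    private UserApprovalHandler userApprovalHandler;

    // Used by userApprovalHandler() but was never declared. @EnableAuthorizationServer
    // registers a ClientDetailsService backed by the in-memory clients configured below.
    @Autowired
    private ClientDetailsService clientDetailsService;

    /**
     * Wires the token endpoint to the token store, the approval handler and the
     * authentication manager that validates resource-owner credentials for the
     * {@code password} grant.
     */
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.tokenStore(tokenStore)
            .userApprovalHandler(userApprovalHandler)
            .authenticationManager(authenticationManager);
    }

    /**
     * Registers the single client. The plain-text secret and {@code autoApprove(true)} are
     * development-only settings: the secret should be externalised for any real deployment,
     * and auto-approval skips the consent step for every scope.
     */
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            .withClient("my-trusted-client")
            // refresh_token is listed, but a refresh token is only issued with the
            // password grant, never with client_credentials.
            .authorizedGrantTypes("client_credentials", "password", "refresh_token")
            .authorities("ROLE_CLIENT")
            .scopes("read", "write", "trust")
            .secret("secret")
            .accessTokenValiditySeconds(5000)
            .refreshTokenValiditySeconds(6000)
            .autoApprove(true);
    }

    /** Restricts {@code /oauth/check_token} to authenticated callers. */
    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        security.checkTokenAccess("isAuthenticated()");
    }

    /** In-memory token store; tokens are lost on restart and not shared across instances. */
    @Bean
    public TokenStore tokenStore() {
        return new InMemoryTokenStore();
    }

    /**
     * Approval handler that records approvals as tokens in the given store.
     *
     * @param tokenStore the store shared with the token endpoint
     */
    @Bean
    @Autowired
    public TokenStoreUserApprovalHandler userApprovalHandler(TokenStore tokenStore) {
        TokenStoreUserApprovalHandler handler = new TokenStoreUserApprovalHandler();
        handler.setTokenStore(tokenStore);
        handler.setRequestFactory(new DefaultOAuth2RequestFactory(clientDetailsService));
        handler.setClientDetailsService(clientDetailsService);
        return handler;
    }

    /**
     * Approval store derived from the token store, so approvals live exactly as long as
     * the tokens that carry them.
     *
     * @param tokenStore the store shared with the token endpoint
     */
    @Bean
    @Autowired
    public ApprovalStore approvalStore(TokenStore tokenStore) throws Exception {
        TokenApprovalStore store = new TokenApprovalStore();
        store.setTokenStore(tokenStore);
        return store;
    }

}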

2] ResourceServerConfig

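/**
 * Resource-server half of the OAuth2 setup: identifies this API to the token checker and
 * declares which paths require a bearer token.
 */
@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    // Tokens that declare resource ids must include this one to be accepted here.
    private static final String RESOURCE_ID = "my_rest_api";

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        // stateless(false) keeps an HTTP session alongside bearer tokens; a pure token API
        // would normally use stateless(true). Kept as the author configured it.
        resources.resourceId(RESOURCE_ID).stateless(false);
    }

    /**
     * Path rules. Previously only {@code /register} and {@code /ex/**} had a rule, so any
     * other path fell through with no authorization constraint at all; the trailing
     * {@code anyRequest().authenticated()} makes the server default-deny instead.
     */
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.headers()
                .frameOptions().disable()   // no X-Frame-Options header is sent for this API
                .and()
            .authorizeRequests()
                .antMatchers("/register").permitAll()
                .antMatchers("/ex/**").authenticated()
                .anyRequest().authenticated();
    }

}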

3] MethodSecurityConfig

/**
 * Turns on {@code @PreAuthorize}/{@code @PostAuthorize} method security with an
 * OAuth2-aware expression handler.
 */
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true, proxyTargetClass = true)
public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {

    // Never read; presumably injected only so the web-security configuration is
    // initialised before method security — confirm against OAuth2SecurityConfiguration.
    @SuppressWarnings("unused")
    @Autowired
    private OAuth2SecurityConfiguration webSecurityConfig;

    /** Supplies the OAuth2 expression handler used by the pre/post-authorize annotations. */
    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        MethodSecurityExpressionHandler oauthHandler = new OAuth2MethodSecurityExpressionHandler();
        return oauthHandler;
    }
}

當我通過 Postman 提出請求時，返回以下響應：

請求網址（GET）：

http://localhost:8090/oauth/token?grant_type=client_credentials&username=sr7&password=aA$gm12 

響應：

{ 
    "access_token": "6e55f38f-4aad-4e84-97d2-24b30d39bf5e", 
    "token_type": "bearer", 
    "expires_in": 4999, 
    "scope": "read write trust" 
} 

請幫我找出我在這裏做錯了什麼，導致我無法在響應中獲取刷新令牌。

在此先感謝。


嘗試使用 `grant_type=password` 代替 client_credentials –


嗨 Prasanna，我試過把授予類型設為 password，但它拋出「無效授予類型」的錯誤 – SrikR


可以告訴我請求中使用的 Content-Type 嗎？它必須是 'application/x-www-form-urlencoded' –

回答


根據規範，在「客戶端憑據（client_credentials）」授予類型的情況下，通常（規範的用語是「不應」）不會頒發刷新令牌。引用 @chenrui 的這個回答：

client_credentials OAuth向服務器授予對機器對機器驗證的需求,因此不需要刷新令牌。

因此，在 Spring Security OAuth 中，ClientCredentialsAccessTokenProvider 的 supportsRefresh 方法返回 false，refreshToken 方法返回 null。

在「客戶端憑證」授予中，只使用客戶端憑證本身來獲取訪問令牌。

推薦閱讀: