2013-08-30 88 views
8

Spring OAuth2 - manually creating an access token in the token store

I have a situation where I want to create an access token myself (so not through the usual process). I came up with something like this:

@Inject 
private DefaultTokenServices defaultTokenServices; 

... 

OAuth2Authentication auth = xxx; 
OAuth2AccessToken token = defaultTokenServices.createAccessToken(auth); 

The only problem is that I don't know how to create the OAuth2Authentication (the xxx part in my code). I have the user and client information, and I know which authorities I want to grant to this token.

+0

I actually did this recently; let me know if you still need the code, since this post is a bit old. – Michael

+0

Yes, I'm interested. – checklist

+0

Is that what you were looking for? – Michael

Answers

15

Depending on which flow you use, your use case may differ slightly. This is what the password grant flow does. There are several custom classes here (token store, token enhancer, etc.), but those are really just extended versions of the Spring classes, modified for our own needs.

    HashMap<String, String> authorizationParameters = new HashMap<String, String>();
    authorizationParameters.put("scope", "read");
    authorizationParameters.put("username", "mobile_client");
    authorizationParameters.put("client_id", "mobile-client");
    authorizationParameters.put("grant", "password");

    DefaultAuthorizationRequest authorizationRequest = new DefaultAuthorizationRequest(authorizationParameters);
    authorizationRequest.setApproved(true);

    Set<GrantedAuthority> authorities = new HashSet<GrantedAuthority>();
    authorities.add(new SimpleGrantedAuthority("ROLE_UNTRUSTED_CLIENT"));
    authorizationRequest.setAuthorities(authorities);

    HashSet<String> resourceIds = new HashSet<String>();
    resourceIds.add("mobile-public");
    authorizationRequest.setResourceIds(resourceIds);

    // Create principal and auth token
    User userPrincipal = new User(user.getUserID(), "", true, true, true, true, authorities);

    UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(userPrincipal, null, authorities);

    OAuth2Authentication authenticationRequest = new OAuth2Authentication(authorizationRequest, authenticationToken);
    authenticationRequest.setAuthenticated(true);

    CustomTokenStore tokenStore = new CustomTokenStore();

    // Token Enhancer
    CustomTokenEnhancer tokenEnhancer = new CustomTokenEnhancer(user.getUserID());

    CustomTokenServices tokenServices = new CustomTokenServices();
    tokenServices.setTokenEnhancer(tokenEnhancer);
    tokenServices.setSupportRefreshToken(true);
    tokenServices.setTokenStore(tokenStore);

    OAuth2AccessToken accessToken = tokenServices.createAccessTokenForUser(authenticationRequest, user);

10

Here is how to generate a token using the TokenEndpoint interface (the one used to expose the REST service):

@Inject 
private TokenEndpoint tokenEndpoint; 

public ResponseEntity<?> getToken(Principal principal) { 

     HashMap<String, String> parameters = new HashMap<String, String>(); 
     parameters.put("client_id", "appid"); 
     parameters.put("client_secret", "myOAuthSecret"); 
     parameters.put("grant_type", "password"); 
     parameters.put("password", myUser.getPassword()); 
     parameters.put("scope", "read write"); 
     parameters.put("username", myUser.getLogin()); 

     return tokenEndpoint.getAccessToken(principal, parameters); 
}

4

Another way to generate an OAuth2 access token manually is to use the TokenService instance:

@Autowired 
private AuthorizationServerEndpointsConfiguration configuration; 

@Override 
public String generateOAuth2AccessToken(User user, List<Role> roles, List<String> scopes) { 

    Map<String, String> requestParameters = new HashMap<String, String>(); 
    Map<String, Serializable> extensionProperties = new HashMap<String, Serializable>(); 

    boolean approved = true; 
    Set<String> responseTypes = new HashSet<String>(); 
    responseTypes.add("code"); 

    // Authorities 
    List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>(); 
    for(Role role: roles) 
     authorities.add(new SimpleGrantedAuthority("ROLE_" + role.getName())); 

    OAuth2Request oauth2Request = new OAuth2Request(requestParameters, "clientIdTest", authorities, approved, new HashSet<String>(scopes), new HashSet<String>(Arrays.asList("resourceIdTest")), null, responseTypes, extensionProperties); 

    UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(user.getUsername(), "N/A", authorities); 

    OAuth2Authentication auth = new OAuth2Authentication(oauth2Request, authenticationToken); 

    AuthorizationServerTokenServices tokenService = configuration.getEndpointsConfigurer().getTokenServices(); 

    OAuth2AccessToken token = tokenService.createAccessToken(auth); 

    return token.getValue(); 
}

+0

With this approach we can use the generated access token to access resources, but when the access token expires it will not issue a new access token from the refresh token. It returns "unauthorized client" even though the client details are correct –
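The answers above all boil down to building an OAuth2Request plus a user Authentication and handing the pair to the token services. The example below is added here and is not code from the question or any answer; it assumes spring-security-oauth2 2.x (OAuth2Request, TokenRequest, InMemoryTokenStore in the token.store package), and the client id "mobile-client", resource id "mobile-public" and user "alice" are made-up values. It wires DefaultTokenServices with a ClientDetailsService, which is what lets the minted token keep the registered client's scopes, validity and refresh-grant policy, and then refreshes it the way the token endpoint would.

```java
import java.util.*;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.*;
import org.springframework.security.oauth2.provider.client.BaseClientDetails;
import org.springframework.security.oauth2.provider.client.InMemoryClientDetailsService;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;

public class ManualTokenMint {
    // Hypothetical client id; a real deployment takes it from its own client registry.
    static final String CLIENT_ID = "mobile-client";

    // Token services wired like the token endpoint's: with a ClientDetailsService the client must
    // exist (otherwise NoSuchClientException) and must list "refresh_token" to get a refresh token.
    static DefaultTokenServices tokenServices(ClientDetails client) throws Exception {
        InMemoryClientDetailsService clients = new InMemoryClientDetailsService();
        clients.setClientDetailsStore(Collections.singletonMap(client.getClientId(), client));
        DefaultTokenServices services = new DefaultTokenServices();
        services.setTokenStore(new InMemoryTokenStore());
        services.setClientDetailsService(clients);
        services.setSupportRefreshToken(true);
        services.afterPropertiesSet();
        return services;
    }

    // The OAuth2Authentication the question asks for: scope, resource ids and authorities are
    // pinned explicitly, so the minted token carries no more than the caller intended.
    static OAuth2Authentication buildAuthentication(String username, Set<String> scopes,
                                                   List<GrantedAuthority> authorities) {
        OAuth2Request request = new OAuth2Request(Collections.<String, String>emptyMap(), CLIENT_ID,
                authorities, true, scopes, Collections.singleton("mobile-public"), null, null, null);
        Authentication user = new UsernamePasswordAuthenticationToken(username, "N/A", authorities);
        return new OAuth2Authentication(request, user);
    }

    public static void main(String[] args) throws Exception {
        // resource ids, scopes, authorized grant types and authorities as comma-separated lists
        BaseClientDetails client = new BaseClientDetails(CLIENT_ID, "mobile-public", "read,write",
                "password,refresh_token", "ROLE_CLIENT");
        client.setAccessTokenValiditySeconds(300);
        DefaultTokenServices services = tokenServices(client);
        OAuth2Authentication auth = buildAuthentication("alice",
                new HashSet<String>(Arrays.asList("read")), AuthorityUtils.createAuthorityList("ROLE_USER"));
        OAuth2AccessToken token = services.createAccessToken(auth);
        System.out.println("scope=" + token.getScope() + " expiresIn=" + token.getExpiresIn());
        // Refresh must name the same client id, or DefaultTokenServices rejects the refresh token.
        TokenRequest refresh = new TokenRequest(Collections.<String, String>emptyMap(), CLIENT_ID,
                Collections.singleton("read"), "refresh_token");
        System.out.println("refreshed=" + services.refreshAccessToken(token.getRefreshToken().getValue(), refresh).getValue());
    }
}
```

Wiring the same ClientDetailsService into the token services used for refresh is the part the last comment's setup appears to be missing: without a matching registered client, DefaultTokenServices cannot look up the grant-type and validity policy for the client id stored in the minted OAuth2Request.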