2017-07-14 272 views

我正在創建一個 spring-boot-oauth2 項目,想撤銷客戶端的訪問令牌,但 JwtTokenStore.findTokensByClientId(clientId) 總是返回空集合。以下是我的 OAuth2 配置:

/**
 * Authorization-server setup that issues JWT access and refresh tokens signed
 * with a key pair loaded from a classpath keystore, for a single in-memory client.
 *
 * <p>Review notes for anyone reusing this configuration:
 * <ul>
 *   <li>The keystore password and the client secret are literals in source; both
 *       belong in external, access-controlled configuration.</li>
 *   <li>{@code JwtTokenStore} keeps no record of issued tokens, so lookups by client
 *       id come back empty and removals have nothing to delete. A signed token stays
 *       usable until it expires unless a persistent store or deny-list is added.</li>
 * </ul>
 */
@Configuration
@EnableAuthorizationServer
public class OAuth2AuthorizationConfig extends AuthorizationServerConfigurerAdapter {

    @Autowired
    private AuthenticationManager authenticationManager;

    @Autowired
    private ClientDetailsService clientDetailsService;

    /**
     * Token store that only encodes and decodes JWTs through the converter bean.
     * It does not persist tokens, which is why per-client listing and revocation
     * have no effect with this store.
     */
    @Bean
    public JwtTokenStore tokenStore() {
        return new JwtTokenStore(jwtAccessTokenConverter());
    }

    /**
     * Enhancer chain applied to every issued token: a fresh CustomTokenEnhancer
     * followed by the signing converter bean.
     */
    @Bean
    public TokenEnhancerChain tokenEnhancerChain() {
        final TokenEnhancerChain chain = new TokenEnhancerChain();
        // NOTE(review): CustomTokenEnhancer is also the type of the signing converter
        // below, but this extra instance never gets a key pair set here - confirm it
        // only contributes claims and does not encode the token itself.
        chain.setTokenEnhancers(Arrays.asList(new CustomTokenEnhancer(), jwtAccessTokenConverter()));
        return chain;
    }

    /**
     * Primary token services: JWT store, enhancer chain, client lookup, and
     * refresh-token support enabled.
     */
    @Bean
    @Primary
    public AuthorizationServerTokenServices tokenServices() {
        final DefaultTokenServices services = new DefaultTokenServices();
        services.setTokenStore(tokenStore());
        services.setTokenEnhancer(tokenEnhancerChain());
        services.setClientDetailsService(clientDetailsService);
        // Refresh tokens are issued as well; with the JWT store they cannot be withdrawn either.
        services.setSupportRefreshToken(true);
        return services;
    }

    /**
     * Converter that signs tokens with the "myapp-authkey" key pair from keystore.jks.
     */
    @Bean
    public JwtAccessTokenConverter jwtAccessTokenConverter() {
        // SECURITY: the keystore ships on the classpath and its password is a source
        // literal, so anyone holding the artifact or the repository can extract the
        // signing key. Load the password (and ideally the keystore) from external config.
        final char[] keystorePassword = "secret".toCharArray();
        final KeyStoreKeyFactory keyFactory =
                new KeyStoreKeyFactory(new ClassPathResource("keystore.jks"), keystorePassword);
        final KeyPair signingKeys = keyFactory.getKeyPair("myapp-authkey");

        final JwtAccessTokenConverter signer = new CustomTokenEnhancer();
        signer.setKeyPair(signingKeys);
        return signer;
    }

    /**
     * Registers the single backend client in memory.
     */
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        // @formatter:off
        // register for backend application
        // SECURITY: "secret" is a placeholder-grade client secret committed to source;
        // supply a strong value from external configuration instead.
        // autoApprove(true) skips the user consent step for the authorization_code grant.
        clients.inMemory()
            .withClient("myclient-backend")
            .secret("secret")
            .authorizedGrantTypes("password", "authorization_code", "refresh_token")
            .authorities("ROLE_TRUSTED_CLIENT")
            .scopes("read", "write", "update", "delete")
            .accessTokenValiditySeconds(1800)   // access token lifetime: 30 minutes
            .refreshTokenValiditySeconds(3600)  // refresh token lifetime: 1 hour
            .autoApprove(true)
            ;
        // @formatter:on
    }

    /**
     * Wires the token services, store, authentication manager and JWT converter
     * into the authorization endpoints.
     */
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        // @formatter:off
        endpoints.tokenServices(tokenServices())
            .tokenStore(tokenStore())
            .authenticationManager(authenticationManager)
            .accessTokenConverter(jwtAccessTokenConverter());
        // @formatter:on
    }

    /**
     * Sets the access rules for the token-key and check-token endpoints.
     */
    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
        // @formatter:off
        // Anonymous callers may fetch the token key; with the key pair configured in
        // this class that is the public verification key. Revisit this rule if the
        // converter is ever switched to a shared (symmetric) signing key.
        oauthServer.tokenKeyAccess("isAnonymous() || isRememberMe() || hasAuthority('ROLE_TRUSTED_CLIENT')")
            .checkTokenAccess("isAuthenticated() and hasAuthority('ROLE_TRUSTED_CLIENT')")
            .realm("mysecurityRealm");
        // @formatter:on
    }

}

當我嘗試用如下代碼,根據 clientId 從 tokenStore 獲取訪問令牌時:

// Token store used below for lookups and removal. The injection point names the
// concrete JwtTokenStore type, so it only resolves while the tokenStore bean is a
// JwtTokenStore. That store does not persist issued tokens.
@Autowired 
private JwtTokenStore tokenStore; 
// Service whose revokeToken(...) is called by the revocation endpoint below.
@Autowired 
private ConsumerTokenServices consumerTokenServices; 

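/**
 * Revokes the access token supplied in the {@code access_token} request parameter.
 *
 * <p>The token is passed to {@code consumerTokenServices.revokeToken} and then, if the
 * store can read it, removed from the token store as well. With a store that does
 * not persist tokens (such as JwtTokenStore) neither step invalidates an already
 * issued, signed token; it stays usable until it expires.
 *
 * @param accessToken the raw access token value to revoke
 * @return a map with the single key {@code removed_access_token} echoing the input;
 *         it is returned whether or not anything was actually removed
 */
@RequestMapping(value = "/invalidateTokens", method = RequestMethod.POST)
public @ResponseBody Map<String, String> revokeAccessToken(@RequestParam(name = "access_token") String accessToken) {
    // Bearer tokens are credentials: the token value is deliberately kept out of the
    // info-level log, where it could be replayed by anyone with log access.
    logger.info("Invalidating access token");
    String clientId = "myclient-backend";
    Collection<OAuth2AccessToken> tokens = tokenStore.findTokensByClientId(clientId);
    // Diagnostic only: the collection's string form may include token values, so keep
    // debug logging for this class disabled outside local troubleshooting.
    logger.debug("Listing all active tokens for clientId '" + clientId + "'" + tokens);

    // NOTE(review): revokeToken's result is not checked, so the response below does
    // not tell the caller whether a token was really revoked.
    consumerTokenServices.revokeToken(accessToken);

    OAuth2AccessToken storedToken = tokenStore.readAccessToken(accessToken);
    if (storedToken != null) {
        tokenStore.removeAccessToken(storedToken);
    }
    Map<String, String> ret = new HashMap<>();
    ret.put("removed_access_token", accessToken);
    return ret;
}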

它總是輸出空數組,如下:

Listing all active tokens for clientId 'myclient-backend'[] 

我缺少什麼配置?

回答


對不起……我應該用更簡單的方式配置 TokenStore:JwtTokenStore 本身不保存已簽發的令牌,所以 findTokensByClientId 查不到任何結果;改用內存存儲就足夠了。

/**
 * Token store that keeps issued tokens in this process's memory, so they can be
 * listed per client and removed on revocation.
 *
 * <p>Being in-memory, the stored tokens disappear on restart and are not shared
 * between server instances. NOTE(review): if resource servers accept tokens by
 * verifying the JWT signature locally, without asking this store, a removed token
 * would presumably still be accepted there until it expires - confirm how tokens
 * are validated before relying on this for revocation.
 */
@Bean
public TokenStore tokenStore() {
    final TokenStore inMemoryStore = new InMemoryTokenStore();
    return inMemoryStore;
}