java - 在客户端 Spring Boot 应用程序上配置自定义 OAuth2AccessToken

标签 java spring-boot spring-security-oauth2

授权服务器通常给你的标准 JSON 格式有一个名为“expires_in”的属性,但现在我正在使用一个授权服务器,它给我一个名为“access_token_expires_in”的属性。因此,即使 access_token 已过期,我的 OAuth2AccessToken 总是将 isExpired 返回为 false,这很有意义,因为它正在尝试读取不存在的“expires_in”属性。来自 OAuth2AccessToken 的 getAdditionalInformation 返回我的“access_token_expires_in”属性值 18000。

我想知道我是否可以告诉 spring 使用“access_token_expires_in”属性作为我的 access_token 的过期值?

我的代码:

@Configuration
class OAuth2RestConfiguration {
    @Bean
    protected OAuth2ProtectedResourceDetails resource() {

        final ClientCredentialsResourceDetails resourceDetails = new ClientCredentialsResourceDetails();
        resourceDetails.setAccessTokenUri("<tokenUri>");
        resourceDetails.setClientId("<clientId>");
        resourceDetails.setClientSecret("<clientSecret>");

        return resourceDetails;
    }

    @Bean
    public OAuth2RestTemplate restTemplate() throws Exception {
        final AccessTokenRequest atr = new DefaultAccessTokenRequest();
        final OAuth2RestTemplate oAuth2RestTemplate = new OAuth2RestTemplate(resource(),
                new DefaultOAuth2ClientContext(atr));

        return oAuth2RestTemplate;
    }
}

授权服务器响应示例:

{
    "refresh_token_expires_in": 0,
    "access_token": "<access_token>",
    "access_token_expires_in": 18000,
    "token_type": "bearer"
}

编辑 1: 作为解决方法,我扩展了 OAuth2RestTemplate 类并覆盖了 getAccessToken 方法:

public class CustomOAuth2RestTemplate extends OAuth2RestTemplate {

    private static final Logger LOGGER = LoggerFactory.getLogger(CustomOAuth2RestTemplate.class);

    private OAuth2ClientContext context;
    private Long LAST_RESET = getCurrentTimeSeconds();
    private Long FORCE_EXPIRATION;

    public CustomOAuth2RestTemplate(OAuth2ProtectedResourceDetails resource) {
        super(resource);
        this.context = super.getOAuth2ClientContext();
        this.FORCE_EXPIRATION = 10800L;
    }

    public CustomOAuth2RestTemplate(OAuth2ProtectedResourceDetails resource,
            DefaultOAuth2ClientContext defaultOAuth2ClientContext, Long forceExpiration) {
        super(resource, defaultOAuth2ClientContext);
        this.context = defaultOAuth2ClientContext;
        this.FORCE_EXPIRATION = Objects.requireNonNull(forceExpiration, "Please set expiration!");
    }

    @Override
    public OAuth2AccessToken getAccessToken() throws UserRedirectRequiredException {

        OAuth2AccessToken accessToken = context.getAccessToken();

        final Long diff = getCurrentTimeSeconds() - LAST_RESET;

        /* 
        Either use a hardcoded variable or use the value stored in
        context.getAccessToken().getAdditionalInformation().
        */
        if (diff > FORCE_EXPIRATION) {
            LOGGER.info("Access token has expired! Generating new one...");
            this.LAST_RESET = getCurrentTimeSeconds();
            context.setAccessToken(null);
            accessToken = acquireAccessToken(context);
        } else {
            accessToken = super.getAccessToken();
        }

        LOGGER.info("Access token: " + context.getAccessToken().getValue());

        return accessToken;
    }

    private Long getCurrentTimeSeconds() {
        return System.currentTimeMillis() / 1000L;
    }

}

现在是 bean :

@Bean
public OAuth2RestTemplate restTemplate() throws Exception {
    final AccessTokenRequest atr = new DefaultAccessTokenRequest();
    final OAuth2RestTemplate oAuth2RestTemplate = new CustomOAuth2RestTemplate(resource(),
            new DefaultOAuth2ClientContext(atr), 10800L); //example: 3h
    oAuth2RestTemplate.setRequestFactory(customRequestFactory());

    return oAuth2RestTemplate;
}

编辑 2: 在我对OAuth2RestTemplate类进行更深入的分析后,需要进行代码重构:

public class CustomOAuth2RestTemplate extends OAuth2RestTemplate {

    private static final Logger LOGGER = LoggerFactory.getLogger(CustomOAuth2RestTemplate.class);
    private Long LAST_RESET = getCurrentTimeSeconds();
    private Long FORCE_EXPIRATION;

    public CustomOAuth2RestTemplate(OAuth2ProtectedResourceDetails resource) {
        super(resource);
        this.FORCE_EXPIRATION = 10800L; //3h
    }

    public CustomOAuth2RestTemplate(OAuth2ProtectedResourceDetails resource,
            DefaultOAuth2ClientContext defaultOAuth2ClientContext, Long forceExpiration) {
        super(resource, defaultOAuth2ClientContext);
        this.FORCE_EXPIRATION = Objects.requireNonNull(forceExpiration, "Please set expiration!");
    }

    @Override
    public OAuth2AccessToken getAccessToken() throws UserRedirectRequiredException {
        final Long diff = getCurrentTimeSeconds() - LAST_RESET;

        /* 
        Either use a hardcoded variable or use the value stored in
        context.getAccessToken().getAdditionalInformation().
        */
        if (diff > FORCE_EXPIRATION) {
            LOGGER.info("Access token has expired! Generating new one...");
            this.LAST_RESET = getCurrentTimeSeconds();
            final OAuth2ClientContext oAuth2ClientContext = getOAuth2ClientContext();
            oAuth2ClientContext.setAccessToken(null);
            return acquireAccessToken(oAuth2ClientContext);
        }
        return super.getAccessToken();
    }

    private Long getCurrentTimeSeconds() {
        return System.currentTimeMillis() / 1000L;
    }

}

最佳答案

您可以通过实现 TokenEnhancer 接口(interface)并重写其方法来添加自定义参数,如下所示:

import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.TokenEnhancer;
public class CustomTokenEnhancer implements TokenEnhancer {

    @Override
    public OAuth2AccessToken enhance(OAuth2AccessToken accessToken, OAuth2Authentication authentication) {
        final Map<String, Object> additionalInfo = new HashMap<>();

//      additionalInfo.put("CUSTOM_PARAM1", "CUSTOM_VALUE1");
        additionalInfo.put("username", authentication.getPrincipal());//adding username param


        ((DefaultOAuth2AccessToken) accessToken).setAdditionalInformation(additionalInfo);
        return accessToken;
    }

}





@Configuration
@EnableAuthorizationServer
public class OAuth2AuthorizationServerConfig extends     
     AuthorizationServerConfigurerAdapter {

@Override
public void configure(final AuthorizationServerEndpointsConfigurer 
 endpoints) throws Exception {
    final TokenEnhancerChain tokenEnhancerChain = new TokenEnhancerChain();
    tokenEnhancerChain.setTokenEnhancers(Arrays.asList(tokenEnhancer()));
    endpoints.tokenStore(tokenStore)                
 .tokenEnhancer(tokenEnhancerChain).authenticationManager(authenticationManager);

}

@Bean
public TokenEnhancer tokenEnhancer() {
    return new CustomTokenEnhancer();
}

希望对您有所帮助!

关于java - 在客户端 Spring Boot 应用程序上配置自定义 OAuth2AccessToken,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/47205954/

上一篇:java - 为什么在 equals 中使用的所有字段也应该在 hashcode 中使用?

下一篇:java - 使用 `destroyMethod` 或 `close()` 方法在 bean 返回类型上设置 `shutdown()`

相关文章:

spring-boot - Zuul 网关 - setSendZuulResponse & removeRouteHost

java - 无法将名称 [org.hibernate.spatial.dialect.postgis.PostgisDialect] 解析为策略 [org.hibernate.dialect.Dialect]

java - (无)参数构造函数的最佳方法 - ResponseBody - Spring

java - 是否可以通过 RMI 或其他网络技术远程调用 Swing Listener 的方法?

java - 如何将我的自定义编译器添加到 eclipse 中?

java - 使用 Spring security oauth,使用自定义 OAuth 提供程序,我得到 [authorization_request_not_found],我应该自己处理回调方法吗?

java - 如何使用动态 URL 匹配器配置配置 Spring security Oauth 2.0?

java - 盐渍 SHA 类型中的 Spring LDAP 身份验证错误凭据密码

java - 从 spring-boot 应用程序到 JBoss EAP6 HornetQ 主题的 JMS 连接失败

spring-security - 社交登录,spring-security-oauth2 和 spring-security-jwt?

©2024 IT工具网  联系我们