Request new access token using refresh token in username-password grant in Spring Security OAuth2

Disclaimer: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, licensed under CC BY-SA 4.0. If you use it you must follow the same CC BY-SA license, credit the original URL and author information, and attribute it to the original author (not me). StackOverflow original: http://stackoverflow.com/questions/19655911/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me): StackOverFlow

Date: 2020-09-08 06:19:53  Source: igfitidea

Request new access token using refresh token in username-password grant in Spring Security OAuth2

Tags: spring, spring-security, oauth-2.0, access-token, spring-security-oauth2

Asked by Pete

We're using the username-password grant to obtain an access token from our auth server. We want to refresh the access token before it expires using the provided refresh token until the user logs out or closes the client app.


However, I just cannot find any examples of how to issue this refresh token request.

To obtain the token we call something like:


curl -v --data "grant_type=password&username=user&password=pass&client_id=my_client" http://localhost:8080/oauth/token

So to refresh I'd expect the call to look like this:


curl -v --data "grant_type=refresh_token&access_token=THE_ACCESS_TOKEN&refresh_token=THE_REFRESH_TOKEN" http://localhost:8080/oauth/token

or maybe


curl -v -H "Authorization: Bearer THE_ACCESS_TOKEN" --data "grant_type=refresh_token&refresh_token=THE_REFRESH_TOKEN" http://localhost:8080/oauth/token

But it will just give me a 401.

Oh yeah, maybe I need to add the clientId? I cannot use the client secret, because there is none (see above request to obtain the token). Authentication is done using username and password after all.

I think we have the server configuration right, so I'll not post it here. If one of my example requests should work and you need to see the important config parts I'll add them.


Thanks!


Answered by Pete

So as I said, we don't use a client secret, because we cannot have that hanging around in the JavaScript client app. And it's not needed anyway, when using the username-password grant. (See the way we request the access token.) Indeed I was close to the solution and finally figured it out:

curl -v --data "grant_type=refresh_token&client_id=THE_CLIENT_ID&refresh_token=THE_REFRESH_TOKEN" http://localhost:8080/oauth/token

so no need for the access token or the client secret.

Overall it feels safe enough.

  • We don't store any secret on the client app side.
  • The users always need a password to log in and can only see their resources.
  • We limit the validity of the refresh token to a realistic time like a workday or something so that even if it is compromised the window for an attacker is limited while still allowing the user to conveniently stay connected to the resource server throughout a long session.
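As an added example (not part of Pete's answer, nor code from Spring Security OAuth2 itself), a small JavaScript public-client token manager that performs the password grant and then refreshes ahead of expiry with exactly the request above: `grant_type`, `client_id` and `refresh_token`, no client secret and no access token. The token endpoint is a constructed in-memory stub standing in for `http://localhost:8080/oauth/token`; that it rotates the refresh token on every use is an assumption of the stub, not something the post states.

```javascript
// Added example (not from the original post): a public-client token manager for the
// password grant described above, using the refresh request Pete arrived at
// (grant_type, client_id, refresh_token only; no client_secret, no access_token).
const CLIENT_ID = 'my_client'; // the public client id used in the question's curl call

// Constructed stub standing in for http://localhost:8080/oauth/token (runs offline).
function makeStubTokenEndpoint() {
  const valid = new Set(); // refresh tokens that are still redeemable
  let n = 0;
  return function tokenEndpoint(body) { // body: URLSearchParams, as curl --data would send
    if (body.get('client_id') !== CLIENT_ID) return { status: 401, error: 'invalid_client' }; // the 401 from the question
    const grant = body.get('grant_type');
    if (grant === 'password') {
      if (body.get('username') !== 'user' || body.get('password') !== 'pass') return { status: 400, error: 'invalid_grant' };
    } else if (grant === 'refresh_token') {
      const rt = body.get('refresh_token');
      if (!valid.has(rt)) return { status: 400, error: 'invalid_grant' }; // expired, revoked or replayed
      valid.delete(rt); // assumption: refresh tokens rotate, so a leaked old one cannot be replayed
    } else return { status: 400, error: 'unsupported_grant_type' };
    n += 1;
    valid.add(`rt-${n}`);
    return { status: 200, access_token: `at-${n}`, refresh_token: `rt-${n}`, expires_in: 3600 };
  };
}

class TokenManager {
  constructor(endpoint, now = () => Date.now()) { this.endpoint = endpoint; this.now = now; this.tokens = null; }
  login(username, password) { // grant_type=password, exactly as the curl in the question
    return this.store(this.endpoint(new URLSearchParams({ grant_type: 'password', username, password, client_id: CLIENT_ID })));
  }
  refresh() { // the working request from the answer: no access_token, no client_secret
    if (!this.tokens) throw new Error('not logged in');
    const res = this.endpoint(new URLSearchParams({ grant_type: 'refresh_token', client_id: CLIENT_ID, refresh_token: this.tokens.refreshToken }));
    if (res.status !== 200) { this.tokens = null; return false; } // refresh token no longer valid: drop the session
    this.store(res);
    return true;
  }
  store(res) {
    if (res.status !== 200) throw new Error(`token request failed: ${res.error}`);
    this.tokens = { accessToken: res.access_token, refreshToken: res.refresh_token, expiresAt: this.now() + res.expires_in * 1000 };
    return this.tokens;
  }
  // Returns a usable access token, refreshing shortly before expiry (skewMs) rather than after a 401.
  accessToken(skewMs = 60000) {
    if (!this.tokens) throw new Error('not logged in');
    if (this.now() >= this.tokens.expiresAt - skewMs && !this.refresh()) throw new Error('session expired, log in again');
    return this.tokens.accessToken;
  }
}
```

Calling `accessToken()` before every resource request keeps the user connected for the refresh token's lifetime, and a failed refresh (expired or replayed token) forces a fresh login instead of silently retrying.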

Answered by MattSenter

For the password grant_type, a clientId and clientSecret are required. You were close with your third attempt, but you pass the Base64-encoded clientId and clientSecret instead of the Access Token in the Authorization header. This is the proper refresh token request:


curl -H "Authorization: Basic [base64encode(clientId:clientSecret)]" "https://yourdomain.com/oauth/token?grant_type=refresh_token&refresh_token=[yourRefreshToken]"

For a good reference, check this out: http://techblog.hybris.com/2012/06/11/oauth2-resource-owner-password-flow/
