Spring Oauth2客户端,自动刷新过期的访问令牌

问题描述 投票:1回答:1

让我解释一下我的用例。

我需要一个spring boot oauth2客户端应用程序(不是资源服务器,因为我们已经有一个单独的资源服务器)。我也有以下要求:

  1. 对于向资源服务器发送的每个请求,我们都需要发送id_token。 (通过自定义resttemplate完成)。

  2. 对于任何请求,无论它是否调用资源服务器,如果访问令牌都已过期,我的应用程序必须自动刷新它(没有任何用户干预,如弹出窗口或重定向。)

  3. 如果refresh_token也过期,则必须注销用户。

问题:

对于第2点和第3点,我花了很多时间阅读文档和代码以及Stack Overflow,但是找不到解决方案(或者不理解)。因此,我决定将在许多博客和文档中发现的所有内容放在一起,并提出解决方案。下面是我针对第2点的解决方案。

  1. 我们能否请看下面的代码,并建议这种方法是否有问题?

    1. 如何解决第3点,我正在考虑扩展第2点的解决方案,但不确定我需要编写什么代码,有人可以指导我吗?
    2. /**
 * 
 * @author agam
 *
 */
@Component
public class ExpiredTokenFilter extends OncePerRequestFilter {

    private static final Logger log = LoggerFactory.getLogger(ExpiredTokenFilter.class);

    private Duration accessTokenExpiresSkew = Duration.ofMillis(1000);

    private Clock clock = Clock.systemUTC();

    @Autowired
    private OAuth2AuthorizedClientService oAuth2AuthorizedClientService;

    @Autowired
    CustomOidcUserService userService;

    private DefaultRefreshTokenTokenResponseClient accessTokenResponseClient;

    private JwtDecoderFactory<ClientRegistration> jwtDecoderFactory;

    private static final String INVALID_ID_TOKEN_ERROR_CODE = "invalid_id_token";

    public ExpiredTokenFilter() {
        super();
        this.accessTokenResponseClient = new DefaultRefreshTokenTokenResponseClient();
        this.jwtDecoderFactory = new OidcIdTokenDecoderFactory();
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
            throws ServletException, IOException {
        log.debug("my custom filter called ");
        /**
         * check if authentication is done.
         */
        if (null != SecurityContextHolder.getContext().getAuthentication()) {
            OAuth2AuthenticationToken currentUser = (OAuth2AuthenticationToken) SecurityContextHolder.getContext()
                    .getAuthentication();
            OAuth2AuthorizedClient authorizedClient = this.oAuth2AuthorizedClientService
                    .loadAuthorizedClient(currentUser.getAuthorizedClientRegistrationId(), currentUser.getName());
            /**
             * Check if token existing token is expired.
             */
            if (isExpired(authorizedClient.getAccessToken())) {

                /*
                 * do something to get new access token
                 */
                log.debug(
                        "=========================== Token Expired !! going to refresh ================================================");
                ClientRegistration clientRegistration = authorizedClient.getClientRegistration();
                /*
                 * Call Auth server token endpoint to refresh token. 
                 */
                OAuth2RefreshTokenGrantRequest refreshTokenGrantRequest = new OAuth2RefreshTokenGrantRequest(
                        clientRegistration, authorizedClient.getAccessToken(), authorizedClient.getRefreshToken());
                OAuth2AccessTokenResponse accessTokenResponse = this.accessTokenResponseClient
                        .getTokenResponse(refreshTokenGrantRequest);
                /*
                 * Convert id_token to OidcToken.
                 */
                OidcIdToken idToken = createOidcToken(clientRegistration, accessTokenResponse);
                /*
                 * Since I have already implemented a custom OidcUserService, reuse existing
                 * code to get new user. 
                 */
                OidcUser oidcUser = this.userService.loadUser(new OidcUserRequest(clientRegistration,
                        accessTokenResponse.getAccessToken(), idToken, accessTokenResponse.getAdditionalParameters()));

                log.debug(
                        "=========================== Token Refresh Done !! ================================================");
                /*
                 * Print old and new id_token, just in case.
                 */
                DefaultOidcUser user = (DefaultOidcUser) currentUser.getPrincipal();
                log.debug("new id token is " + oidcUser.getIdToken().getTokenValue());
                log.debug("old id token was " + user.getIdToken().getTokenValue());
                /*
                 * Create new authentication(OAuth2AuthenticationToken).
                 */
                OAuth2AuthenticationToken updatedUser = new OAuth2AuthenticationToken(oidcUser,
                        oidcUser.getAuthorities(), currentUser.getAuthorizedClientRegistrationId());
                /*
                 * Update access_token and refresh_token by saving new authorized client.
                 */
                OAuth2AuthorizedClient updatedAuthorizedClient = new OAuth2AuthorizedClient(clientRegistration,
                        currentUser.getName(), accessTokenResponse.getAccessToken(),
                        accessTokenResponse.getRefreshToken());
                this.oAuth2AuthorizedClientService.saveAuthorizedClient(updatedAuthorizedClient, updatedUser);
                /*
                 * Set new authentication in SecurityContextHolder.
                 */
                SecurityContextHolder.getContext().setAuthentication(updatedUser);
            }

        }
        filterChain.doFilter(request, response);
    }

    private Boolean isExpired(OAuth2AccessToken oAuth2AccessToken) {
        Instant now = this.clock.instant();
        Instant expiresAt = oAuth2AccessToken.getExpiresAt();
        return now.isAfter(expiresAt.minus(this.accessTokenExpiresSkew));
    }

    private OidcIdToken createOidcToken(ClientRegistration clientRegistration,
            OAuth2AccessTokenResponse accessTokenResponse) {
        JwtDecoder jwtDecoder = this.jwtDecoderFactory.createDecoder(clientRegistration);
        Jwt jwt;
        try {
            jwt = jwtDecoder
                    .decode((String) accessTokenResponse.getAdditionalParameters().get(OidcParameterNames.ID_TOKEN));
        } catch (JwtException ex) {
            OAuth2Error invalidIdTokenError = new OAuth2Error(INVALID_ID_TOKEN_ERROR_CODE, ex.getMessage(), null);
            throw new OAuth2AuthenticationException(invalidIdTokenError, invalidIdTokenError.toString(), ex);
        }
        OidcIdToken idToken = new OidcIdToken(jwt.getTokenValue(), jwt.getIssuedAt(), jwt.getExpiresAt(),
                jwt.getClaims());
        return idToken;
    }
}

我愿意提出任何改进我的代码的建议。谢谢。

让我解释一下我的用例。我需要一个spring boot oauth2客户端应用程序(不是资源服务器,因为我们已经有一个单独的资源服务器)。我也有以下要求:对于每个...

spring-security oauth-2.0 spring-security-oauth2 spring-oauth2
1个回答
0
投票

没有足够的详细信息来完全理解您的用例。很高兴理解:

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.