英文:
Must Generate same token unless it expired
问题
"spring authorization server" 默认情况下,每个请求生成唯一的令牌。但要求在前一个令牌尚未过期时生成相同的令牌,如果已过期,则必须生成新的令牌。这是否可能?
英文:
As default in spring authorization server it generate unique token each request.
But the requirement is to generate same token if the previous token is still not expired, and if expired must generate new token.
Is this even possible?
RegisteredClient
.withId(UUID.randomUUID().toString())
.clientId("client")
.clientSecret("{noop}secret")
.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
.authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
.clientSettings(ClientSettings.builder()
.tokenEndpointAuthenticationSigningAlgorithm(SignatureAlgorithm.RS256)
.build())
.tokenSettings(TokenSettings.builder()
.accessTokenFormat(OAuth2TokenFormat.SELF_CONTAINED)
.idTokenSignatureAlgorithm(SignatureAlgorithm.RS256)
.accessTokenTimeToLive(Duration.ofMinutes(30))
.build())
.scope("read")
.build();
public OAuth2AuthorizationService authorizationService() {
return new InMemoryOAuth2AuthorizationService();
}
答案1
得分: 1
在Spring Authorization Server中,每个请求生成访问令牌是默认行为,与OAuth 2.0规范一致。
但是,如果您有特定要求,希望只要访问令牌未过期就生成相同的令牌,您可以实现自定义解决方案。
以下是一种方法:
-
创建一个自定义实现
OAuth2TokenGenerator接口的类,用于生成和管理访问令牌。您可以扩展Spring Authorization Server提供的现有DefaultOAuth2TokenGenerator类。 -
在您的自定义令牌生成器实现中,重写
generateAccessToken()方法。在这个方法中,检查是否已经有一个有效的(未过期的)访问令牌可用。如果有,返回现有的令牌,而不是生成一个新的。否则,委托给超类(DefaultOAuth2TokenGenerator)生成新的访问令牌。 -
在您的Spring应用程序上下文中将您的自定义令牌生成器配置为
OAuth2TokenGenerator的bean。 -
确保
OAuth2AuthorizationService使用您的自定义令牌生成器,方法是创建一个OAuth2AuthorizationService类型的bean,并返回一个已注入您的自定义令牌生成器的DefaultOAuth2AuthorizationService实例。
当然,请注意,实施这样的自定义逻辑偏离了标准的OAuth 2.0行为,可能会引入安全风险或违反协议的原则。
英文:
In Spring Authorization Server, the generation of access token for each request is the default behavior and aligns with the OAuth 2.0 specification.
However, if you have a specific requirement to generate the same token as long as it's not expired, you can implement a custom solution.
Here's one approach:
-
Create a custom implementation of
OAuth2TokenGeneratorinterface to generate and manage access tokens. You can extend the existingDefaultOAuth2TokenGeneratorclass provided by Spring Authorization Server. -
Override the
generateAccessToken()method in your custom token generator implementation. Within this method, check if there is a valid (not expired) access token already available. If so, return the existing token instead of generating a new one. Otherwise, delegate to the superclass (DefaultOAuth2TokenGenerator) to generate a new access token. -
Configure your custom token generator as the bean for
OAuth2TokenGeneratorin your Spring application context. -
Ensure that the
OAuth2AuthorizationServiceuses your custom token generator by creating a bean of typeOAuth2AuthorizationServiceand returning an instance ofDefaultOAuth2AuthorizationServicewith your custom token generator injected.
Of course note that implementing such custom logic deviates from the standard OAuth 2.0 behavior and maybe introduce security risks or violate the protocol's principles.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论