Must generate the same token unless it has expired.

English:

Must Generate same token unless it expired

Question

By default, Spring Authorization Server generates a unique token for every request. The requirement, however, is to return the same token while the previous one has not yet expired, and to generate a new token only once it has expired. Is this possible at all?

English:

As default in Spring Authorization Server it generates a unique token each request.
But the requirement is to generate same token if the previous token is still not expired, and if expired must generate new token.
Is this even possible?


```java
import java.time.Duration;
import java.util.UUID;
import org.springframework.context.annotation.Bean;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.server.authorization.InMemoryOAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.settings.ClientSettings;
import org.springframework.security.oauth2.server.authorization.settings.OAuth2TokenFormat;
import org.springframework.security.oauth2.server.authorization.settings.TokenSettings;

// Client registration: client_credentials grant with self-contained (JWT) access tokens
// that live for 30 minutes.
RegisteredClient registeredClient = RegisteredClient
        .withId(UUID.randomUUID().toString())
        .clientId("client")
        .clientSecret("{noop}secret")
        .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
        .authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
        .clientSettings(ClientSettings.builder()
                .tokenEndpointAuthenticationSigningAlgorithm(SignatureAlgorithm.RS256)
                .build())
        .tokenSettings(TokenSettings.builder()
                .accessTokenFormat(OAuth2TokenFormat.SELF_CONTAINED)
                .idTokenSignatureAlgorithm(SignatureAlgorithm.RS256)
                .accessTokenTimeToLive(Duration.ofMinutes(30))
                .build())
        .scope("read")
        .build();

// Authorizations (and the tokens they carry) are kept in memory only.
@Bean
public OAuth2AuthorizationService authorizationService() {
    return new InMemoryOAuth2AuthorizationService();
}
```

Answer 1

Score: 1

In Spring Authorization Server, generating an access token for every request is the default behaviour and is in line with the OAuth 2.0 specification.

However, if you have a specific requirement to return the same token for as long as the access token has not expired, you can implement a custom solution.

Here is one approach:

  1. Create a custom class implementing the OAuth2TokenGenerator interface to generate and manage access tokens. You can extend the existing DefaultOAuth2TokenGenerator class provided by Spring Authorization Server.

  2. In your custom token generator implementation, override the generateAccessToken() method. In this method, check whether a valid (not expired) access token is already available. If so, return the existing token instead of generating a new one. Otherwise, delegate to the superclass (DefaultOAuth2TokenGenerator) to generate a new access token.

  3. Configure your custom token generator as the OAuth2TokenGenerator bean in your Spring application context.

  4. Make sure the OAuth2AuthorizationService uses your custom token generator by creating a bean of type OAuth2AuthorizationService that returns a DefaultOAuth2AuthorizationService instance with your custom token generator injected.

Of course, note that implementing such custom logic deviates from standard OAuth 2.0 behaviour and may introduce security risks or violate the principles of the protocol.

English:

In Spring Authorization Server, the generation of an access token for each request is the default behavior and aligns with the OAuth 2.0 specification.

However, if you have a specific requirement to generate the same token as long as it's not expired, you can implement a custom solution.

Here's one approach:

  1. Create a custom implementation of OAuth2TokenGenerator interface to generate and manage access tokens. You can extend the existing DefaultOAuth2TokenGenerator class provided by Spring Authorization Server.

  2. Override the generateAccessToken() method in your custom token generator implementation. Within this method, check if there is a valid (not expired) access token already available. If so, return the existing token instead of generating a new one. Otherwise, delegate to the superclass (DefaultOAuth2TokenGenerator) to generate a new access token.

  3. Configure your custom token generator as the bean for OAuth2TokenGenerator in your Spring application context.

  4. Ensure that the OAuth2AuthorizationService uses your custom token generator by creating a bean of type OAuth2AuthorizationService and returning an instance of DefaultOAuth2AuthorizationService with your custom token generator injected.

Of course, note that implementing such custom logic deviates from the standard OAuth 2.0 behavior and may introduce security risks or violate the protocol's principles.
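As an added illustration of step 2 (not code from the answer or from Spring Authorization Server), here is a wrapper that implements the real OAuth2TokenGenerator interface and delegates to whatever generator the server already uses, instead of subclassing the generator class named above. ReusingAccessTokenGenerator, its per-JVM cache keyed by client, principal and sorted scopes, and the minRemainingLifetime leeway are all assumptions of this example.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.TreeSet;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.security.oauth2.core.OAuth2Token;
import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenContext;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenGenerator;

// Hypothetical wrapper, not a Spring Authorization Server class: re-issues the last
// access token granted to the same client + principal + scopes while it is still valid.
public class ReusingAccessTokenGenerator implements OAuth2TokenGenerator<OAuth2Token> {
    private final OAuth2TokenGenerator<? extends OAuth2Token> delegate;
    private final Duration minRemainingLifetime; // leeway so a nearly expired token is not reused
    private final ConcurrentHashMap<String, OAuth2Token> issued = new ConcurrentHashMap<>();

    public ReusingAccessTokenGenerator(OAuth2TokenGenerator<? extends OAuth2Token> delegate,
                                       Duration minRemainingLifetime) {
        this.delegate = delegate;
        this.minRemainingLifetime = minRemainingLifetime;
    }

    @Override
    public OAuth2Token generate(OAuth2TokenContext context) {
        // Only access tokens are reused; refresh and ID tokens always go to the delegate.
        if (!OAuth2TokenType.ACCESS_TOKEN.equals(context.getTokenType())) {
            return delegate.generate(context);
        }
        String key = cacheKey(context);
        OAuth2Token cached = issued.get(key);
        if (cached != null && stillUsable(cached)) {
            return cached; // same token value and the original issuedAt/expiresAt
        }
        OAuth2Token fresh = delegate.generate(context);
        if (fresh != null) {
            issued.put(key, fresh);
        }
        return fresh;
    }

    private boolean stillUsable(OAuth2Token token) {
        Instant expiresAt = token.getExpiresAt();
        return expiresAt != null && expiresAt.minus(minRemainingLifetime).isAfter(Instant.now());
    }

    private String cacheKey(OAuth2TokenContext context) {
        // Scopes are sorted so "read write" and "write read" share one cache entry.
        return context.getRegisteredClient().getId() + "|" + context.getPrincipal().getName()
                + "|" + new TreeSet<>(context.getAuthorizedScopes());
    }
}
```

Register it as the OAuth2TokenGenerator bean around the server's existing generator; note that every token request still saves a new OAuth2Authorization carrying the same token value, so revocation and introspection must cope with several records per token, and the cache here is lost on restart.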

huangapple
  • Posted on 6 July 2023, 14:48:56
  • Please keep this link when reposting: https://go.coder-hub.com/76626161.html