Spring 5，401 返回后带有 Google 刷新访问令牌的 OAuth2

Question

我有简单的配置应用程序

spring.security.oauth2.client.registration.google.clientId=xyz
spring.security.oauth2.client.registration.google.clientSecret=xyz
spring.security.oauth2.client.registration.google.scope=email,profile,openid,https://www.googleapis.com/auth/calendar,https://www.googleapis.com/auth/spreadsheets

我使用 http://localhost:8080/oauth2/authorization/google 登录并正常保存到谷歌日历。

获取访问令牌如下所示：

private String getAccessToken() {
    Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
    String accessToken = null;
    if (authentication.getClass().isAssignableFrom(OAuth2AuthenticationToken.class)) {
      OAuth2AuthenticationToken oauthToken = (OAuth2AuthenticationToken) authentication;
      String clientRegistrationId = oauthToken.getAuthorizedClientRegistrationId();
      OAuth2AuthorizedClient client = authorizedClientService.loadAuthorizedClient(
        clientRegistrationId, oauthToken.getName());
      accessToken = client.getAccessToken().getTokenValue();
    }
    return accessToken;
  }

OAuth2AuthorizedClient 包含刷新令牌。

但是 1 小时后访问令牌过期，我不知道如何刷新它。无需重新登录。

https://developers.google.com/calendar/v3/errors#401_invalid_credentials 说

使用长期刷新令牌获取新的访问令牌。

我找到了这个Spring Google OAuth2 With Refresh Token，但对我不起作用。

在 401 之后也有重新登录消息，但它不是用户友好的。

你能帮帮我吗？提前致谢。

Answer 1

感谢 DaImTo 的提示。

我更改了我的凭据用法

    Credential credential = new GoogleCredential().setAccessToken(tokenUtils.getAccessToken());

到

 private Calendar getClient() throws GeneralSecurityException, IOException {
    HttpTransport httpTransport = GoogleNetHttpTransport.newTrustedTransport();

    Credential credential = new GoogleCredential.Builder()
      .setJsonFactory(JSON_FACTORY)
      .setTransport(httpTransport)
      .setClientSecrets(clientId, clientSecret)
      .build()
      .setAccessToken(tokenUtils.getAccessToken())
      .setRefreshToken(tokenUtils.getRefreshToken());

    return new Calendar.Builder(httpTransport, JSON_FACTORY, credential)
      .setApplicationName("appname").build();
  }

它有效！

但只有在设置了prompt 的值select_account 或consent 时，应用才会收到刷新令牌。 带值none 或不带prompt 刷新令牌始终为空（access_type=offline）。

这也不友好，因为应用程序用户每次都必须选择谷歌帐户......

你知道一些解决方法吗？

编辑：

public class TokenUtils {

  private final OAuth2AuthorizedClientService authorizedClientService;

  public TokenUtils(OAuth2AuthorizedClientService authorizedClientService) {
    this.authorizedClientService = authorizedClientService;
  }

  public String getAccessToken() {
    OAuth2AuthorizedClient client = getClient();
    return client.getAccessToken().getTokenValue();
  }

  public String getRefreshToken() {
    OAuth2AuthorizedClient client = getClient();
    return client.getRefreshToken().getTokenValue();
  }

  public OAuth2AuthorizedClient getClient() {
    OAuth2AuthenticationToken oauthToken = getOAuthToken();
    return authorizedClientService.loadAuthorizedClient(
      oauthToken.getAuthorizedClientRegistrationId(), oauthToken.getName());
  }

  private OAuth2AuthenticationToken getOAuthToken() {
    Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
    if (authentication.getClass().isAssignableFrom(OAuth2AuthenticationToken.class)) {
      return (OAuth2AuthenticationToken) authentication;
    }
    throw new SecurityException("Authentication is not OAuth2AuthenticationToken");
  }
}

编辑 2：

http
      .oauth2Login()
      .successHandler(new RedirectToPrevAuthSuccessHandler())
      .userInfoEndpoint()
      .oidcUserService(addRolesOidcUserService);
      .oidcUserService(addRolesOidcUserService)
      .and()
      .authorizationEndpoint()
      .authorizationRequestResolver(new AddParamsRequestResolver(
        this.clientRegistrationRepository))
    ;

和

public class AddParamsRequestResolver implements OAuth2AuthorizationRequestResolver {

  private final OAuth2AuthorizationRequestResolver defaultAuthorizationRequestResolver;

  public AddParamsRequestResolver(ClientRegistrationRepository clientRegistrationRepository) {
    this.defaultAuthorizationRequestResolver =
      new DefaultOAuth2AuthorizationRequestResolver(
        clientRegistrationRepository,
        OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI);
  }

  @Override
  public OAuth2AuthorizationRequest resolve(HttpServletRequest request) {
    OAuth2AuthorizationRequest authorizationRequest =
      this.defaultAuthorizationRequestResolver.resolve(request);

    if (authorizationRequest != null) {
      return addParams(authorizationRequest);
    }
    return null;
  }

  @Override
  public OAuth2AuthorizationRequest resolve(HttpServletRequest request, String clientRegistrationId) {
    OAuth2AuthorizationRequest authorizationRequest =
      this.defaultAuthorizationRequestResolver.resolve(
        request, clientRegistrationId);

    if (authorizationRequest != null) {
      return addParams(authorizationRequest);
    }
    return null;
  }

  private OAuth2AuthorizationRequest addParams(
    OAuth2AuthorizationRequest authorizationRequest) {

    Map<String, Object> additionalParameters =
      new LinkedHashMap<>(authorizationRequest.getAdditionalParameters());
    additionalParameters.put("access_type", "offline");
    additionalParameters.put("prompt", "consent");
//    additionalParameters.put("prompt", "select_account");
//    additionalParameters.put("prompt", "login");

    return OAuth2AuthorizationRequest.from(authorizationRequest)
      .additionalParameters(additionalParameters)
      .build();
  }