【Question title】: refresh token is null using Spring Security OAuth2
【Posted】: 2019-08-29 20:31:28
【Question description】:

I am trying to integrate Google OAuth 2 using Spring Security. Everything works, but the refresh_token is null.

This is my configuration:

@Bean
public OAuth2ProtectedResourceDetails googleOAuth2Details() {
    AuthorizationCodeResourceDetails googleOAuth2Details = new AuthorizationCodeResourceDetails();
    googleOAuth2Details.setAuthenticationScheme(form);
    googleOAuth2Details.setClientAuthenticationScheme(form);
    googleOAuth2Details.setClientId(googleClientId);
    googleOAuth2Details.setClientSecret(googleClientSecret);
    googleOAuth2Details.setUserAuthorizationUri(googleOAuthUri);
    googleOAuth2Details.setAccessTokenUri(googleTokenUrl);
    googleOAuth2Details.setScope(asList("openid","email"));
    return googleOAuth2Details;
}

I read that in order to get a refresh_token, access_type must be "offline". But how do I set that in Spring?

【Question discussion】:

    Tags: java spring spring-security oauth-2.0


    【Solution 1】:

    Try this: you can add the parameter to googleOAuthUri "hard-configured", so:

    googleOAuthUri = googleOAuthUri + "?access_type=offline";
    googleOAuth2Details.setUserAuthorizationUri(googleOAuthUri);
    

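    Hopefully Spring does the right thing when it adds the other parameters.

    Also note that the refresh_token is only returned the first time the user grants your client access. Subsequent authorization requests will not produce a new refresh_token, because it is assumed that your client has already stored the one from the first request.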

    【Discussion】:

    • Thanks, this helped solve the problem.
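If googleOAuthUri already carries a query string, the concatenation in Solution 1 folds `?access_type=offline` into the value of the last existing parameter, and it repeats the parameter if it is already present. The following is an added example, not code from the thread or from Spring, that appends the parameter with plain JDK calls; the class name, the helper name and the sample URIs are constructed, and Java 10+ is assumed for `URLEncoder.encode(String, Charset)`.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class AuthorizationUriParams {

    /** Returns uri with name=value added to its query, unless name is already there. */
    static String withQueryParam(String uri, String name, String value) {
        String encName = URLEncoder.encode(name, StandardCharsets.UTF_8);
        String encValue = URLEncoder.encode(value, StandardCharsets.UTF_8);

        // Split off any fragment so the parameter lands in the query, not after '#'.
        int hash = uri.indexOf('#');
        String fragment = hash >= 0 ? uri.substring(hash) : "";
        String base = hash >= 0 ? uri.substring(0, hash) : uri;

        int q = base.indexOf('?');
        if (q < 0) {
            // No query yet: start one.
            return base + "?" + encName + "=" + encValue + fragment;
        }
        String query = base.substring(q + 1);
        boolean present = Arrays.stream(query.split("&"))
                .anyMatch(p -> p.equals(encName) || p.startsWith(encName + "="));
        if (present) {
            return uri; // do not send the parameter twice
        }
        // Existing query: join with '&' unless it is empty or already ends with one.
        String sep = (query.isEmpty() || query.endsWith("&")) ? "" : "&";
        return base + sep + encName + "=" + encValue + fragment;
    }

    public static void main(String[] args) {
        // Constructed sample values; the real endpoint is whatever googleOAuthUri holds.
        String[] samples = {
            "https://accounts.example.test/o/oauth2/auth",
            "https://accounts.example.test/o/oauth2/auth?hd=example.test",
            "https://accounts.example.test/o/oauth2/auth?access_type=offline",
        };
        for (String s : samples) {
            System.out.println(withQueryParam(s, "access_type", "offline"));
        }
    }
}
```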
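    【Solution 2】:

    I'm afraid the 'access_type' parameter is not within the scope of OAuth2 Authorization (RFC 6749), and Spring does not have it by default, so it needs to be added manually. Unfortunately, I don't have the right approach at hand right now, but I think 'OAuth2RestTemplate#getAccessToken' is a good place to start investigating.

    This post may also be useful to you.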

    【Discussion】:

      【Solution 3】:

      You can create a custom implementation of OAuth2AuthorizationRequestResolver and add "access_type"="offline" via additionalParameters(..), as described in the Spring Security documentation.

      @EnableWebSecurity
      public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
          private final ClientRegistrationRepository clientRegistrationRepository;
      
          public OAuth2LoginSecurityConfig(ClientRegistrationRepository clientRegistrationRepository) {
              this.clientRegistrationRepository = clientRegistrationRepository;
          }
      
          @Override
          protected void configure(HttpSecurity http) throws Exception {
              http
                      .authorizeRequests()
                      .anyRequest().authenticated()
                      .and()
                      .oauth2Login()
                      .authorizationEndpoint()
                      .authorizationRequestResolver(
                              new CustomAuthorizationRequestResolver(
                                      this.clientRegistrationRepository));
          }
      }
      
      public class CustomAuthorizationRequestResolver implements OAuth2AuthorizationRequestResolver {
          private final OAuth2AuthorizationRequestResolver defaultAuthorizationRequestResolver;
      
          public CustomAuthorizationRequestResolver(ClientRegistrationRepository clientRegistrationRepository) {
              this.defaultAuthorizationRequestResolver = new DefaultOAuth2AuthorizationRequestResolver(clientRegistrationRepository, OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI);
          }
      
          @Override
          public OAuth2AuthorizationRequest resolve(HttpServletRequest request) {
              final OAuth2AuthorizationRequest authorizationRequest = this.defaultAuthorizationRequestResolver.resolve(request);
              return authorizationRequest != null ? customAuthorizationRequest(authorizationRequest) : null;
          }
      
          @Override
          public OAuth2AuthorizationRequest resolve(HttpServletRequest request, String clientRegistrationId) {
              final OAuth2AuthorizationRequest authorizationRequest = this.defaultAuthorizationRequestResolver.resolve(request, clientRegistrationId);
              return authorizationRequest != null ? customAuthorizationRequest(authorizationRequest) : null;
          }
      
          private OAuth2AuthorizationRequest customAuthorizationRequest(OAuth2AuthorizationRequest authorizationRequest) {
              Map<String, Object> additionalParameters = new LinkedHashMap<>(authorizationRequest.getAdditionalParameters());
              additionalParameters.put("access_type", "offline");
              return OAuth2AuthorizationRequest.from(authorizationRequest)
                      .additionalParameters(additionalParameters)
                      .build();
          }
      }
      

      【Discussion】:
