Spring Boot OAuth不会为客户端返回刷新令牌

Question

我有一个我在Spring Boot中开发的API,我刚刚发现它在请求访问令牌时没有返回刷新令牌.

API的响应如下所示;

{
    "access_token": "ed0bdc62-dccf-4f58-933c-e28ad9598843",
    "token_type": "bearer",
    "expires_in": 2589494,
    "scope": "read write"
}

我的配置看起来像这样;

@Configuration
public class OAuth2ServerConfiguration {

    private static final String RESOURCE_ID = "myapi";

    @Autowired
    DataSource dataSource;

    @Bean
    public TokenStore tokenStore() {
        return new JdbcTokenStore(dataSource);
    }

    @Configuration
    @EnableResourceServer
    protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

        @Autowired
        TokenStore tokenStore;

        @Override
        public void configure(ResourceServerSecurityConfigurer resources) {
            resources
                    .resourceId(RESOURCE_ID)
                    .tokenStore(tokenStore);
        }

        @Override
        public void configure(HttpSecurity http) throws Exception {
            http
                    .csrf().disable()
                    .authorizeRequests()
                    .antMatchers("/oauth/**", "/view/**").permitAll()
                    .anyRequest().authenticated();
        }
    }

    @Configuration
    @EnableAuthorizationServer
    protected static class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {
        @Autowired
        private JwtAccessTokenConverter jwtAccessTokenConverter;

        @Autowired
        private DataSource dataSource;

        @Autowired
        private TokenStore tokenStore;

        @Autowired
        private CustomUserDetailsService userDetailsService;

        @Autowired
        @Qualifier("authenticationManagerBean")
        private AuthenticationManager authenticationManager;

        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
            endpoints
                    .tokenStore(tokenStore)
                    .authenticationManager(authenticationManager)
                    .userDetailsService(userDetailsService);
        }

        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            clients
                    .jdbc(dataSource);
        }
    }

}

我以前有项目设置使用JWT访问令牌,并确实返回刷新令牌,但我必须删除JWT,因为它与使用令牌存储不兼容.

要确认,它会在grant_type =密码时返回刷新令牌,但在设置为"client_credentials"时则不会.

有没有人有任何建议为什么我的配置不返回刷新令牌？

Answer 1

4.3.3.访问令牌响应在RFC 6749(OAuth 2.0已授权框架)说:"刷新令牌不应该被包括在内." 因此,OAuth 2.0授权服务器的大多数实现都不会在Client Credentials流中生成刷新令牌.