Spring Security OAuth2 Redis存储token refresh_token永不过期问题解决

Joe.Ye 2023-03-20 Spring Security

OAuth2AccessToken接口的默认实现是DefaultOAuth2AccessToken类(自带过期时间属性)
OAuth2RefreshToken接口的默认实现是DefaultOAuth2RefreshToken类(不带过期时间属性)
ExpiringOAuth2RefreshToken接口父接口是OAuth2RefreshTokenExpiringOAuth2RefreshToken的默认实现是DefaultExpiringOAuth2RefreshToken(自带过期时间属性)

自定义方式生成access_token和refresh_token

/**
 * @Description: 用户自定义token令牌,包括access_token和refresh_token
 * @Package: cn.appblog.security.oauth2.enhancer.UserTokenEnhancer
 * @Version: 1.0
 */
public class UserTokenEnhancer implements TokenEnhancer {
    /**
     * 重新定义令牌token
     */
    @Override
    public OAuth2AccessToken enhance(OAuth2AccessToken accessToken, OAuth2Authentication authentication) {
       if(accessToken instanceof DefaultOAuth2AccessToken){
           DefaultOAuth2AccessToken token = (DefaultOAuth2AccessToken) accessToken;
           token.setValue(getToken());
           OAuth2RefreshToken refreshToken = token.getRefreshToken();
           if(refreshToken instanceof OAuth2RefreshToken){
               token.setRefreshToken(new OAuth2RefreshToken(getToken()));
           }
           Map<String, Object> additionalInformation = Maps.newHashMap();
           additionalInformation.put("client_id", authentication.getOAuth2Request().getClientId());
           //添加额外配置信息
           token.setAdditionalInformation(additionalInformation);
           return token;
       }
        return accessToken;
    }

    /**
     * 生成自定义token
     */
    private String getToken() {
        return StringUtils.join(UUID.randomUUID().toString().replace("-", ""));
    }
}

在实际的测试环境中我可以拿到access_token的过期时间,并且在redis的客户端查看access_token相关键值对都是跟我设置的过期时间是一致的,但是refresh_token设置的过期
时间一直不起作用,TTL显示-1,也就是一直有效,感觉就很奇怪,所以翻看TokenStore的实现类RedisTokenStore

生成access_token键值对的代码如下:

public void storeAccessToken(OAuth2AccessToken token, OAuth2Authentication authentication) {
   //序列化相关key
    byte[] serializedAccessToken = this.serialize((Object)token);
    byte[] serializedAuth = this.serialize((Object)authentication);
    byte[] accessKey = this.serializeKey("access:" + token.getValue());
    byte[] authKey = this.serializeKey("auth:" + token.getValue());
    byte[] authToAccessKey = this.serializeKey("auth_to_access:" + this.authenticationKeyGenerator.extractKey(authentication));
    byte[] approvalKey = this.serializeKey("uname_to_access:" + getApprovalKey(authentication));
    byte[] clientId = this.serializeKey("client_id_to_access:" + authentication.getOAuth2Request().getClientId());
    RedisConnection conn = this.getConnection();

    try {
        conn.openPipeline();
        if (springDataRedis_2_0) {
            try {
                //存储键值对
                this.redisConnectionSet_2_0.invoke(conn, accessKey, serializedAccessToken);
                this.redisConnectionSet_2_0.invoke(conn, authKey, serializedAuth);
                this.redisConnectionSet_2_0.invoke(conn, authToAccessKey, serializedAccessToken);
            } catch (Exception var24) {
                throw new RuntimeException(var24);
            }
        } else {
            conn.set(accessKey, serializedAccessToken);
            conn.set(authKey, serializedAuth);
            conn.set(authToAccessKey, serializedAccessToken);
        }

        if (!authentication.isClientOnly()) {
            conn.sAdd(approvalKey, new byte[][]{serializedAccessToken});
        }

        conn.sAdd(clientId, new byte[][]{serializedAccessToken});
        //设置access_token过期时间
        if (token.getExpiration() != null) {
            int seconds = token.getExpiresIn();
            conn.expire(accessKey, (long)seconds);
            conn.expire(authKey, (long)seconds);
            conn.expire(authToAccessKey, (long)seconds);
            conn.expire(clientId, (long)seconds);
            conn.expire(approvalKey, (long)seconds);
        }

        OAuth2RefreshToken refreshToken = token.getRefreshToken();
        if (refreshToken != null && refreshToken.getValue() != null) {
            byte[] refresh = this.serialize(token.getRefreshToken().getValue());
            byte[] auth = this.serialize(token.getValue());
            byte[] refreshToAccessKey = this.serializeKey("refresh_to_access:" + token.getRefreshToken().getValue());
            byte[] accessToRefreshKey = this.serializeKey("access_to_refresh:" + token.getValue());
            if (springDataRedis_2_0) {
                try {
                    this.redisConnectionSet_2_0.invoke(conn, refreshToAccessKey, auth);
                    this.redisConnectionSet_2_0.invoke(conn, accessToRefreshKey, refresh);
                } catch (Exception var23) {
                    throw new RuntimeException(var23);
                }
            } else {
                conn.set(refreshToAccessKey, auth);
                conn.set(accessToRefreshKey, refresh);
            }
            //判断refresh_token对象是否是ExpiringOAuth2RefreshToken的实例对象,这一段是设置refresh_token的关键,如果是就会进行过期时间
            //设置,否则生成的refresh_token相关的键值对永远有效          
            if (refreshToken instanceof ExpiringOAuth2RefreshToken) {
                ExpiringOAuth2RefreshToken expiringRefreshToken = (ExpiringOAuth2RefreshToken)refreshToken;
                Date expiration = expiringRefreshToken.getExpiration();
                if (expiration != null) {
                    int seconds = Long.valueOf((expiration.getTime() - System.currentTimeMillis()) / 1000L).intValue();
                    conn.expire(refreshToAccessKey, (long)seconds);
                    conn.expire(accessToRefreshKey, (long)seconds);
                }
            }
        }

        conn.closePipeline();
    } finally {
        conn.close();
    }
}

上面的refreshToken instanceof ExpiringOAuth2RefreshToken这段代码是来判断刷新token是否是带有有效期时间的ExpiringOAuth2RefreshToken实例对象,我们可以
看到上面自定义的生成refresh_token的实例对象是OAuth2RefreshToken类型,只带有一个refresh_token值,而没有有效时间的字段值,我们看下ExpiringOAuth2RefreshToken类的源码:

package org.springframework.security.oauth2.common;

import java.util.Date;

public interface ExpiringOAuth2RefreshToken extends OAuth2RefreshToken {
    Date getExpiration();
}

可以看到ExpiringOAuth2RefreshToken是OAuth2RefreshToken的子类,所以我们可以将生成的refresh_token实例对象更改为ExpiringOAuth2RefreshToken对象,代码如下:

/**
 * 重新定义令牌token
 */
@Override
public OAuth2AccessToken enhance(OAuth2AccessToken accessToken, OAuth2Authentication authentication) {
    if (accessToken instanceof DefaultOAuth2AccessToken) {
        DefaultOAuth2AccessToken token = (DefaultOAuth2AccessToken) accessToken;
        token.setValue(getToken());
        //使用DefaultExpiringOAuth2RefreshToken类生成refresh_token,自带过期时间,否则不生效,refresh_token一直有效
        DefaultExpiringOAuth2RefreshToken refreshToken = (DefaultExpiringOAuth2RefreshToken) token.getRefreshToken();
        //OAuth2RefreshToken refreshToken = token.getRefreshToken();
        if (refreshToken instanceof DefaultExpiringOAuth2RefreshToken) {
            token.setRefreshToken(new DefaultExpiringOAuth2RefreshToken(getToken(), refreshToken.getExpiration()));
        }
        Map<String, Object> additionalInformation = Maps.newHashMap();
        additionalInformation.put("client_id", authentication.getOAuth2Request().getClientId());
        //添加额外配置信息
        token.setAdditionalInformation(additionalInformation);
        return token;
    }
    return accessToken;
}

经测试上面的方案完美解决自定义token生成refresh_token永不过期问题

本文转载参考 原文 并加以调试

版权声明:
作者:Joe.Ye
链接:https://www.appblog.cn/index.php/2023/03/20/spring-security-oauth2-redis-storage-token-refresh-token-never-expires-problem-resolution/
来源:APP全栈技术分享
文章版权归作者所有,未经允许请勿转载。

THE END
分享
二维码
打赏
海报
Spring Security OAuth2 Redis存储token refresh_token永不过期问题解决
OAuth2AccessToken接口的默认实现是DefaultOAuth2AccessToken类(自带过期时间属性) OAuth2RefreshToken接口的默认实现是DefaultOAuth2RefreshToken类(不带……
<<上一篇
下一篇>>
文章目录
关闭
目 录