Spring Oauth2 - multiple tokens per client identifier

We implemented the server API using spring-oauth2. I noticed that the server generates the same token for each user/client identifier combination, even when called from separate devices. This causes a problem, as my clients can run multiple instances: for example, Android and iOS apps. I need a way to associate a token with a specific instance, and not reuse the same token.

An example where this is required is GCM (or push notification), where the API needs to know which instance it is communicating with.

This is my current spring config:

<http pattern="/oauth/token" create-session="stateless"
      authentication-manager-ref="clientAuthenticationManager"
      entry-point-ref="oauthAuthenticationEntryPoint"
      xmlns="http://www.springframework.org/schema/security">
    <intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />
    <anonymous enabled="false" />
    <http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
    <!-- include this only if you need to authenticate clients via request parameters -->
    <custom-filter ref="clientCredentialsTokenEndpointFilter" before="BASIC_AUTH_FILTER" />
    <access-denied-handler ref="oauthAccessDeniedHandler" />
</http>

<oauth:authorization-server client-details-service-ref="mongoclientDetails"
                            token-services-ref="tokenServices"
                            user-approval-handler-ref="userApprovalHandler">
    <!-- authorization-endpoint-url="/oauth/authorize" token-endpoint-url="/oauth/token"> -->
    <oauth:authorization-code />
    <oauth:implicit />
    <oauth:refresh-token />
    <oauth:client-credentials />
    <oauth:password />
</oauth:authorization-server>

I prefer not to give each client a different identifier, as that would be impractical. Any ideas?

+5
2 answers

So, DefaultAuthenticationKeyGenerator uses client_id and scope to create a key and, if it matches the request for the token, it serves the previously generated token. So in your case you can have ios, android and device id as scopes.

Here is my code:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;

@Configuration
@EnableAuthorizationServer
protected static class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {

    .....

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        // One in-memory client; scopes are left unset here so the scope sent
        // in each token request becomes part of the stored-token key
        clients.inMemory()
            .withClient("my-trusted-client-with-secret")
            .authorizedGrantTypes("client_credentials")
            .authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT")
            //.scopes("read", "write", "trust")
            .secret("somesecret")
            .accessTokenValiditySeconds(3600);
    }
}

Tests:

» curl -H "Accept: application/json" my-trusted-client-with-secret:somesecret@localhost:8080/auth/oauth/token -d grant_type=client_credentials -d custid=1 -d siteid=2D -d scope="y"
{"access_token":"cust:site1:2D","token_type":"bearer","expires_in":3282,"scope":"y"}
» curl -H "Accept: application/json" my-trusted-client-with-secret:somesecret@localhost:8080/auth/oauth/token -d grant_type=client_credentials -d custid=1 -d siteid=3D -d scope="z"
{"access_token":"cust:site1:3D","token_type":"bearer","expires_in":3290,"scope":"z"}
» curl -H "Authorization: Bearer cust:site:3D" http://localhost:8080/dtn-auth/home
{"error":"invalid_token","error_description":"Invalid access token: cust:site:3D"}
» curl -H "Authorization: Bearer cust:site1:3D" http://localhost:8080/dtn-auth/home
Hello World
» curl -H "Authorization: Bearer cust:site1:2D" http://localhost:8080/dtn-auth/home
Hello World

As you can see, I was able to generate several tokens for the same client_id, and both of these tokens were authenticated to access the resource from the resource server.

+6
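An added example, not from either answer or the asker's project, showing the other route the first answer points at: instead of varying the scope, extend DefaultAuthenticationKeyGenerator so a per-device request parameter becomes part of the token-store key, which also lets one device's token be revoked without invalidating the others. It assumes a hypothetical parameter name device_id and a DefaultTokenServices backed by InMemoryTokenStore (JdbcTokenStore has the same setAuthenticationKeyGenerator setter).

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.TreeSet;

import org.springframework.security.oauth2.common.exceptions.InvalidRequestException;
import org.springframework.security.oauth2.common.util.OAuth2Utils;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.token.DefaultAuthenticationKeyGenerator;
import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;

/**
 * Adds a "device_id" request parameter (hypothetical name) to the
 * username/client_id/scope key that DefaultAuthenticationKeyGenerator builds.
 * Requests that differ only in device_id get distinct stored tokens, so one
 * device's token can be revoked without touching the others.
 */
public class DeviceAwareAuthenticationKeyGenerator extends DefaultAuthenticationKeyGenerator {
    static final String DEVICE_ID = "device_id";

    @Override
    public String extractKey(OAuth2Authentication authentication) {
        OAuth2Request request = authentication.getOAuth2Request();
        Map<String, String> values = new LinkedHashMap<String, String>();
        if (!authentication.isClientOnly()) {
            values.put("username", authentication.getName());
        }
        values.put("client_id", request.getClientId());
        if (request.getScope() != null) {
            values.put("scope", OAuth2Utils.formatParameterList(new TreeSet<String>(request.getScope())));
        }
        String deviceId = request.getRequestParameters().get(DEVICE_ID);
        if (deviceId != null) {
            // Untrusted client input: it only partitions tokens and is never an identity.
            // Bound its length and charset so the stored key stays small and predictable.
            if (!deviceId.matches("[A-Za-z0-9._-]{1,64}")) {
                throw new InvalidRequestException("device_id must be 1-64 chars of [A-Za-z0-9._-]");
            }
            values.put(DEVICE_ID, deviceId);
        }
        return generateKey(values); // same MD5-of-map digest the parent class produces
    }

    /** Token store for the authorization server, e.g. endpoints.tokenStore(tokenStore()). */
    public static InMemoryTokenStore tokenStore() {
        InMemoryTokenStore store = new InMemoryTokenStore();
        store.setAuthenticationKeyGenerator(new DeviceAwareAuthenticationKeyGenerator());
        return store;
    }
}
```

With this in place, two token requests from the same client and scope but different device_id values each receive their own access token, and DefaultTokenServices only reuses a token when the full key, device id included, matches.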

I think that you can use device identifiers in your request and generate a token for each identifier, or you can get a flag that determines the type of device that calls your API (Android, iOS) and generate a token for each platform.

0
