
I would like to authenticate an Android application using OAuth2 in my web service. After some research I know that I should use the /oauth/authorize endpoint, which gives me implicit authentication. However, in the end, after redirection to the login page and a successful login, the server returns an access token. After it has expired the user has to log in again. This is a problem in my scenario, and I would like to also get a refresh token so that I can use it to obtain a new access token when the old one has expired. Is such a scenario possible using Spring OAuth2?

Cob

1 Answer


In your AuthorizationServerConfiguration you should have a TokenServices bean that is implemented by DefaultTokenServices.

    defaultTokenServices.setSupportRefreshToken(true); // enable refresh tokens

Then in your client configuration, be sure to set support for refresh tokens.

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            .withClient("trusted-app")
            .authorizedGrantTypes("password", "refresh_token")
            .authorities("ROLE_TRUSTED_CLIENT")
            .scopes("read", "write")
            .resourceIds(resourceId)
            .accessTokenValiditySeconds(accessTokenValiditySeconds)
            .refreshTokenValiditySeconds(refreshTokenValiditySeconds)
            .secret("secret");
    }

When you make a request to the token endpoint, it should include a refresh token.

    /oauth/token?grant_type=password&username={username}&password={password}

This should get you a new access token:

    /oauth/token?grant_type=refresh_token&client_id=trusted-app&refresh_token={refreshToken}
blur0224
  • In your scenario I have to give the user's login/password to the Android application. I would rather use the /oauth/authorize endpoint, which redirects to the login page. That way the Android application does not have to know the user's login/password. – Cob Aug 31 '16 at 12:13
  • At the moment I am testing something different. I open this URL in the browser: http://localhost:8080/oauth/authorize?client_id=clientId&redirect_uri=http://localhost:8080/redirect&response_type=code I am redirected to the login page, and after a successful login I get the code. The second step is this: curl -X POST "clientId:secret@localhost:8080/oauth/token&grant_type=authorization_code&code=6Lgq01" However, instead of getting a token I am redirected to the login page again. Am I doing something wrong? – Cob Aug 31 '16 at 12:25
  • Do you have control over the Spring OAuth Server or is it managed by a 3rd party? If you own both, it might make more sense to use the token end point. http://stackoverflow.com/a/36974132/2983312 I believe configuring the client to issue refresh tokens will make it include a refresh token regardless of which login type you choose. – blur0224 Aug 31 '16 at 12:30
  • Turn up the org.springframework.security logs to debug. Use this curl command: curl --user name:password -X POST http://www.example.com – blur0224 Aug 31 '16 at 12:32
  • After some fighting with the configuration, this started working: 1. In the browser, to authenticate and get the code: http://localhost:8080/oauth/authorize?response_type=code&client_id=clientId&redirect_uri=http://example.com 2. To exchange the code for a refresh/access token: curl sampleClientId:secret@localhost:8080/oauth/token -d grant_type=authorization_code -d client_id=clientId -d redirect_uri=http://example.com -d code=xxx 3. To get an access token from the refresh token when it has expired: curl -vu clientId:secret -X POST 'http://localhost:8080/oauth/token?grant_type=refresh_token&refresh_token=yyy' – Cob Aug 31 '16 at 13:12
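Putting the answer and the asker's final comment together: the piece the question was missing is that the client must be authorized for both the authorization_code grant (to turn the code from /oauth/authorize into tokens) and the refresh_token grant (to trade an expired access token for a new one), and the token services must issue refresh tokens at all. The configuration below is an added example for the legacy spring-security-oauth2 library this thread uses; it is not code from the answer or from the asker's project. The client id, secret and redirect URI are the placeholder values from the comments; the token validity periods, the autowired AuthenticationManager and the in-memory token store are assumptions.

```java
// Added example (not the answer's or the asker's code): authorization server
// configuration for the authorization_code + refresh_token flow described above.
// Assumes an AuthenticationManager bean is provided by the web security config.
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {

    // Assumed values: short-lived access tokens, long-lived refresh tokens.
    private static final int ACCESS_TOKEN_VALIDITY_SECONDS = 15 * 60;          // 15 minutes
    private static final int REFRESH_TOKEN_VALIDITY_SECONDS = 30 * 24 * 60 * 60; // 30 days

    @Autowired
    private AuthenticationManager authenticationManager; // assumed to exist

    @Bean
    public TokenStore tokenStore() {
        // In-memory store for the example; a persistent store is needed if the
        // refresh tokens must survive a server restart.
        return new InMemoryTokenStore();
    }

    @Bean
    @Primary
    public DefaultTokenServices tokenServices() {
        DefaultTokenServices services = new DefaultTokenServices();
        services.setTokenStore(tokenStore());
        services.setSupportRefreshToken(true);   // no refresh_token is issued without this
        services.setReuseRefreshToken(false);    // rotate: each refresh invalidates the old refresh token
        services.setAccessTokenValiditySeconds(ACCESS_TOKEN_VALIDITY_SECONDS);
        services.setRefreshTokenValiditySeconds(REFRESH_TOKEN_VALIDITY_SECONDS);
        return services;
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints.tokenStore(tokenStore())
                 .tokenServices(tokenServices())
                 .authenticationManager(authenticationManager);
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            .withClient("clientId")                                  // client_id from the comments
            .secret("secret")                                        // placeholder client secret
            // authorization_code: exchange the code from /oauth/authorize for tokens.
            // refresh_token: exchange an expired access token for a new one.
            .authorizedGrantTypes("authorization_code", "refresh_token")
            .scopes("read", "write")
            // Must match redirect_uri exactly on both /oauth/authorize and /oauth/token.
            .redirectUris("http://example.com")
            .accessTokenValiditySeconds(ACCESS_TOKEN_VALIDITY_SECONDS)
            .refreshTokenValiditySeconds(REFRESH_TOKEN_VALIDITY_SECONDS);
    }
}
```

With this in place the three-step sequence from the last comment works as written: the browser call to /oauth/authorize with response_type=code, the POST to /oauth/token with grant_type=authorization_code (client credentials in HTTP basic auth, the same redirect_uri repeated), and later the POST with grant_type=refresh_token. The Android app never sees the user's password; it only holds the tokens. Because a refresh token is a long-lived bearer credential, setReuseRefreshToken(false) is the setting worth keeping: every refresh returns a fresh refresh token and invalidates the previous one, so a copied token stops working as soon as the legitimate client refreshes.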