
Looking at the documentation, you need to POST to /oauth/access_token:

POST /myApp/oauth/access_token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&refresh_token=eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00ifQ....

That example doesn't send the BEARER token with the request, but with grails 4.0.5 and spring-security-rest-3.0.1, when I try to refresh the token, the request gets denied unless I include the current bearer token.

If the current bearer token is expired, the refresh message gets rejected for trying to use an expired token.

I'm using the following filterChain (straight from the docs):

    // stateless chain
    [
        pattern: '/**',
        filters: 'JOINED_FILTERS,-anonymousAuthenticationFilter,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter,-rememberMeAuthenticationFilter'
    ],

There are some other entries in the docs about setting up ANONYMOUS_ACCESS, but that ends up creating a session, and causes some other weirdness I can't quite figure out yet.

Is there some other configuration to make the "/oauth/access_token" endpoint work like the "/api/login" request?

burns
  • One standard way of dealing with this problem is to use a _refresh_ token, whose expiry is set to be a bit after the expiry of the access token. When the expiry time of the access token draws near, your application would send, under the hood, the refresh token to the server to request a new access token. This way, you don't have to force your users to logout mid-session. – Tim Biegeleisen Nov 08 '20 at 03:19
  • Thanks @TimBiegeleisen. I'm specifically curious about how to use the refresh token after the bearer token has expired. From what I've been reading you should be able to generate a new one with the refresh token even if your bearer token has expired. I just can't get it to work in practice. – burns Nov 10 '20 at 08:15
  • ...refresh tokens can sometimes expire too. So, if that be the case, then they won't work, and your user will have to be redirected back to login. – Tim Biegeleisen Nov 10 '20 at 08:20
  • Right. I have a bearer token that is expired, and a refresh token that is still valid. Using Grails spring security rest I am unable to get a new token using the /oauth/access_token URL. It appears to require a non-expired bearer token in the headers. – burns Nov 10 '20 at 15:53
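The exchange the question and the comments describe, as an added example that is not part of the original post and not code from Grails or the spring-security-rest plugin: a Python client that reads the access token's `exp` claim to decide when to refresh, sends the refresh-token grant exactly as quoted in the question (form-encoded body, no Authorization header), and treats a rejected refresh token as the end of the session. The loopback stub endpoint, the 60-second refresh skew, the `VALID_REFRESH_TOKENS` set and every token value are constructed assumptions that only mimic the documented request and response shape; the example says nothing about how the plugin itself should be configured.

```python
# Client-side refresh-token exchange (RFC 6749 section 6) against a stub token
# endpoint. Added example, not Grails or spring-security-rest code: the stub only
# mimics the request/response shape quoted above; all tokens are constructed.
import base64
import json
import threading
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode
from urllib.request import Request, urlopen

REFRESH_SKEW_SECONDS = 60  # assumption: refresh this long before 'exp'
VALID_REFRESH_TOKENS = {"demo-refresh-token"}  # constructed server-side state

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_jwt(claims: dict) -> str:
    """Constructed demo token 'header.payload.' with an empty signature; a real
    server signs its tokens, this one only gives the client an 'exp' to read."""
    header = _b64url(json.dumps({"alg": "none"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def jwt_expiry(token: str):
    """Read 'exp' from the payload WITHOUT verifying the signature: this is only a
    scheduling hint for the client; the server stays the authority on validity."""
    try:
        payload = token.split(".")[1]
        claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
        return int(claims["exp"])
    except (IndexError, KeyError, ValueError, TypeError):
        return None

def needs_refresh(access_token: str, now: float, skew: int = REFRESH_SKEW_SECONDS) -> bool:
    """True when the access token is expired, about to expire, or unreadable."""
    exp = jwt_expiry(access_token)
    return exp is None or now >= exp - skew

def build_refresh_request(token_url: str, refresh_token: str) -> Request:
    """The request quoted in the question: form-encoded grant, no Authorization
    header. The refresh token is the credential, so the (possibly expired)
    access token is deliberately not attached."""
    body = urlencode({"grant_type": "refresh_token", "refresh_token": refresh_token}).encode()
    return Request(token_url, data=body, method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})

def refresh_access_token(token_url: str, refresh_token: str):
    """New access token, or None when the server rejects the refresh token
    (expired or revoked) and the user must go back through login."""
    try:
        with urlopen(build_refresh_request(token_url, refresh_token), timeout=5) as resp:
            return json.loads(resp.read())["access_token"]
    except HTTPError as err:
        if err.code in (400, 401):
            return None
        raise

class StubTokenEndpoint(BaseHTTPRequestHandler):
    """Stand-in for /oauth/access_token: checks the refresh token in the form
    body and ignores any Authorization header entirely."""
    def do_POST(self):
        form = parse_qs(self.rfile.read(int(self.headers.get("Content-Length", 0))).decode())
        ok = (self.path == "/oauth/access_token"
              and form.get("grant_type") == ["refresh_token"]
              and form.get("refresh_token", [""])[0] in VALID_REFRESH_TOKENS)
        if ok:
            token = make_unsigned_jwt({"sub": "alice", "exp": int(time.time()) + 3600})
            body = json.dumps({"access_token": token, "token_type": "Bearer", "expires_in": 3600}).encode()
        else:
            body = json.dumps({"error": "invalid_grant"}).encode()
        self.send_response(200 if ok else 401)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *_):  # keep the demo quiet
        pass

def demo() -> bool:
    """Expired access token + valid refresh token -> new token; stale refresh
    token -> None (back to login). Returns True if both hold."""
    server = HTTPServer(("127.0.0.1", 0), StubTokenEndpoint)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_address[1]}/oauth/access_token"
    try:
        expired = make_unsigned_jwt({"sub": "alice", "exp": int(time.time()) - 10})
        renewed = refresh_access_token(url, "demo-refresh-token") if needs_refresh(expired, time.time()) else None
        rejected = refresh_access_token(url, "stale-refresh-token")
        return renewed is not None and not needs_refresh(renewed, time.time()) and rejected is None
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print("refresh flow ok:", demo())
```

Two design points worth noting. First, the refresh token is the credential in this grant, so the client never attaches the old bearer token; a token endpoint that only accepts the refresh request when a still-valid access token accompanies it makes the refresh token redundant, which is the behaviour the question reports. Second, the client reads `exp` purely to schedule the refresh and never trusts that value for authorization: a 401 from the token endpoint, whatever the client's own clock says, ends the session and sends the user back through login, which is the expired-refresh-token case from the comments.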

0 Answers