Why does ImplicitAccessTokenProvider.obtainAccessToken call the parent class's retrieveToken method in implicit mode?
The parent class's retrieveToken uses restTemplate to request the accessTokenUri endpoint, which can never succeed because the grant_type parameter is missing,
and even if grant_type were added, the accessTokenUri endpoint would still return a failure (line 115 of TokenEndpoint.postAccessToken).
So why not call /oauth/authorize directly? Are developers supposed to configure /oauth/authorize as security.oauth2.client.access-token-uri?
That obviously doesn't make sense.
ImplicitAccessTokenProvider's obtainAccessToken method:

    public OAuth2AccessToken obtainAccessToken(OAuth2ProtectedResourceDetails details, AccessTokenRequest request)
            throws UserRedirectRequiredException, AccessDeniedException, OAuth2AccessDeniedException {
        ImplicitResourceDetails resource = (ImplicitResourceDetails) details;
        try {
            // We can assume here that the request contains all the parameters needed for authentication etc.
            OAuth2AccessToken token = retrieveToken(request,
                    resource, getParametersForTokenRequest(resource, request), getHeadersForTokenRequest(request));
            if (token == null) {
                // Probably an authenticated request, but approval is required. TODO: prompt somehow?
                throw new UserRedirectRequiredException(resource.getUserAuthorizationUri(), request.toSingleValueMap());
            }
            return token;
        }
        catch (UserRedirectRequiredException e) {
            // ... but if it doesn't then capture the request parameters for the redirect
            throw new UserRedirectRequiredException(e.getRedirectUri(), request.toSingleValueMap());
        }
    }
OAuth2AccessTokenSupport's retrieveToken method:

    protected OAuth2AccessToken retrieveToken(AccessTokenRequest request, OAuth2ProtectedResourceDetails resource,
            MultiValueMap<String, String> form, HttpHeaders headers) throws OAuth2AccessDeniedException {
        try {
            // Prepare headers and form before going into rest template call in case the URI is affected by the result
            authenticationHandler.authenticateTokenRequest(resource, form, headers);
            // Opportunity to customize form and headers
            tokenRequestEnhancer.enhance(request, resource, form, headers);
            final AccessTokenRequest copy = request;
            final ResponseExtractor<OAuth2AccessToken> delegate = getResponseExtractor();
            ResponseExtractor<OAuth2AccessToken> extractor = new ResponseExtractor<OAuth2AccessToken>() {
                @Override
                public OAuth2AccessToken extractData(ClientHttpResponse response) throws IOException {
                    if (response.getHeaders().containsKey("Set-Cookie")) {
                        copy.setCookie(response.getHeaders().getFirst("Set-Cookie"));
                    }
                    return delegate.extractData(response);
                }
            };
            return getRestTemplate().execute(getAccessTokenUri(resource, form), getHttpMethod(),
                    getRequestCallback(resource, form, headers), extractor, form.toSingleValueMap());
        }
        catch (OAuth2Exception oe) {
            throw new OAuth2AccessDeniedException("Access token denied.", resource, oe);
        }
        catch (RestClientException rce) {
            throw new OAuth2AccessDeniedException("Error requesting access token.", resource, rce);
        }
    }
Configuration of the two URIs:
security.oauth2.client.access-token-uri=http://localhost:8080/oauth/token
security.oauth2.client.user-authorization-uri=http://localhost:8080/oauth/authorize
Can anyone explain this? Much appreciated.
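An added, stand-alone illustration (not Spring Security OAuth code and not written by the poster) of what an implicit-grant client actually has to do with the authorization server's answer. Under RFC 6749 section 4.2.2 the implicit grant never calls the token endpoint: the client sends response_type=token to the authorization endpoint and, once the user is authenticated and has approved, the server redirects to the client's redirect_uri with the access token in the URL fragment. No grant_type parameter is involved, because grant_type belongs to token-endpoint requests. The class and method names (ImplicitRedirectParser, extractToken, ImplicitToken) and the sample redirect URLs below are invented for the example; whether the library itself resolves the access-token URI to the authorization URI for implicit resources is not shown by the code quoted in the post.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Optional;

// Hypothetical, self-contained example of reading an implicit-grant token out of the
// authorization server's redirect (RFC 6749 section 4.2.2). Not Spring Security OAuth code.
public class ImplicitRedirectParser {

    /** Minimal token holder for the example (hypothetical type). */
    public record ImplicitToken(String value, String tokenType, long expiresIn) {}

    /** Splits "a=b&c=d" into a map, URL-decoding each key and value. */
    static Map<String, String> parseForm(String encoded) {
        Map<String, String> out = new LinkedHashMap<>();
        if (encoded == null || encoded.isEmpty()) {
            return out;
        }
        for (String pair : encoded.split("&")) {
            int eq = pair.indexOf('=');
            String k = eq < 0 ? pair : pair.substring(0, eq);
            String v = eq < 0 ? "" : pair.substring(eq + 1);
            out.put(URLDecoder.decode(k, StandardCharsets.UTF_8),
                    URLDecoder.decode(v, StandardCharsets.UTF_8));
        }
        return out;
    }

    /**
     * Interprets the Location header of the 302 returned by the authorization endpoint.
     * Returns the token when the fragment carries one. Returns empty when the server
     * redirected somewhere without a token (login page, consent page): that is the case
     * where the client must send the user's browser to that location instead of retrying.
     */
    public static Optional<ImplicitToken> extractToken(String location, String expectedState) {
        URI uri = URI.create(location);
        Map<String, String> fragment = parseForm(uri.getRawFragment());

        if (fragment.containsKey("error")) {
            // Error responses also travel in the fragment (RFC 6749 section 4.2.2.1).
            throw new IllegalStateException("authorization server returned error: " + fragment.get("error"));
        }
        if (!fragment.containsKey("access_token")) {
            return Optional.empty(); // no token yet: user interaction still required
        }
        // The echoed state must equal what the client sent (CSRF protection, RFC 6749 section 10.12).
        if (expectedState != null && !expectedState.equals(fragment.get("state"))) {
            throw new IllegalStateException("state mismatch in implicit grant response");
        }
        long expiresIn = fragment.containsKey("expires_in")
                ? Long.parseLong(fragment.get("expires_in")) : -1;
        return Optional.of(new ImplicitToken(fragment.get("access_token"),
                fragment.getOrDefault("token_type", "bearer"), expiresIn));
    }

    public static void main(String[] args) {
        // Constructed sample redirects for the example, not captured from a real server.
        String success = "http://localhost:8081/callback#access_token=abc123&token_type=bearer&expires_in=3600&state=xyz";
        String needsLogin = "http://localhost:8080/login";

        System.out.println(extractToken(success, "xyz"));
        System.out.println(extractToken(needsLogin, "xyz"));
    }
}
```

The empty Optional corresponds to the `token == null` branch in the posted obtainAccessToken: the authorization server answered with a redirect to a login or approval page rather than to the redirect_uri, so the only thing the client can do is raise UserRedirectRequiredException and let the user's browser follow it. The fact that the token rides in a URL fragment is also the grant's main weakness (it can end up in browser history and in any place the fragment is logged), which is why the OAuth 2.0 Security Best Current Practice recommends the authorization code grant with PKCE for browser-based clients instead of the implicit grant.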