OAuth2 Password Mode Authorization
The password mode (Resource Owner Password Credentials) differs from the authorization code mode in that no authorization code is needed to apply for the token: the token is applied for directly with the user's username and password.
The test is as follows:
POST request: http://localhost:40400/auth/oauth/token
Parameters:
grant_type: fixed as password (password mode authorization)
username: the user's account
password: the user's password
This endpoint also requires HTTP Basic authentication, with the client id as the username and the client secret as the password.
The above parameters are sent as x-www-form-urlencoded; the Postman test is as follows:
Note: When the token has not expired, the same user applies for a token again and no new token will be issued.
Check token
Spring Security Oauth2 provides endpoints for validating tokens, as follows:
GET: http://localhost:40400/auth/oauth/check_token?token=xxx
Parameters:
token: the access token to check
Use Postman to test as follows:
The result is as follows:
exp: expiration time, long type, the number of seconds since 1970 (note that new Date().getTime() returns the number of milliseconds since 1970, so it must be divided by 1000 before being compared with exp)
user_name: username
client_id: client id, configured in the oauth_client_details table
scope: client scope, configured in the oauth_client_details table
jti: unique identifier corresponding to the token
companyId, userpic, name, utype, id: these fields are user identity information that this authentication service adds on top of Spring Security
{
"companyId": null,
"userpic": null,
"user_name": "mrt",
"scope": [
"app"
],
"name": null,
"utype": null,
"id": null,
"exp": 1531254828,
"jti": "6a00f227-4c30-47dc-a959-c0c147806462",
"client_id": "XcWebApp"
}
Refresh token
Refreshing a token means regenerating a token when the current one is about to expire. Unlike authorization code authorization and password authorization, a refresh does not require an authorization code or a username and password: only the refresh token, together with the client id and client secret, is required.
The test is as follows:
POST: http://localhost:40400/auth/oauth/token
Parameters:
grant_type: fixed as refresh_token
refresh_token: the refresh token (the refresh_token value, not the access_token)
As with the password mode request, the client id and client secret are sent with HTTP Basic authentication.
If the refresh succeeds, a new access token and a new refresh token are issued, and the new token is valid for longer than the old one was.
Tokens are usually refreshed when the access token is about to expire.
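As an added example (not code from the original page or from the authentication service it describes), the following script shows how a resource server should act on the check_token response above: compare exp in seconds (handling the milliseconds-vs-seconds pitfall noted for new Date().getTime()), confirm the token was issued to the expected client_id with the required scope, and decide whether a refresh is due because the token is about to expire. The sample response is re-typed from the page, and the 5-minute refresh margin is an assumption.

```python
import json
import time

# Constructed sample: the check_token response from the page, re-typed as a JSON string
SAMPLE_CHECK_TOKEN = """{
  "companyId": null, "userpic": null, "user_name": "mrt",
  "scope": ["app"], "name": null, "utype": null, "id": null,
  "exp": 1531254828,
  "jti": "6a00f227-4c30-47dc-a959-c0c147806462",
  "client_id": "XcWebApp"
}"""

REFRESH_MARGIN_SECONDS = 300  # assumption: refresh once fewer than 5 minutes remain


def to_epoch_seconds(clock_value):
    """Normalise a clock reading to seconds since 1970.
    'exp' is in seconds, but new Date().getTime() style clocks give milliseconds;
    comparing the two directly would make every token look expired, so values
    far too large to be seconds are divided by 1000."""
    clock_value = int(clock_value)
    return clock_value // 1000 if clock_value > 10 ** 11 else clock_value


def evaluate_token(check_token_json, expected_client_id, required_scope, now=None):
    """Validate a check_token body as a resource server should:
    not expired, issued to the expected client, and carrying the needed scope.
    Returns a dict: valid, reason (None when valid), refresh_due, seconds_left."""
    info = json.loads(check_token_json)
    now = to_epoch_seconds(time.time() if now is None else now)
    seconds_left = int(info["exp"]) - now
    result = {"valid": False, "reason": None, "refresh_due": False, "seconds_left": seconds_left}
    if seconds_left <= 0:
        result.update(reason="expired", refresh_due=True)
    elif info.get("client_id") != expected_client_id:
        result.update(reason="client_id mismatch")
    elif required_scope not in info.get("scope", []):
        result.update(reason="missing scope")
    else:
        # Token is good; flag it for refresh when it is about to expire
        result.update(valid=True, refresh_due=seconds_left < REFRESH_MARGIN_SECONDS)
    return result


if __name__ == "__main__":
    # One hour before the sample's exp: valid, no refresh needed yet
    print(evaluate_token(SAMPLE_CHECK_TOKEN, "XcWebApp", "app", now=1531254828 - 3600))
```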