There is a guide how to implement OAuth2 using Spring and Spring Boot https://spring.io/guides/tutorials/spring-boot-oauth2/
I need to store OAuth2 information like accessToken, refreshToken in my database for future use. Right now I can only get accessToken. I can't figure out how to get refreshToken based on this guide.
What is the proper way to get refreshToken using approach described in this guide ?
UPDATED
I have an access to refreshToken in OAuth2ClientAuthenticationProcessingFilter.attemptAuthentication method but only accessToken is paased to ResourceServerTokenServices.loadAuthentication method.
Right now I don't understand how to get OAuth2 information based on this approach after successful authorization in Facebook and to reuse it for Facebook API calls. Please advise.
UPDATED
I have added JdbcClientTokenServices to my SSO filter but it doesn't work
private Filter ssoFilter(ClientResources client, String path) {
OAuth2ClientAuthenticationProcessingFilter clientFilter = new OAuth2ClientAuthenticationProcessingFilter(path);
OAuth2RestTemplate oAuth2RestTemplate = new OAuth2RestTemplate(client.getClient(), oauth2ClientContext);
//
AccessTokenProviderChain tokenProviderChain = new AccessTokenProviderChain(new ArrayList<>(Arrays.asList(new AuthorizationCodeAccessTokenProvider())));
tokenProviderChain.setClientTokenServices(new JdbcClientTokenServices(dataSource));
oAuth2RestTemplate.setAccessTokenProvider(tokenProviderChain);
//
clientFilter.setRestTemplate(oAuth2RestTemplate);
clientFilter.setTokenServices(new OkUserInfoTokenServices(okService, client.getClient().getClientId(), apiUrl, eventService));
clientFilter.setAuthenticationSuccessHandler(new UrlParameterAuthenticationHandler());
return clientFilter;
}
First of all: when working with OAuth2 it is necessary to have a good understanding of how the protocol works. It's not too difficult, but you need to have a good grasp of it to be able to work with it. In my opinion the best point of reference is the specification itself: https://www.rfc-editor.org/rfc/rfc6749
In response to the conversation below and the existing pull request https://github.com/spring-projects/spring-security-oauth/pull/499 I would (as long as the pull request isn't released) subclass OAuth2ClientAuthenticationProcessingFilter and include the changes as per pull request, then use that class in the ssoFilter method.
Thus:
package com.example;
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.client.filter.OAuth2ClientAuthenticationProcessingFilter;
import org.springframework.security.oauth2.client.token.ClientTokenServices;
public class OAuth2ClientAuthenticationProcessingAndSavingFilter extends OAuth2ClientAuthenticationProcessingFilter {
private ClientTokenServices clientTokenServices;
public OAuth2ClientAuthenticationProcessingAndSavingFilter(String defaultFilterProcessesUrl, ClientTokenServices clientTokenServices) {
super(defaultFilterProcessesUrl);
this.clientTokenServices = clientTokenServices;
}
@Override
protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response,
FilterChain chain, Authentication authResult) throws IOException, ServletException {
super.successfulAuthentication(request, response, chain, authResult);
if (clientTokenServices != null) {
clientTokenServices.saveAccessToken(restTemplate.getResource(), SecurityContextHolder.getContext()
.getAuthentication(), restTemplate.getAccessToken());
}
}
}
and
private Filter ssoFilter(ClientResources client, String path) {
OAuth2ClientAuthenticationProcessingAndSavingFilter clientFilter = new OAuth2ClientAuthenticationProcessingAndSavingFilter(path, clientTokenService);
...
and add a bean for your clientTokenService