1

I have a situation where the authorisation server is not returning the expires_in field in the token response, but the token expires after a certain time. Can I set this manually somewhere in my code?

Below is my code for ROPC.

    @Bean(name = "myROPCRestTemplate")
    public OAuth2RestTemplate myROPCRestTemplate() {
        OAuth2RestTemplate restTemplate = new OAuth2RestTemplate(myPasswordResourceDetails());
        restTemplate.setAccessTokenProvider(getAccessTokenProvider());
        return restTemplate;
    }

    private AccessTokenProvider getAccessTokenProvider() {
        ResourceOwnerPasswordAccessTokenProvider resourceOwnerPasswordAccessTokenProvider = new ResourceOwnerPasswordAccessTokenProvider();
        return new AccessTokenProviderChain(Collections.singletonList(resourceOwnerPasswordAccessTokenProvider));
    }

    private OAuth2ProtectedResourceDetails myPasswordResourceDetails() {
        ResourceOwnerPasswordResourceDetails resource = new ResourceOwnerPasswordResourceDetails();
        resource.setAccessTokenUri(tokenUrl);
        resource.setClientId(clientId);
        resource.setClientSecret(clientSecret);
        resource.setUsername(username);
        resource.setPassword(password);
        resource.setClientAuthenticationScheme(AuthenticationScheme.form);
        resource.setGrantType("password");
        return resource;
    }

Abbin Varghese

2 Answers

1

I know this is an old question, but maybe someone needs to override the AccessToken implementation, which is DefaultOAuth2AccessToken under the spring security oauth2 autoconfigure project. Here is the one workaround that we used. Our approach was not to extend the default access token or write a new access token from scratch using OAuth2AccessToken, but instead to create a ClientContext which extends DefaultOAuth2ClientContext and make the necessary changes on the same AccessToken during the set operation. Here is the code sample: first extend the client context, create a new component and make the necessary changes in setAccessToken (in this case setting the expiration):

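    @Component
    public class MyOAuth2ClientContext extends DefaultOAuth2ClientContext {

      @Override
      public void setAccessToken(OAuth2AccessToken accessToken) {
        if (accessToken == null) {
          // The context is cleared with null; the copy constructor below would throw on it.
          super.setAccessToken(null);
          return;
        }
        DefaultOAuth2AccessToken dxpAccessToken = new DefaultOAuth2AccessToken(accessToken);
        // new Date() is the current time, so the token counts as expired on any later check;
        // use a future Date here to give the token a real lifetime.
        dxpAccessToken.setExpiration(new Date());
        super.setAccessToken(dxpAccessToken);
      }
    }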

And finally, use your own context when constructing your OAuth2RestTemplate:

    @Configuration
    public class MyWebConfiguration {

      @Resource MyOAuth2ClientContext myOAuth2ClientContext;

      @Bean
      @ConfigurationProperties("spring.security.oauth2.client.authserver")
      protected ClientCredentialsResourceDetails authServerDetails() {
        return new ClientCredentialsResourceDetails();
      }

      @Bean(name = "myRestTemplate")
      protected RestTemplate myRestTemplate() {
        return new OAuth2RestTemplate(authServerDetails(), myOAuth2ClientContext);
      }

    }

Hope this will be helpful.

erhanasikoglu
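
A variant of the client-context approach from the answer above, as an added example that is not the answerer's or Spring's own code: it applies a locally assumed lifetime only when the token response carried no expiry, and passes a cleared (null) token through unchanged. The class name `FallbackExpiryClientContext`, its constructor parameters and any lifetime values are assumptions; the lifetime has to come from the authorization server's actual configuration.

```java
import java.time.Clock;
import java.time.Duration;
import java.util.Date;

import org.springframework.security.oauth2.client.DefaultOAuth2ClientContext;
import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2AccessToken;

/**
 * Added example (hypothetical class): client context that supplies an expiry
 * only when the authorization server's token response carried no expires_in.
 */
public class FallbackExpiryClientContext extends DefaultOAuth2ClientContext {

  private final Duration assumedLifetime; // assumption: the server's real token lifetime
  private final Duration safetyMargin;    // treat the token as expired this long before that
  private final Clock clock;              // injectable so the expiry logic can be tested

  public FallbackExpiryClientContext(Duration assumedLifetime, Duration safetyMargin, Clock clock) {
    if (assumedLifetime.compareTo(safetyMargin) <= 0) {
      throw new IllegalArgumentException("assumedLifetime must exceed safetyMargin");
    }
    this.assumedLifetime = assumedLifetime;
    this.safetyMargin = safetyMargin;
    this.clock = clock;
  }

  @Override
  public void setAccessToken(OAuth2AccessToken accessToken) {
    if (accessToken == null || accessToken.getExpiration() != null) {
      // Nothing to patch: either the token is being cleared, or the server
      // did send expires_in and its value must win over the local guess.
      super.setAccessToken(accessToken);
      return;
    }
    // Copy the token (value, type, scope, refresh token, additional info)
    // and stamp it with now + assumedLifetime - safetyMargin.
    DefaultOAuth2AccessToken patched = new DefaultOAuth2AccessToken(accessToken);
    Date expiry = Date.from(clock.instant().plus(assumedLifetime).minus(safetyMargin));
    patched.setExpiration(expiry);
    super.setAccessToken(patched);
  }
}
```

Pass an instance as the second argument to the `OAuth2RestTemplate` constructor, as in the configuration above. An assumed lifetime that is too short only causes extra token requests, while one that is too long causes calls to go out with a token the server has already expired.
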
0

You could register a DefaultTokenServices bean and configure it:

    @Bean
    @Primary
    public DefaultTokenServices tokenServices() {
        DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
        defaultTokenServices.setAccessTokenValiditySeconds(3600); // valid for one hour
        return defaultTokenServices;
    }
GoranLegenda