By default, Spring Authorization Server generates a unique token for each request. But the requirement is to return the same token if the previous token has not yet expired, and to generate a new token once it has expired. Is this even possible?


    // Registers a single confidential client that authenticates with HTTP Basic
    // and is only allowed the client_credentials grant.
    @Bean
    public RegisteredClientRepository registeredClientRepository() {
        RegisteredClient client = RegisteredClient
                .withId(UUID.randomUUID().toString())
                .clientId("client")
                .clientSecret("{noop}secret") // {noop}: secret stored in plain text, fine for a demo only
                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                .authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
                .clientSettings(ClientSettings.builder()
                        // only consulted for the *_jwt client authentication methods
                        .tokenEndpointAuthenticationSigningAlgorithm(SignatureAlgorithm.RS256)
                        .build())
                .tokenSettings(TokenSettings.builder()
                        .accessTokenFormat(OAuth2TokenFormat.SELF_CONTAINED) // JWT access tokens
                        .idTokenSignatureAlgorithm(SignatureAlgorithm.RS256) // no ID token is issued for client_credentials
                        .accessTokenTimeToLive(Duration.ofMinutes(30))
                        .build())
                .scope("read")
                .build();
        return new InMemoryRegisteredClientRepository(client);
    }

    // Issued authorizations (and their tokens) are kept in memory, so they are lost on restart.
    @Bean
    public OAuth2AuthorizationService authorizationService() {
        return new InMemoryOAuth2AuthorizationService();
    }
Sard

1 Answer

In Spring Authorization Server, generating a new access token for each request is the default behavior and aligns with the OAuth 2.0 specification.

However, if you have a specific requirement to generate the same token as long as it's not expired, you can implement a custom solution.

Here's one approach:

  1. Create a custom implementation of the OAuth2TokenGenerator interface to generate and manage access tokens. You can extend the existing DefaultOAuth2TokenGenerator class provided by Spring Authorization Server.

  2. Override the generateAccessToken() method in your custom token generator implementation. Within this method, check if there is a valid (not expired) access token already available. If so, return the existing token instead of generating a new one. Otherwise, delegate to the superclass (DefaultOAuth2TokenGenerator) to generate a new access token.

  3. Configure your custom token generator as the bean for OAuth2TokenGenerator in your Spring application context.

  4. Ensure that the OAuth2AuthorizationService uses your custom token generator by creating a bean of type OAuth2AuthorizationService and returning an instance of DefaultOAuth2AuthorizationService with your custom token generator injected.

Of course, note that implementing such custom logic deviates from standard OAuth 2.0 behavior and may introduce security risks or violate the protocol's principles.

Soheil Babadi
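The steps above, worked through as an added example; this is not code from the question or the answer. It targets Spring Authorization Server 1.x, implements OAuth2TokenGenerator directly, and wraps the JwtGenerator / OAuth2AccessTokenGenerator / OAuth2RefreshTokenGenerator chain that the framework ships, since the access token for the client_credentials grant is the one the question wants shared. The class name ReusingClientCredentialsTokenGenerator, the minimumRemainingLifetime parameter and the 30-second value are this example's own choices. It assumes a JWKSource<SecurityContext> bean exists, as in the standard configuration, and leaves the OAuth2AuthorizationService bean from the question unchanged: the OAuth2TokenGenerator bean is picked up by the authorization server configuration on its own.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.TreeSet;
import java.util.concurrent.ConcurrentHashMap;

import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.SecurityContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.lang.Nullable;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.OAuth2Token;
import org.springframework.security.oauth2.jwt.NimbusJwtEncoder;
import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
import org.springframework.security.oauth2.server.authorization.token.DelegatingOAuth2TokenGenerator;
import org.springframework.security.oauth2.server.authorization.token.JwtGenerator;
import org.springframework.security.oauth2.server.authorization.token.OAuth2AccessTokenGenerator;
import org.springframework.security.oauth2.server.authorization.token.OAuth2RefreshTokenGenerator;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenContext;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenGenerator;

/**
 * Hands back the previously issued client_credentials access token while it still
 * has enough lifetime left; everything else goes to the wrapped generator.
 * Class name and the minimumRemainingLifetime parameter are this example's own.
 */
public final class ReusingClientCredentialsTokenGenerator implements OAuth2TokenGenerator<OAuth2Token> {

    private final OAuth2TokenGenerator<? extends OAuth2Token> delegate;
    private final Duration minimumRemainingLifetime;
    // clientId + sorted authorized scopes -> last token issued for that pair
    private final Map<String, OAuth2Token> issued = new ConcurrentHashMap<>();

    public ReusingClientCredentialsTokenGenerator(OAuth2TokenGenerator<? extends OAuth2Token> delegate,
                                                  Duration minimumRemainingLifetime) {
        this.delegate = delegate;
        this.minimumRemainingLifetime = minimumRemainingLifetime;
    }

    @Override
    @Nullable
    public OAuth2Token generate(OAuth2TokenContext context) {
        // Only access tokens for client_credentials are shared; refresh tokens,
        // ID tokens and other grants are minted fresh every time as before.
        if (!OAuth2TokenType.ACCESS_TOKEN.equals(context.getTokenType())
                || !AuthorizationGrantType.CLIENT_CREDENTIALS.equals(context.getAuthorizationGrantType())) {
            return this.delegate.generate(context);
        }
        // compute() is atomic per key, so two concurrent requests from the same
        // client cannot both mint a token and then overwrite each other.
        return this.issued.compute(cacheKey(context), (key, existing) ->
                (existing != null && stillUsable(existing)) ? existing : this.delegate.generate(context));
    }

    /** Drops the cached tokens of one client, e.g. after one of them is revoked. */
    public void evict(String clientId) {
        this.issued.keySet().removeIf(key -> key.startsWith(clientId + "|"));
    }

    private boolean stillUsable(OAuth2Token token) {
        Instant expiresAt = token.getExpiresAt();
        // A token without an expiry is never reused: it would be handed out forever.
        return expiresAt != null && expiresAt.isAfter(Instant.now().plus(this.minimumRemainingLifetime));
    }

    private static String cacheKey(OAuth2TokenContext context) {
        // Scopes are part of the key so a request for "read" never receives a
        // token that was minted for "read write".
        return context.getRegisteredClient().getClientId() + "|"
                + String.join(" ", new TreeSet<>(context.getAuthorizedScopes()));
    }
}

@Configuration
class TokenGeneratorConfig {

    @Bean
    OAuth2TokenGenerator<? extends OAuth2Token> tokenGenerator(JWKSource<SecurityContext> jwkSource) {
        // The same chain Spring Authorization Server builds by default, placed behind the cache.
        JwtGenerator jwtGenerator = new JwtGenerator(new NimbusJwtEncoder(jwkSource));
        OAuth2TokenGenerator<? extends OAuth2Token> defaults = new DelegatingOAuth2TokenGenerator(
                jwtGenerator, new OAuth2AccessTokenGenerator(), new OAuth2RefreshTokenGenerator());
        // Reuse only while at least 30 s remain (illustrative value), so a caller is
        // never handed a token that expires before it can be used.
        return new ReusingClientCredentialsTokenGenerator(defaults, Duration.ofSeconds(30));
    }
}
```

Each successful token request still saves its own OAuth2Authorization, so the same token value ends up in several records; with the InMemoryOAuth2AuthorizationService from the question that is harmless, but with a persistent store check how findByToken behaves when several rows share a value. The cached token keeps being handed out until it expires, so whatever revokes it (the revocation endpoint, an administrative action) must also call evict(clientId), otherwise a revoked token is re-issued to the next caller.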