  • Making an access token long lived


    Could anyone let me know how to make the access token long lived, i.e. with an infinite expiry time, so that each time the client accesses the service provider he is indirectly authenticated on behalf of the user and neither does he get the Authorize/Deny page?

    Also, in the sparklr and tonr samples of OAuth for Spring Security I have implemented the RandomValueOAuth2ProviderTokenServices interface so as to manage the persisting of the tokens in the database. Here, I would like to check whether the user on the service provider has already authorized a particular client, in which case he should not be redirected to the Authorize/Deny page again. Could anyone let me know where exactly I should be doing this check?


  • #2
    To make a non-expiring access token you need to provide a null expiration to OAuth2AccessToken when you create it in your OAuth2ProviderTokenServices.

    Remembering authorization decisions for individual client/user combinations would be a new feature in the framework. You could open a JIRA ticket to track it, and if you also implement something yourself you could contribute it back to the project. I need it for a project I am working on as well, but it isn't the top priority right now.
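    As an added example (not sparklr/tonr code and not the framework's own token services), the following shows the convention from the reply above: a token whose expiration is left null is treated as never expiring, and every place that reads the expiration must therefore tolerate null. It assumes OAuth2AccessToken has a no-arg constructor plus setValue(String), setExpiration(Date) and getExpiration() as in the snapshot discussed here; the in-memory map stands in for the poster's database table.

```java
import java.util.Date;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.security.oauth2.common.OAuth2AccessToken;

/**
 * Added example, not part of sparklr/tonr or the framework.
 * Assumes OAuth2AccessToken exposes setValue/setExpiration/getExpiration.
 */
public class LongLivedTokenStore {

    /** Validity in seconds; zero or negative means "never expires". */
    private final int accessTokenValiditySeconds;

    /** Stand-in for the poster's database table, keyed by token value. */
    private final Map<String, OAuth2AccessToken> store =
            new ConcurrentHashMap<String, OAuth2AccessToken>();

    public LongLivedTokenStore(int accessTokenValiditySeconds) {
        this.accessTokenValiditySeconds = accessTokenValiditySeconds;
    }

    /** Creates and stores a token; the expiration stays null when validity is not positive. */
    public OAuth2AccessToken createAccessToken(String tokenValue) {
        OAuth2AccessToken token = new OAuth2AccessToken();
        token.setValue(tokenValue);
        if (accessTokenValiditySeconds > 0) {
            token.setExpiration(new Date(System.currentTimeMillis()
                    + accessTokenValiditySeconds * 1000L));
        }
        // otherwise the expiration is left null: the token is long lived
        store.put(tokenValue, token);
        return token;
    }

    /** Null-safe expiry check: a null expiration means the token never expires. */
    public static boolean isExpired(OAuth2AccessToken token) {
        Date expiration = token.getExpiration();
        return expiration != null && System.currentTimeMillis() > expiration.getTime();
    }

    /** Looks a token up, evicting it if it has expired; null if absent or expired. */
    public OAuth2AccessToken readAccessToken(String tokenValue) {
        OAuth2AccessToken token = store.get(tokenValue);
        if (token == null) {
            return null;
        }
        if (isExpired(token)) {
            store.remove(tokenValue);
            return null;
        }
        return token;
    }

    /** Revocation is the only way a non-expiring token ever stops working. */
    public boolean revoke(String tokenValue) {
        return store.remove(tokenValue) != null;
    }

    public static void main(String[] args) {
        // constructed token values, no real server involved
        LongLivedTokenStore forever = new LongLivedTokenStore(0);
        OAuth2AccessToken longLived = forever.createAccessToken("constructed-token-1");
        System.out.println("expiration=" + longLived.getExpiration()
                + " expired=" + isExpired(longLived));          // expiration=null expired=false

        LongLivedTokenStore oneHour = new LongLivedTokenStore(3600);
        OAuth2AccessToken timed = oneHour.createAccessToken("constructed-token-2");
        System.out.println("expiration=" + timed.getExpiration()
                + " expired=" + isExpired(timed));              // a Date one hour ahead, expired=false

        forever.revoke("constructed-token-1");
        System.out.println("after revoke: " + forever.readAccessToken("constructed-token-1")); // null
    }
}
```

    Two practical points follow from this. First, a bare `getExpiration().getTime()` anywhere in the token services throws a NullPointerException as soon as the first non-expiring token is issued, so the null guard has to be applied in every read path, not just one. Second, a token with no expiry is a standing credential for the user: the store needs an explicit revoke operation (and the revoke should be exercised when the user or client is deleted), because nothing else will ever invalidate it.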


    • #3
      Thanks for the quick reply.
      What I also want is that, for a non-expiring access token, when the client accesses the service provider with that particular token he should indirectly be authenticated on behalf of the user, neither get the Authorize/Deny page, and directly access the resources on the service provider with this long lived token. I guess this would require saving the long lived token in the datastore for each user on the service provider.
      Is this possible now in sparklr and tonr samples?
      Could you please give a few inputs on the same.



      • #4
        Everything is possible ;-). In fact, I think if the access token is non-expiring it probably should just work, as long as the user is authenticated. If I'm right about that, sparklr2 just needs your enhanced OAuth2ProviderTokenServices. Did you try it?


        • #5
          Yes I have implemented OAuth2ProviderTokenServices for my own custom TokenServices Provider and have set the expiration date to null with
          private boolean isExpired(OAuth2AccessToken accessToken) {
              // a null expiration means the token never expires
              if (accessToken.getExpiration() == null) return false;
              return System.currentTimeMillis() > accessToken.getExpiration().getTime();
          }
          So in this case my token will never expire.
          Now I need a requirement in such a way that the client itself should pass this long lived access token without the service provider prompting for authentication.
          This requirement is the same as the offline_access permission provided by other providers such as Facebook.
          So how can we implement this in sparklr?



          • #6
            Authentication is a different concern to OAuth2 authorization and it should be orthogonal. Sparklr is a bit of a strange place to be testing this because it is both an authorization server and a resource server. But you should be able to switch off authentication for whatever set of URLs you want to make available only to your "offline" clients - it's pretty much a standard Spring Security feature set. To prevent online access you will need to use the ScopeVoter (as is already demonstrated in Sparklr2).


            • #7
              I was just going through the oauth doc and observed that "Resource Owner Password Credentials" way of obtaining authorization may serve this requirement.
              To just give a try, I changed the type attribute of oauth:resource in tonr application as
              <oauth:resource id="sparklr" type="password" clientId="tonr" clientSecret="secret" accessTokenUri="${accessTokenUri}" scope="read" />
              As specified in the doc "The resource owner password credentials (i.e. username and password) can be used directly as an authorization grant to obtain an access token."
              Where can I specify the username and password?
              Also, changed the authorizedGrantTypes of tonr client in sparklr application to password.
              But I get the following exception:
              AccessTokenRequiredException: No OAuth 2 security context has been established. Unable to access resource 'sparklr'.
              Could you please help me out on how to implement this?



              • #8
                There is no client side support for password grants. You just send a request to the token endpoint (as per the spec) and get back a token. E.g.

                $ curl -s -L -H "Accept: application/json" localhost:8080/sparklr/oauth/token?grant_type=password\&client_id=...\&username=...\&password=...\&response_type=code\&scope=...
                (The URL above is the new default as of yesterday - older snapshots use /oauth/authorize for the token endpoint.)
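                As an added example (not sparklr/tonr code, and not something the framework supplied at the time, which is the point of the reply above), this is the client side of a resource owner password credentials grant written by hand: build the form body, POST it to the token endpoint and pull the access token out of the JSON response. It assumes the token endpoint http://localhost:8080/sparklr/oauth/token and the tonr client id/secret from the thread; the response field names (access_token, expires_in) follow the OAuth 2 draft. It sends the grant as a POST with a form body, which is the shape the spec describes, rather than as a GET with query parameters like the curl line.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example, not part of sparklr/tonr: a minimal password-grant client.
 * Assumed endpoint and client credentials are taken from the thread.
 */
public class PasswordGrantClient {

    private final String tokenEndpoint;
    private final String clientId;
    private final String clientSecret;

    public PasswordGrantClient(String tokenEndpoint, String clientId, String clientSecret) {
        this.tokenEndpoint = tokenEndpoint;
        this.clientId = clientId;
        this.clientSecret = clientSecret;
    }

    /** Builds the application/x-www-form-urlencoded body for the grant. */
    public String buildRequestBody(String username, String password, String scope) throws IOException {
        Map<String, String> params = new LinkedHashMap<String, String>();
        params.put("grant_type", "password");
        params.put("client_id", clientId);
        params.put("client_secret", clientSecret);
        params.put("username", username);
        params.put("password", password);
        params.put("scope", scope);
        StringBuilder body = new StringBuilder();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (body.length() > 0) body.append('&');
            body.append(URLEncoder.encode(e.getKey(), "UTF-8"))
                .append('=')
                .append(URLEncoder.encode(e.getValue(), "UTF-8"));
        }
        return body.toString();
    }

    /** Pulls access_token out of the JSON token response; a real client should use a JSON parser. */
    public static String extractAccessToken(String json) {
        Matcher m = Pattern.compile("\"access_token\"\\s*:\\s*\"([^\"]+)\"").matcher(json);
        if (!m.find()) {
            throw new IllegalStateException("no access_token in token response: " + json);
        }
        return m.group(1);
    }

    /** POSTs the grant to the token endpoint and returns the access token value. */
    public String obtainAccessToken(String username, String password, String scope) throws IOException {
        byte[] body = buildRequestBody(username, password, scope).getBytes("UTF-8");
        HttpURLConnection conn = (HttpURLConnection) new URL(tokenEndpoint).openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Accept", "application/json");
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        OutputStream out = conn.getOutputStream();
        try {
            out.write(body);
        } finally {
            out.close();
        }
        int status = conn.getResponseCode();
        String response = readAll(status < 400 ? conn.getInputStream() : conn.getErrorStream());
        if (status != 200) {
            // do not echo the password; the response body carries the server's error code
            throw new IOException("token endpoint returned " + status + ": " + response);
        }
        return extractAccessToken(response);
    }

    private static String readAll(InputStream in) throws IOException {
        if (in == null) return "";
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] chunk = new byte[4096];
        int n;
        try {
            while ((n = in.read(chunk)) != -1) buf.write(chunk, 0, n);
        } finally {
            in.close();
        }
        return buf.toString("UTF-8");
    }

    public static void main(String[] args) throws IOException {
        PasswordGrantClient client = new PasswordGrantClient(
                "http://localhost:8080/sparklr/oauth/token", "tonr", "secret");
        // constructed token response, so the parsing step is visible without a running sparklr
        String sample = "{\"access_token\":\"constructed-abc123\",\"token_type\":\"bearer\",\"expires_in\":3600}";
        System.out.println(extractAccessToken(sample));
        // live call, once sparklr runs with "password" in the client's authorizedGrantTypes:
        // String token = client.obtainAccessToken("<user>", "<password>", "read");
    }
}
```

                The client must hold the resource owner's username and password to use this grant, which is why it only makes sense for a client the service provider trusts as much as its own front end; the server must also list password among the client's authorizedGrantTypes, or the token endpoint will refuse the request.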


                • #9
                  Thanks Dave.