Announcement Announcement Module
No announcement yet.
Not getting refresh token back from service Page Title Module
Move Remove Collapse
Conversation Detail Module
  • Filter
  • Time
  • Show
Clear All
new posts

  • Not getting refresh token back from service

    I am calling a REST based web service which is Oauth2 protected. client is a simple Java standalone client(which uses RestTemplate). Below is the calling code and configuration. I use the /oauth/token url to get the token.
    Grant types for my client are set as 'client_credentials,refresh_token' in DB.
    When I try to get the refresh token from the token sent back I am seeing that it is null. I am seeing that refresh token is getting written in the DB tables -oauth_access_token, oauth_refresh_token by the service. Please advice where it is getting lost. Am I missing any config here ?
    Service side config for Spring-security and Oauth :
    <?xml version="1.0" encoding="UTF-8" ?>
    <beans xmlns="" xmlns:xsi=""
    	xmlns:oauth="" xmlns:sec=""
    	<http pattern="/oauth/token" create-session="stateless" authentication-manager-ref="authenticationManager"
    		<intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />
    		<anonymous enabled="false" />
    		<http-basic entry-point-ref="clientAuthenticationEntryPoint" />
    		<access-denied-handler ref="oauthAccessDeniedHandler" />
    	<!-- The OAuth2 protected resources are separated out into their own block so we can deal with authorization and error handling 
    		separately. This isn't mandatory, but it makes it easier to control the behaviour. -->
    	<http pattern="/ws/claims/**" create-session="stateless" entry-point-ref="oauthAuthenticationEntryPoint"
    		access-decision-manager-ref="accessDecisionManager" xmlns="">
    		<anonymous enabled="false" />
    		<intercept-url pattern="/ws/claims/**" access="ROLE_CLIENT,SCOPE_READ" />
    		<custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
    		<access-denied-handler ref="oauthAccessDeniedHandler" />
    	<bean id="oauthAuthenticationEntryPoint" class="">
    		<property name="realmName" value="claimhistory" />
    	<bean id="clientAuthenticationEntryPoint" class="">
    		<property name="realmName" value="claimhistory/client" />
    		<property name="typeName" value="Basic" />
    	<bean id="oauthAccessDeniedHandler" class="" />
    	<bean id="clientCredentialsTokenEndpointFilter" class="">
    		<property name="authenticationManager" ref="authenticationManager" />
    	<bean id="accessDecisionManager" class="" xmlns="">
    				<bean class="" />
    				<bean class="" />
    				<bean class="" />
    	<authentication-manager alias="authenticationManager" xmlns="">
    		<authentication-provider user-service-ref="clientDetailsUserService" />
    	<bean id="clientDetailsUserService" class="">
    		<constructor-arg ref="clientDetails" />
    	<bean id="tokenStore" class="">
    		 <constructor-arg index="0"><ref bean="dataSource"/></constructor-arg>
    	<bean id="tokenServices" class="">
    		<property name="tokenStore" ref="tokenStore" />
    		<property name="supportRefreshToken" value="true" />
    		<property name="clientDetailsService" ref="clientDetails" />
    	<bean id="userApprovalHandler" class="">
    		<property name="tokenServices" ref="tokenServices" />
    	<oauth:authorization-server client-details-service-ref="clientDetails" token-services-ref="tokenServices"
    		<oauth:authorization-code />
    		<oauth:implicit />
    		<oauth:refresh-token />
    		<oauth:client-credentials />
    		<oauth:password />
    	<oauth:resource-server id="resourceServerFilter" resource-id="claimhistory" token-services-ref="tokenServices" />
    	<bean id="clientDetails" class="">
    		<constructor-arg index="0"><ref bean="dataSource"/></constructor-arg>
    	<mvc:annotation-driven />
    	<mvc:default-servlet-handler />
    	<sec:global-method-security pre-post-annotations="enabled" proxy-target-class="true">
    		<!--you could also wire in the expression handler up at the layer of the http filters. See -->
    		<sec:expression-handler ref="oauthExpressionHandler" />
    	<oauth:expression-handler id="oauthExpressionHandler" />
    	<oauth:web-expression-handler id="oauthWebExpressionHandler" />
    	<!--Basic application beans. -->
    	<bean id="viewResolver" class="org.springframework.web.servlet.view.ContentNegotiatingViewResolver">
    		<property name="mediaTypes">
    				<entry key="json" value="application/json" />
    		<property name="viewResolvers">
    			<bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
    				<property name="prefix" value="/WEB-INF/jsp/"></property>
    				<property name="suffix" value=".jsp"></property>
    		<property name="defaultViews">
    			<bean class="org.springframework.web.servlet.view.json.MappingJacksonJsonView">
    				<property name="extractValueFromSingleKeyModel" value="true" />
    	<bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource" destroy-method="close">
    		<property name="driverClassName" value="oracle.jdbc.driver.OracleDriver"/>
    		<property name="url" value=""/>
    		<property name="username" value="liferayAppUserQ"/>
    		<property name="password" value="W3lc0m301"/>
    //Client calling code : 
    ClientCredentialsResourceDetails resource = new ClientCredentialsResourceDetails();
    		resource.setClientId("my-client-with-secret"); //my-client-with-registered-redirect
    		System.out.println("is client only -- > " + resource.isClientOnly());	
    		OAuth2RestTemplate template2 = new OAuth2RestTemplate(resource);
    		OAuth2AccessToken oldToken = template2.getAccessToken();
    		System.out.println("Token value ->"+oldToken.getValue());
    		System.out.println("Token type ->"+oldToken.getTokenType());
                     //refresh token is null here
    		System.out.println("refresh token -- > " + oldToken.getRefreshToken().getValue());

  • #2
    The spec says that client credentials are not allowed to get a refresh token (that's a quote from a comment in the token granter). It's hard to see why you'd need it, since by definition you trust a client that can get a token this way and wouldn't expect it to leak access tokens.


    • #3
      Ok. So then I will set up a validity for access token. Once that expires , I will send a new request for getting the access token.
      Does that sound correct ?


      • #4
        Sounds perfectly valid to me. If you use Spring OAuth as a client you should get the new token for free next time you access the resource and the old token has expired.