Announcement Announcement Module
No announcement yet.
DefaultTokenServices - Creating custom access and refresh token values Page Title Module
Move Remove Collapse
Conversation Detail Module
  • Filter
  • Time
  • Show
Clear All
new posts

  • DefaultTokenServices - Creating custom access and refresh token values

    Good morning,

    I am working on integrating Spring Security OAuth 2.0 into my application and had some custom requirements for generating the custom values for the access and refresh tokens instead of using UUID.randomUUID().toString().

    As it stands now, the DefaultTokenServices has two private methods, createRefreshToken and createAccessToken. Since both of these are marked as private it makes it more difficult to generate a custom value for the access and the refresh tokens. I was thinking about using the TokenEnhancer to be able to overwrite the value of the accessToken with my custom value, but the same can't be done for the refreshToken.

    Does it make sense to introduce a something like a TokenGenerationStrategy interface that would be responsible for knowing how to create the string value of the token?

    public interface TokenGenerationStrategy {
       public String generateAccessToken();
       public String generateRefreshToken();
    If there is some other way of doing this that I am not seeing, then I'll use that, otherwise if this sounds reasonable, I can create a JIRA issue with the details.

  • #2
    Try a TokenEnhancer. That's what most people use.


    • #3
      The TokenEnhancer will work for the access token as it can be modified after the fact, but not for the refresh token as there is only a TokenEnhancer for the accessToken.

      private ExpiringOAuth2RefreshToken createRefreshToken(OAuth2Authentication authentication) {
      		if (!isSupportRefreshToken(authentication.getAuthorizationRequest())) {
      			return null;
      		int validitySeconds = getRefreshTokenValiditySeconds(authentication.getAuthorizationRequest());
      		ExpiringOAuth2RefreshToken refreshToken = new DefaultExpiringOAuth2RefreshToken(UUID.randomUUID().toString(),
      				new Date(System.currentTimeMillis() + (validitySeconds * 1000L)));
      		return refreshToken;
      	private OAuth2AccessToken createAccessToken(OAuth2Authentication authentication, OAuth2RefreshToken refreshToken) {
      		DefaultOAuth2AccessToken token = new DefaultOAuth2AccessToken(UUID.randomUUID().toString());
      		int validitySeconds = getAccessTokenValiditySeconds(authentication.getAuthorizationRequest());
      		if (validitySeconds > 0) {
      			token.setExpiration(new Date(System.currentTimeMillis() + (validitySeconds * 1000L)));
      		return accessTokenEnhancer != null ? accessTokenEnhancer.enhance(token, authentication) : token;
      If a stragegy class can't be added to generate the string values of the token, its there a reason for not having a refreshTokenEnhancer?



      • #4
        Originally posted by mveitas View Post
        If a stragegy class can't be added to generate the string values of the token, its there a reason for not having a refreshTokenEnhancer?
        I think the reason is that a refresh token is just a string, so it is never rendered any other way and there is no enhancement to be done. On the face of it you have a point - the content of the String could encode some state for the auth server - so it's probably worth adding a strategy for that. We will be doing JWT tokens for 1.1, so it will definitely happen then (no TokenStore is needed then). In the meantime I suggest you extend DefaultTokenServices.