Question
I am wondering what's the best way to do this. My scenario is the following:
I have separate oauth2 server and resource server sharing the auth information via database. The user authentication is being made by a provider that extends from AbstractUserDetailsAuthenticationProvider. Whenever I build UserDetails object, I attach the authorities to that user details. The thing is, a specific call to my resource server might change the user authorities. As far as I understand the UserDetails is stored serialized in the database, which seems to make the process even more difficult.
My question: is there a way of doing this right? Or better, is the API prepared to handle such a requirement? If not, what are my options here?
Also note that the server that will somehow make a possible change in the authorities is the resource server and not the one running the oauth2 stuff.
Answer 1:
I suppose the way you handle this depends on your business requirements. An access token is a bit like a session - it expires and it can be revoked in one way or another. Most easily the approvals can be revoked and the refresh token thereby disabled, so the most straightforward way to handle the authority change is to use a short expiry for the access token and re-load the authorities when you refresh. (The 2.0.7 snapshots have some configuration options to make that easy or automatic, but it's work in progress.)
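As an added example (not code from the question or the answer above), this is what the approach the answer describes looks like as a Spring Security OAuth2 authorization-server configuration: a short access-token lifetime, a JDBC token store shared with the resource server, and a UserDetailsService wired into the token endpoint so the user's authorities are re-read from the database on every refresh. The client id, secret, scopes and lifetimes are constructed sample values, and it assumes a spring-security-oauth2 2.0.x release whose endpoints configurer exposes userDetailsService().

```java
import javax.sql.DataSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.provider.token.store.JdbcTokenStore;

@Configuration
@EnableAuthorizationServer
public class ShortLivedTokenAuthServerConfig extends AuthorizationServerConfigurerAdapter {

    @Autowired private AuthenticationManager authenticationManager;
    @Autowired private UserDetailsService userDetailsService; // reads current authorities from the DB
    @Autowired private DataSource dataSource;                 // same DB the resource server uses

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            .withClient("resource-client")           // constructed sample client id
            .secret("change-me")                     // placeholder secret, not a real value
            .authorizedGrantTypes("password", "refresh_token")
            .scopes("read", "write")
            // Short access-token lifetime: bounds how long a token carrying
            // stale (already revoked or changed) authorities remains usable.
            .accessTokenValiditySeconds(300)
            .refreshTokenValiditySeconds(24 * 3600);
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints
            // The serialized OAuth2Authentication (with its authorities) lives in this
            // store, which is why the resource server keeps seeing the old authorities
            // until a new access token is issued.
            .tokenStore(new JdbcTokenStore(dataSource))
            .authenticationManager(authenticationManager)
            // On grant_type=refresh_token, DefaultTokenServices re-authenticates the user
            // through this UserDetailsService, so authorities changed in the database since
            // the original login end up in the freshly issued access token.
            .userDetailsService(userDetailsService);
    }
}
```

If an authority change must take effect immediately rather than at the next refresh, the stored access token can additionally be removed from the token store (e.g. `JdbcTokenStore.removeAccessToken`), forcing the client to refresh straight away.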
Source: https://stackoverflow.com/questions/28947285/oauth2-reload-user-authorities