同事有问到OAuth2 token过期时间是多少,查看了一下资料和源码,整理如下。

应用(client)向OAuth2获取token的时候,会根据各个应用的配置(ClientDetails)设置token的过期时间。

参考BaseClientDetails中的字段定义:

public class BaseClientDetails implements ClientDetails {

    /**
     * Per-client access-token lifetime in seconds (serialized as {@code access_token_validity}).
     * {@code null} means "not configured"; the token service then applies its own default.
     */
    @org.codehaus.jackson.annotate.JsonProperty("access_token_validity")
    @com.fasterxml.jackson.annotation.JsonProperty("access_token_validity")
    private Integer accessTokenValiditySeconds;

    /**
     * Per-client refresh-token lifetime in seconds (serialized as {@code refresh_token_validity}).
     * {@code null} means "not configured"; the token service then applies its own default.
     */
    @org.codehaus.jackson.annotate.JsonProperty("refresh_token_validity")
    @com.fasterxml.jackson.annotation.JsonProperty("refresh_token_validity")
    private Integer refreshTokenValiditySeconds;
}

对应db中OAUTH_CLIENT_DETAIL表中的access_token_validity和refresh_token_validity字段。
分别表示access token和refresh token的有效期(秒)。这两个字段在创建token的时候会被使用到,参考DefaultTokenServices中的以下方法。

/**
 * Excerpt of DefaultTokenServices showing how access- and refresh-token lifetimes are derived.
 * Only the lifetime-related members are shown; {@code clientDetailsService},
 * {@code accessTokenEnhancer} and {@code isSupportRefreshToken} are defined elsewhere in the class.
 */
public class DefaultTokenServices implements AuthorizationServerTokenServices, ResourceServerTokenServices,
        ConsumerTokenServices, InitializingBean {

    /**
     * Fallback refresh-token lifetime (30 days). Used only when the client's
     * refresh_token_validity is {@code null}; a configured 0 does not fall back to this value.
     */
    private int refreshTokenValiditySeconds = 30 * 24 * 60 * 60;

    /**
     * Fallback access-token lifetime (12 hours). Used only when the client's
     * access_token_validity is {@code null}; a configured 0 does not fall back to this value.
     */
    private int accessTokenValiditySeconds = 12 * 60 * 60;

    /**
     * Computes an absolute expiry from the server clock.
     *
     * @param validitySeconds lifetime in seconds; callers only pass positive values
     * @return now plus {@code validitySeconds}
     */
    private static Date expiresAfter(int validitySeconds) {
        // Multiply as long so large lifetimes cannot overflow an int.
        return new Date(System.currentTimeMillis() + (validitySeconds * 1000L));
    }

    /**
     * Creates the refresh token for an authentication.
     * The token value is a random UUID (UUID.randomUUID() is SecureRandom-backed in the JDK).
     *
     * @param authentication the authenticated request
     * @return an expiring refresh token when the resolved lifetime is positive, a non-expiring
     *         one when it is 0 or negative, or {@code null} when the request does not support
     *         refresh tokens
     */
    private OAuth2RefreshToken createRefreshToken(OAuth2Authentication authentication) {
        if (!isSupportRefreshToken(authentication.getOAuth2Request())) {
            return null;
        }
        int lifetime = getRefreshTokenValiditySeconds(authentication.getOAuth2Request());
        String tokenValue = UUID.randomUUID().toString();
        if (lifetime <= 0) {
            // NOTE(review): 0 or a negative per-client value yields a refresh token that never
            // expires; treat such a configuration as deliberate only if it was reviewed.
            return new DefaultOAuth2RefreshToken(tokenValue);
        }
        return new DefaultExpiringOAuth2RefreshToken(tokenValue, expiresAfter(lifetime));
    }

    /**
     * Creates the access token for an authentication and attaches the given refresh token.
     *
     * @param authentication the authenticated request
     * @param refreshToken   the refresh token to attach (may be {@code null})
     * @return the access token, passed through {@code accessTokenEnhancer} when one is configured
     */
    private OAuth2AccessToken createAccessToken(OAuth2Authentication authentication, OAuth2RefreshToken refreshToken) {
        DefaultOAuth2AccessToken accessToken = new DefaultOAuth2AccessToken(UUID.randomUUID().toString());
        int lifetime = getAccessTokenValiditySeconds(authentication.getOAuth2Request());
        // A lifetime of 0 or less leaves the expiration unset, i.e. the access token never expires.
        if (lifetime > 0) {
            accessToken.setExpiration(expiresAfter(lifetime));
        }
        accessToken.setRefreshToken(refreshToken);
        accessToken.setScope(authentication.getOAuth2Request().getScope());
        if (accessTokenEnhancer == null) {
            return accessToken;
        }
        return accessTokenEnhancer.enhance(accessToken, authentication);
    }

    /**
     * The access token validity period in seconds.
     * Resolution order: the client's configured value (when a ClientDetailsService is wired and
     * the value is non-null), otherwise the service-wide default.
     *
     * @param clientAuth the current authorization request
     * @return the access token validity period in seconds
     */
    protected int getAccessTokenValiditySeconds(OAuth2Request clientAuth) {
        if (clientDetailsService == null) {
            return accessTokenValiditySeconds;
        }
        ClientDetails client = clientDetailsService.loadClientByClientId(clientAuth.getClientId());
        Integer configured = client.getAccessTokenValiditySeconds();
        return configured != null ? configured : accessTokenValiditySeconds;
    }

    /**
     * The refresh token validity period in seconds.
     * Resolution order: the client's configured value (when a ClientDetailsService is wired and
     * the value is non-null), otherwise the service-wide default.
     *
     * @param clientAuth the current authorization request
     * @return the refresh token validity period in seconds
     */
    protected int getRefreshTokenValiditySeconds(OAuth2Request clientAuth) {
        if (clientDetailsService == null) {
            return refreshTokenValiditySeconds;
        }
        ClientDetails client = clientDetailsService.loadClientByClientId(clientAuth.getClientId());
        Integer configured = client.getRefreshTokenValiditySeconds();
        return configured != null ? configured : refreshTokenValiditySeconds;
    }

}

access_token_validity和refresh_token_validity均按照秒数进行配置,过期时间为当前时间加配置秒数值。

  • 如果 access_token_validity 为空(null),则access token 过期时间默认为12小时;
  • 如果 access_token_validity 为0(代码中按 validitySeconds > 0 判断是否设置过期时间),则access token 永远不会过期;
  • 如果 refresh_token_validity 为空(null),则refresh token 过期时间默认为30天;
  • 如果 refresh_token_validity 为0(同样按 validitySeconds > 0 判断),则refresh token 永远不会过期;