2
votes

In Spring Security OAuth2, getting an access token and refreshing a token use the same endpoint '/oauth/token', and the two are distinguished by the parameter grant_type 'code' or 'refresh_token'.

        if (isAuthCodeRequest(parameters)) {
            // The scope was requested or determined during the authorization step
            if (!tokenRequest.getScope().isEmpty()) {
                logger.debug("Clearing scope of incoming token request");
                tokenRequest.setScope(Collections.<String> emptySet());
            }
        }

        if (isRefreshTokenRequest(parameters)) {
            // A refresh token has its own default scopes, so we should ignore any added by the factory here.
            tokenRequest.setScope(OAuth2Utils.parseParameterList(parameters.get(OAuth2Utils.SCOPE)));
        }

But I want to separate this endpoint into two, like 'oauth/access_token' for getting an access token, and 'oauth/refresh_token' for refreshing the access token. How can I do it?

I have tried to write my custom endpoint class and register a bean to override the default TokenEndpoint, but it doesn't seem to work well.

1 Answer

-1
votes

You can make two REST controller methods for the access token and the refresh token, and use a rest template to make the standard call to the oauth/token endpoint inside the relevant controller method.

    @RestController
    public class TokenController {

        @RequestMapping("oauth/access_token")
        public TokenResponse getAccessToken() {
            // use rest template or httpclient to call oauth/token and return the converted TokenResponse
        }

        @RequestMapping("oauth/refresh_token")
        public TokenResponse getRefreshToken() {
            // use rest template or httpclient to call oauth/token and return the converted TokenResponse
        }
    }
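
The wrapper approach from the answer above, filled in as an added example (not the answerer's code and not part of Spring Security OAuth2). It assumes clients authenticate with an HTTP Basic `Authorization` header and that the real token endpoint is at the `TOKEN_URL` shown; the class name, `TOKEN_URL` and the `Map` response type are illustrative choices.

```java
import java.util.Map;
import org.springframework.http.CacheControl;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestHeader;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.client.RestTemplate;

@RestController
public class SplitTokenController {
    // Assumption: address of the standard endpoint in this deployment.
    private static final String TOKEN_URL = "http://localhost:8080/oauth/token";
    private final RestTemplate rest = new RestTemplate();

    @PostMapping("/oauth/access_token")   // POST only, like the standard endpoint
    public ResponseEntity<Map<?, ?>> accessToken(@RequestHeader(HttpHeaders.AUTHORIZATION) String clientAuth,
                                                 @RequestParam MultiValueMap<String, String> form) {
        return forward(clientAuth, form, "authorization_code");
    }

    @PostMapping("/oauth/refresh_token")
    public ResponseEntity<Map<?, ?>> refreshToken(@RequestHeader(HttpHeaders.AUTHORIZATION) String clientAuth,
                                                  @RequestParam MultiValueMap<String, String> form) {
        return forward(clientAuth, form, "refresh_token");
    }

    private ResponseEntity<Map<?, ?>> forward(String clientAuth, MultiValueMap<String, String> form, String grantType) {
        MultiValueMap<String, String> body = new LinkedMultiValueMap<>(form);
        // Pin the grant type per path: whatever grant_type the caller sent is overwritten.
        body.set("grant_type", grantType);
        HttpHeaders headers = new HttpHeaders();
        headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
        // Pass the client's own credentials through; the wrapper stores no client secret.
        headers.set(HttpHeaders.AUTHORIZATION, clientAuth);
        // A 4xx/5xx from /oauth/token raises an exception here with RestTemplate's default error handler.
        Map<?, ?> token = rest.postForObject(TOKEN_URL, new HttpEntity<>(body, headers), Map.class);
        // Token responses must not be cached by browsers or intermediaries.
        return ResponseEntity.ok().cacheControl(CacheControl.noStore()).body(token);
    }
}
```

The original `/oauth/token` endpoint stays reachable with both grant types unless access to it is restricted separately, so the split is only enforced for callers that go through the two wrapper paths.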