使用grant_type=authorization_code 方式来获取access_token, 需要先获取code
请求URI: /oauth2/token
POST
参数名 | 参数值 | 必须? | 备注 |
---|---|---|---|
client_id | {client_id} | 是 | |
client_secret | {client_secret} | 是 | |
grant_type | authorization_code | 是 | 固定值 |
code | {code} | 是 | |
redirect_uri | {redirect_uri} | 是 | |
code_verifier | {code_verifier} | 否 | PKCE时必须 |
curl --location 'http://localhost:8080/oauth2/token' \ --header 'Content-Type: application/json' \ --form 'client_id="client11"' \ --form 'grant_type="authorization_code"' \ --form 'redirect_uri="http://localhost:8083/oauth2/callback"' \ --form 'code="-VEnyAcEflDxjMh4Hr-6YejZq4Mel5gihFy_FMyotDxLhILeMBQheJkL4mdJ0sKD_C8xpa_sMNGf_I2tYJIVki8a4ktT2QsHojhbV3HpbGLVhJ0qDc8kfXjWt7u_24QO"' \ --form 'client_secret="secret22"'
{ "access_token": "7154afT_cxvLDq1naSg6Aq9ueSFSW8xRr5txryW5MlddRe7nV0RogTYwPsJc_rrRqwaIvLleerLhkjtIN2E2U-4J_BzvYNCsv8BVLqeerCObwgwpP3t__NMMUakzRL2i", "refresh_token": "TZ9tzVwE_VLoJxALUSw4A4A0Nj7SLSWXCc69U9rvNmSnqR8Hbz-1m4uHebJWsAK0sa7SDIR4SNXOB3iaM0p1bH_8EBrljoBApQgdYi1uYzcVwYq55OVV2RUHN2BJwfSr", "scope": "openid profile", "id_token": "eyJraWQiOiJzb3MtZWNjLWtpZDEiLCJhbGciOiJFUzI1NiJ9.eyJzdWIiOiJ1bml0eSIsImF1ZCI6IjZ1ck5MZ1I2b3NrMkU1NmVrcCIsInVwZGF0ZWRfYXQiOiIiLCJhenAiOiI2dXJOTGdSNm9zazJFNTZla3AiLCJhdXRoX3RpbWUiOjE2OTc3MDczNTQsImlzcyI6Imh0dHA6Ly8xMjcuMC4wLjE6ODA4MCIsIm5pY2tuYW1lIjoiIiwiZXhwIjoxNjk3NzA5MjA4LCJpYXQiOjE2OTc3MDc0MDgsImp0aSI6IjEyNTc0MjU2NTk4MDI2ODY2NzI3NDAwMTMxNjk5NDk0Iiwic2lkIjoidXdwN255RnJwdlNtWmlQS2hCdWVSVFZfcVRKYkN6ZjAyTmYwQTZGN1lrSSJ9.3w-7EY9SwKA-UkXlhDfD2BbSwP6nCSLZxNgKwhkkMY8YPbMkygbj374SmEmsit7NlpRXHCtW6ULZ9_IVZ9MTBg", "token_type": "Bearer", "expires_in": 3599 }
{ "error": "invalid_grant" }
使用grant_type=client_credentials 方式来获取access_token, 不需要username, password
请求URI: /oauth2/token
POST
参数名 | 参数值 | 必须? | 备注 |
---|---|---|---|
client_id | {client_id} | 是 | |
client_secret | {client_secret} | 是 | |
grant_type | client_credentials | 是 | 固定值 |
scope | {scope} | 是 | 如: openid |
curl --location 'http://localhost:8080/oauth2/token' \ --header 'Content-Type: application/json' \ --form 'client_id="6urNLgR6osk2E56ekp"' \ --form 'client_secret="6urNLgR6osk2E56ekp"' \ --form 'grant_type="client_credentials"' \ --form 'scope="openid profile"'
{ "access_token": "p2i1WHiiFBCgTJFTs63OvO9-bclB9DbsgsebDo_ntMw_BAleu2RzIQzzFfaaJAR5oiL3xwN3xMyNTRZSrXM_1ANycleysPU5l3xuZ0aQX4V-Va178qg6e-PvLqLBsD_i", "scope": "openid profile", "token_type": "Bearer", "expires_in": 3599 }
{ "error": "invalid_client" }
Restful API 获取access_token, 适用于grant_type为authorization_code,password,refresh_token,client_credentials
请求URI: /oauth/rest_token
POST REST
Content-Type: application/json
参数名 | 参数值 | 必须? | 备注 |
---|---|---|---|
grant_type | {grant_type} | 是 | authorization_code,password,refresh_token,client_credentials |
scope | {scope} | 是 | read or write |
client_id | {client_id} | 是 | |
client_secret | {client_secret} | 是 | |
username | {username} | 否 | grant_type=password时必须有 |
password | {password} | 否 | grant_type=password时必须有 |
{"client_id":"test1234","client_secret":"test1234","grant_type":"password","scope":"read","username":"mobile","password":"mobile"}
{"client_id":"test1234","client_secret":"test1234","grant_type":"password","scope":"read"}
正常 [200]
{"access_token":"e2996930-8398-44fd-8de5-7d1b1624ced7","token_type":"bearer","refresh_token":"2b2de701-53e7-4b57-8301-e4a06ee49698","expires_in":43008,"scope":"read"}
异常 [401]
{"error":"invalid_grant","error_description":"Bad credentials"}
校验, 检查access_token的有效性
请求URI: /oauth/check_token
POST
参数名 | 参数值 | 必须? | 备注 |
---|---|---|---|
token | {access_token} | 是 | |
client_id | {client_id} | 是 |
http://localhost:8080/spring-oauth-server/oauth/check_token?token=e2996930-8398-44fd-8de5-7d1b1624ced7&client_id=mobile-client
正常 [200]
{"aud":["mobile-resource"],"exp":1505878459,"user_name":"mobile","authorities":["ROLE_MOBILE","ROLE_USER"],"client_id":"mobile-client","scope":["read","write"]}
异常 [401]
{"error":"invalid_token","error_description":"Token was not recognised"}
用于在access_token要过期时换取新的access_token (grant_type需要有refresh_token)
请求URI: /oauth/token
POST
参数名 | 参数值 | 必须? | 备注 |
---|---|---|---|
client_id | {client_id} | 是 | |
client_secret | {client_secret} | 是 | |
grant_type | refresh_token | 是 | 固定值 |
refresh_token | {refresh_token} | 是 |
http://localhost:8080/spring-oauth-server/oauth/token?client_id=test1234&client_secret=test1234&grant_type=refresh_token&refresh_token=1156ebfe-e303-4572-9fb5-4459a5d46610
正常 [200]
{"access_token":"b12cace6-7ce4-4fa8-b127-cf537d15b213","token_type":"bearer","refresh_token":"2b2de701-53e7-4b57-8301-e4a06ee49698","expires_in":43199,"scope":"read"}
异常 [401]
{"error":"invalid_grant","error_description":"Invalid refresh token:
1156ebfe-e303-4572-9fb5-4459a5d46610"}
使用access_token获取用户信息, 需要有 ROLE_UNITY 权限
请求URI: /unity/user_info
GET
参数名 | 参数值 | 必须? | 备注 |
---|---|---|---|
无 |
http://localhost:8080/spring-oauth-server/unity/user_info?access_token=b12cace6-7ce4-4fa8-b127-cf537d15b213
正常 [200]
{"guid":"55b713df1c6f423e842ad68668523c49","archived":false,"username":"unity","phone":"","email":"unity@wdcy.cc","privileges":["UNITY"]}
异常 [401]
<oauth><error_description>Invalid access token:
2c612eb7-a22b-45f0-8b2e-cd6f9e3667722</error_description><error>invalid_token</error></oauth>
使用access_token获取用户信息, 需要有 ROLE_MOBILE 权限
请求URI: /m/user_info
GET
参数名 | 参数值 | 必须? | 备注 |
---|---|---|---|
无 |
http://localhost:8080/spring-oauth-server/m/user_info?access_token=b12cace6-7ce4-4fa8-b127-cf537d15b213
正常 [200]
{"guid":"612025cb3f964a64a48bbdf77e53c2c1","archived":false,"username":"mobile","phone":"","email":"mobile@wdcy.cc","privileges":["MOBILE"]}
异常 [401]
<oauth><error_description>Invalid access token:
2c612eb7-a22b-45f0-8b2e-cd6f9e3667722</error_description><error>invalid_token</error></oauth>
© 2013 - 2023 spring-oauth-server