Revoke JWT OAuth2 Refresh Token

I am trying to find a way to revoke an OAuth2 JWT refresh token with a vanilla Spring implementation and JwtTokenStore.

First: can anyone confirm that there is no API like /oauth/token that allows me to invalidate the refresh token?

I wanted to add a custom API that removes the refresh token along the following lines:

    OAuth2RefreshToken oauth2RefreshToken = tokenStore.readRefreshToken(refreshToken);
    tokenStore.removeRefreshToken(oauth2RefreshToken);

Now, looking at JwtTokenStore, I noticed that it uses an ApprovalStore. So I went ahead and provided an InMemoryApprovalStore to my JwtTokenStore. My JwtTokenStore configuration is as follows:

    // field the bean method assigns to (the original fragment uses it without declaring it)
    private JwtTokenStore tokenStore;

    @Bean
    protected JwtAccessTokenConverter jwtTokenEnhancer() {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        converter.setSigningKey("123456");
        return converter;
    }

    @Bean
    public JwtTokenStore getTokenStore() {
        tokenStore = new JwtTokenStore(jwtTokenEnhancer());
        tokenStore.setApprovalStore(new InMemoryApprovalStore());
        tokenStore.setTokenEnhancer(jwtTokenEnhancer());
        return tokenStore;
    }

Results: without the InMemoryApprovalStore, I can authenticate users and refresh tokens without problems. However, as soon as I add the InMemoryApprovalStore to the token store, I start receiving the following error message:

 {"error":"invalid_grant","error_description":"Invalid refresh token: eyJhbGciOiJIUzI1NiJ9.eyJleHAiOjE0NDUwMjQ2MTcsInVzZXJfbmFtZSI6IjYzZjIyYjZlLWU5MGUtNDFjYS1iYzJlLTBmZTgzNmY3MTQ2NyIsImF1dGhvcml0aWVzIjpbIlJPTEVfQURNSU4iLCJST0xFX1VTRVIiXSwianRpIjoiMjgwMDgwNWQtMjk1Zi00ZDQzLWI2NTYtMDNlZWYwMWFkMjg0IiwiY2xpZW50X2lkIjoid2ViLWNsaWVudCIsInNjb3BlIjpbInJlYWQiLCJ3cml0ZSIsInRydXN0Il19.BPC0HqLYjWGM0IFjvsUGGKQ9dyIXSXwMhraCVFIxD0U"} 

My second question, therefore, is: what is the correct way to revoke a refresh token?

Edit: I found the following thread, which suggests that ApprovalStore is indeed the way to revoke JWT tokens. Now I just need to figure out how to use it correctly.

spring-boot spring-security spring-security-oauth2
1 answer

First: can anyone confirm that there is no API like /oauth/token that allows me to invalidate the refresh token?

Confirmed.

You don't need to define a JwtTokenStore bean; Spring will create it for you in AuthorizationServerEndpointsConfigurer:

    private TokenStore tokenStore() {
        if (tokenStore == null) {
            if (accessTokenConverter() instanceof JwtAccessTokenConverter) {
                this.tokenStore = new JwtTokenStore((JwtAccessTokenConverter) accessTokenConverter());
            } else {
                this.tokenStore = new InMemoryTokenStore();
            }
        }
        return this.tokenStore;
    }

    private ApprovalStore approvalStore() {
        if (approvalStore == null && tokenStore() != null && !isApprovalStoreDisabled()) {
            TokenApprovalStore tokenApprovalStore = new TokenApprovalStore();
            tokenApprovalStore.setTokenStore(tokenStore());
            this.approvalStore = tokenApprovalStore;
        }
        return this.approvalStore;
    }

My second question, therefore, is: what is the correct way to revoke a refresh token?

Revoking the approvals for the token is what JwtTokenStore does; this is the method it uses:

    private void remove(String token) {
        if (approvalStore != null) {
            OAuth2Authentication auth = readAuthentication(token);
            String clientId = auth.getOAuth2Request().getClientId();
            Authentication user = auth.getUserAuthentication();
            if (user != null) {
                Collection<Approval> approvals = new ArrayList<Approval>();
                for (String scope : auth.getOAuth2Request().getScope()) {
                    approvals.add(new Approval(user.getName(), clientId, scope, new Date(), ApprovalStatus.APPROVED));
                }
                approvalStore.revokeApprovals(approvals);
            }
        }
    }
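The following standalone Java program is an added example; it is not code from the question, from the answer, or from the spring-security-oauth2 project itself. It wires a JwtTokenStore to an InMemoryApprovalStore exactly as the question does, issues a JWT refresh token for a constructed user ("alice") of the question's "web-client" with the question's "123456" signing key, and walks through the three states a refresh token can be in: readRefreshToken() returns null while no APPROVED approvals exist for every granted scope (which is what surfaces as the invalid_grant error in the question), returns the token once approvals are recorded, and returns null again after removeRefreshToken() has revoked those approvals. The class name, user name and expiry values are assumptions made for the demo.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.Set;
import java.util.UUID;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.oauth2.common.DefaultExpiringOAuth2RefreshToken;
import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2RefreshToken;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.approval.Approval;
import org.springframework.security.oauth2.provider.approval.Approval.ApprovalStatus;
import org.springframework.security.oauth2.provider.approval.InMemoryApprovalStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;

// Hypothetical demo class (assumption), not part of the question or of Spring.
public class RefreshTokenRevocationDemo {

    // Constructed sample identity. "web-client" and "123456" come from the question;
    // a real deployment needs a strong, secret signing key.
    static final String CLIENT_ID = "web-client";
    static final String USER = "alice";
    static final String SIGNING_KEY = "123456";
    static final Set<String> SCOPES = new HashSet<>(Arrays.asList("read", "write"));

    public static void main(String[] args) throws Exception {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        converter.setSigningKey(SIGNING_KEY);
        converter.afterPropertiesSet();

        // Same wiring as the question: a JwtTokenStore backed by an InMemoryApprovalStore.
        InMemoryApprovalStore approvalStore = new InMemoryApprovalStore();
        JwtTokenStore tokenStore = new JwtTokenStore(converter);
        tokenStore.setApprovalStore(approvalStore);

        OAuth2Authentication auth = authentication();
        String refreshJwt = issueRefreshToken(converter, auth);

        // 1. Nothing recorded in the approval store: JwtTokenStore.readRefreshToken() cannot
        //    find an APPROVED approval for each scope and returns null. At /oauth/token the
        //    refresh grant then fails with "invalid_grant ... Invalid refresh token".
        System.out.println("before approvals: " + tokenStore.readRefreshToken(refreshJwt));

        // 2. Record one APPROVED approval per granted scope, as an approval handler would at grant time.
        approvalStore.addApprovals(approvalsFor(auth));
        OAuth2RefreshToken refreshToken = tokenStore.readRefreshToken(refreshJwt);
        System.out.println("after approvals:  " + (refreshToken != null));

        // 3. Revoke: removeRefreshToken() -> remove() (the answer's method) -> approvalStore.revokeApprovals().
        //    The JWT itself is unchanged and still validly signed; only the approvals are gone.
        tokenStore.removeRefreshToken(refreshToken);
        System.out.println("after revoke:     " + tokenStore.readRefreshToken(refreshJwt));
    }

    // A user-bound authentication for USER at CLIENT_ID with the granted SCOPES.
    static OAuth2Authentication authentication() {
        OAuth2Request request = new OAuth2Request(Collections.<String, String>emptyMap(), CLIENT_ID,
                null, true, SCOPES, null, null, null, null);
        Authentication user = new UsernamePasswordAuthenticationToken(USER, "N/A",
                AuthorityUtils.createAuthorityList("ROLE_USER"));
        return new OAuth2Authentication(request, user);
    }

    // Encodes an access token plus an expiring refresh token as signed JWTs and returns the refresh JWT.
    static String issueRefreshToken(JwtAccessTokenConverter converter, OAuth2Authentication auth) {
        long now = System.currentTimeMillis();
        DefaultOAuth2AccessToken token = new DefaultOAuth2AccessToken(UUID.randomUUID().toString());
        token.setScope(SCOPES);
        token.setExpiration(new Date(now + 5 * 60 * 1000L));
        token.setRefreshToken(new DefaultExpiringOAuth2RefreshToken(UUID.randomUUID().toString(),
                new Date(now + 24 * 60 * 60 * 1000L)));
        OAuth2AccessToken jwt = converter.enhance(token, auth);
        return jwt.getRefreshToken().getValue();
    }

    // One APPROVED approval per scope. Approval.isApproved() also requires a future expiry,
    // so an expired approval would count as "not approved" and block the refresh.
    static Collection<Approval> approvalsFor(OAuth2Authentication auth) {
        Date expiresAt = new Date(System.currentTimeMillis() + 24 * 60 * 60 * 1000L);
        String user = auth.getUserAuthentication().getName();
        String clientId = auth.getOAuth2Request().getClientId();
        Collection<Approval> approvals = new ArrayList<>();
        for (String scope : auth.getOAuth2Request().getScope()) {
            approvals.add(new Approval(user, clientId, scope, expiresAt, ApprovalStatus.APPROVED));
        }
        return approvals;
    }
}
```

Two things the demo makes visible. First, the default wiring shown in the answer (tokenStore() in AuthorizationServerEndpointsConfigurer) never calls setApprovalStore on the JwtTokenStore, and remove() starts with `if (approvalStore != null)`, so in that configuration readRefreshToken() performs no approval check and removeRefreshToken() has nothing to revoke; a JWT refresh token is then valid until it expires. Second, attaching an approval store only helps if approvals are also recorded when the token is granted, which is why the question's setup failed for every refresh rather than only for revoked ones.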
