mohan

Reputation: 1

Remove access_token after logout in Spring Security Oauth2

I have a problem with logout in Spring Security and OAuth2.

We are securing our REST services using Spring Security OAuth2. The token and REST API endpoints are stateless and do not need a session. I need my auth server to do only a one-time login verification. When I call the logout service in the REST client it shows a 200 response but does not remove the authorization. When I enter the username and password again the same user should be logging in, but it is not logging out. I cleared the context also.

Here is my controller:

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.Path;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;

@Path("oauth2/logout")
public class LogoutImpl implements LogoutSuccessHandler {
    private TokenStore tokenStore;

    @Autowired
    public LogoutImpl(TokenStore tokenStore) {
        this.tokenStore = tokenStore;
    }
    public void setTokenStore(TokenStore tokenStore) {
        this.tokenStore = tokenStore;
    }

    @Override
    public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response,
                                Authentication authentication) throws IOException, ServletException {
        removeaccess(request);
        SecurityContextHolder.clearContext();
        response.getOutputStream().write("\n\tYou Have Logged Out successfully.".getBytes());
    }

    // Reads the token value after the scheme in the Authorization header and removes it from the store.
    public void removeaccess(HttpServletRequest req) {
        String header = req.getHeader("Authorization");
        // A missing header, or one without a scheme prefix, would otherwise throw an exception here.
        if (header == null || header.indexOf(' ') < 0) {
            return;
        }
        String value = header.substring(header.indexOf(' ')).trim();
        OAuth2AccessToken token = tokenStore.readAccessToken(value);
        // readAccessToken returns null for an unknown token; removeAccessToken(null) would fail.
        if (token != null) {
            tokenStore.removeAccessToken(token);
            System.out.println("\n\tAccess Token Removed Successfully!!!!!!!!");
        }
    }
}
```

Upvotes: 0

Views: 2019

Answers (1)

Hanu

Reputation: 1117

I see that you are using the Authorization header and I presume the token to be a JWT. There is no concept of removing or revoking a JWT. It has to expire by itself. There are people who would point to that as a disadvantage, when the server cannot revoke a token, and say it cannot be used for enterprise applications.

When the same token is being used by the client in another API and the server analyses the token, if it is within the expiry time and untampered it will be validated to TRUE.

However, the situation would be different and the answer would be irrelevant if you aren't using JWT.

Upvotes: 1
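As an added example (not code from the question, the answer, or Spring Security OAuth2 itself): with a JWT-backed store, the `tokenStore.removeAccessToken(token)` call in the question's logout handler silently does nothing, because `JwtTokenStore.removeAccessToken` is an empty method. A store that records revoked token values until their own expiry, and refuses to read them back, makes the logout take effect on this server. The class name `RevocableJwtTokenStore` and its in-memory map are assumptions for this illustration.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;

/**
 * JwtTokenStore whose removeAccessToken actually takes effect.
 * Revoked token values are kept in a denylist only until the token's
 * own expiry; after that the signature check already rejects it.
 * (Hypothetical class written for this example.)
 */
public class RevocableJwtTokenStore extends JwtTokenStore {

    // token value -> expiry time in epoch milliseconds
    private final Map<String, Long> revoked = new ConcurrentHashMap<>();

    public RevocableJwtTokenStore(JwtAccessTokenConverter converter) {
        super(converter);
    }

    @Override
    public void removeAccessToken(OAuth2AccessToken token) {
        // The parent implementation is a no-op; record the revocation instead.
        long expiry = token.getExpiration() == null
                ? Long.MAX_VALUE
                : token.getExpiration().getTime();
        revoked.put(token.getValue(), expiry);
        prune();
    }

    @Override
    public OAuth2AccessToken readAccessToken(String tokenValue) {
        // DefaultTokenServices calls this on every request; a revoked token is rejected here.
        if (revoked.containsKey(tokenValue)) {
            throw new InvalidTokenException("Access token has been revoked");
        }
        return super.readAccessToken(tokenValue);
    }

    // Drop entries for tokens that have expired on their own, so the map stays bounded.
    private void prune() {
        long now = System.currentTimeMillis();
        revoked.entrySet().removeIf(e -> e.getValue() <= now);
    }
}
```

The map lives in one JVM, so a clustered deployment needs the revoked values in a shared store that every resource server consults.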
