mgalala

Reputation: 106

Define multiple TokenStore(s) in Spring Security OAuth

I have a Spring Security AuthorizationServerConfigurerAdapter configuration which is supporting password and refresh_token grant types.

clients
        .inMemory()
        .authorizedGrantTypes("password", "refresh_token")
        ...;

The TokenStore I am using is JwtTokenStore, thus the refresh_token and access_token are generated as JWT, as I am using the DefaultTokenServices.

The question is how can I have the refresh_token generated and managed by JdbcTokenStore while the access_token still gets generated and managed by JwtTokenStore?

I have thought about extending DefaultTokenServices or implementing AuthorizationServerTokenServices, but I'm not sure if there is not any other way offered by the default spring-security config.

Thanks!

Upvotes: 3

Views: 2155

Answers (1)

pufface

Reputation: 273

One way to achieve stored tokens (both access token and refresh token) and have JWT-encoded tokens at the same time is to provide the token store with a tokenEnhancer of type JwtAccessTokenConverter.

@Bean
protected TokenStore tokenStore() {
    return new InMemoryTokenStore();
}

@Bean
protected JwtAccessTokenConverter jwtTokenEnhancer() {
    JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
    converter.setSigningKey(privateKey);
    converter.setVerifierKey(publicKey);
    return converter;
}

@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
    clients.inMemory().withClient("client_trusted")//...
    ;
}

@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
    endpoints.tokenStore(tokenStore())
        .tokenEnhancer(jwtTokenEnhancer()) // <- tokens are encoded in JWT
        .authenticationManager(authenticationManager)
        .userDetailsService(userDetailsService);
}

With this approach you can easily revoke (or remove) the refresh_token, so the authorization server will not provide a new access token in the next refresh token request. And the information in the JWT stays self-contained, so the resource server can work without interaction with the authorization server.

@Autowired
protected TokenStore tokenStore;

@RequestMapping(method = RequestMethod.POST, value = "/revoke")
public void revokeToken(@RequestParam String token) {
    // removeRefreshToken(String) is an InMemoryTokenStore overload (the TokenStore
    // interface only takes an OAuth2RefreshToken), hence the cast
    ((InMemoryTokenStore) tokenStore).removeRefreshToken(token);
}

Here is a complete example of an authorization and resource server with a JS client: https://github.com/pufface/spring-oauth-jwt-demo

Upvotes: 3
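The revocation behaviour the answer relies on can be checked outside a running server, because DefaultTokenServices stores the JWT-encoded refresh token back into the TokenStore and looks it up again on every refresh_token grant. The following is an added example, not code from the question, the answer or the linked demo project; it assumes spring-security-oauth2 2.x on the classpath, and the client id, user name, scope and HMAC secret are constructed values (the answer's configuration uses an RSA key pair instead).

```java
// Added example: shows that with InMemoryTokenStore + JwtAccessTokenConverter the
// refresh token is still tracked server-side, so removing it from the store makes
// the refresh_token grant fail even though the token itself is a valid JWT.
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.exceptions.InvalidGrantException;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.TokenRequest;
import org.springframework.security.oauth2.provider.client.BaseClientDetails;
import org.springframework.security.oauth2.provider.client.InMemoryClientDetailsService;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;

public class RefreshRevocationDemo {

    // Constructed client id; the answer's config registers "client_trusted" as well.
    static final String CLIENT_ID = "client_trusted";

    public static void main(String[] args) throws Exception {
        InMemoryTokenStore tokenStore = new InMemoryTokenStore();

        // Symmetric (HMAC) signing key for brevity (constructed secret, assumption:
        // the real server uses the RSA pair from the answer).
        JwtAccessTokenConverter jwt = new JwtAccessTokenConverter();
        jwt.setSigningKey("demo-hmac-secret-not-for-production");
        jwt.afterPropertiesSet();

        // A client allowed the password and refresh_token grants, as in the question.
        BaseClientDetails client = new BaseClientDetails(
                CLIENT_ID, "", "read", "password,refresh_token", "ROLE_CLIENT");
        Map<String, ClientDetails> clientMap = new HashMap<>();
        clientMap.put(CLIENT_ID, client);
        InMemoryClientDetailsService clients = new InMemoryClientDetailsService();
        clients.setClientDetailsStore(clientMap);

        // Same wiring as the answer's endpoints configuration: store + JWT enhancer.
        DefaultTokenServices services = new DefaultTokenServices();
        services.setTokenStore(tokenStore);
        services.setTokenEnhancer(jwt);
        services.setSupportRefreshToken(true);
        services.setClientDetailsService(clients);
        services.afterPropertiesSet();

        // 1. Issue tokens for an already-authenticated user.
        OAuth2AccessToken issued = services.createAccessToken(authenticationFor("alice"));
        String refreshValue = issued.getRefreshToken().getValue();
        System.out.println("refresh token is a JWT:        " + refreshValue.startsWith("eyJ"));
        System.out.println("refresh token is in the store: " + (tokenStore.readRefreshToken(refreshValue) != null));

        // 2. The refresh_token grant works while the token is in the store.
        System.out.println("refresh before revocation ok:  " + refreshSucceeds(services, refreshValue));

        // 3. Revoke it the way the answer's /revoke endpoint does.
        tokenStore.removeRefreshToken(refreshValue);

        // 4. The same, still cryptographically valid, JWT is now rejected.
        System.out.println("refresh after revocation ok:   " + refreshSucceeds(services, refreshValue));
    }

    // Builds the OAuth2Authentication a password grant would have produced
    // (constructed user and authorities).
    static OAuth2Authentication authenticationFor(String username) {
        OAuth2Request request = new OAuth2Request(Collections.<String, String>emptyMap(), CLIENT_ID,
                AuthorityUtils.createAuthorityList("ROLE_CLIENT"), true,
                Collections.singleton("read"), Collections.<String>emptySet(), null, null, null);
        UsernamePasswordAuthenticationToken user = new UsernamePasswordAuthenticationToken(
                username, "n/a", AuthorityUtils.createAuthorityList("ROLE_USER"));
        return new OAuth2Authentication(request, user);
    }

    // Attempts the refresh_token grant; false when the server rejects the token.
    static boolean refreshSucceeds(DefaultTokenServices services, String refreshValue) {
        TokenRequest request = new TokenRequest(Collections.<String, String>emptyMap(),
                CLIENT_ID, Collections.singleton("read"), "refresh_token");
        try {
            return services.refreshAccessToken(refreshValue, request) != null;
        } catch (InvalidGrantException e) {
            return false;
        }
    }
}
```

The point worth noting for the original question: nothing in DefaultTokenServices verifies the refresh token's signature before the store lookup, so the store is the revocation authority; swapping InMemoryTokenStore for JdbcTokenStore in this wiring gives the same behaviour with persistence, while the access tokens stay self-contained JWTs for the resource server.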
