Spring security JWT refresh token not expiring

I am new to Spring and I'm working on Spring Boot REST with Spring Security, and I have currently implemented a JWT token. I have some questions but can't seem to find an answer to them. I tried adding a refresh token.
At first I thought I would store it in the database with the user, but Spring Security does everything automatically and I can't seem to find how to store it in a given field of the user table.
So, moving on, I decided to try sticking with Spring Security's automation and set the refresh token expiration time to 10 seconds to test whether it expires, but sadly it does not work as intended: I can use the refresh token for as long as I want and generate new tokens with it.
So here I have a couple of questions:
1. How do I make the refresh token expire after a given time? Here's my security config:

```java
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    private String signingKey;

    private Integer encodingStrength;

    private String securityRealm;

    private UserDetailsService userDetailsService;

    @Override
    protected AuthenticationManager authenticationManager() throws Exception {
        return super.authenticationManager();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // ...
    }

    public PasswordEncoder passwordEncoder() {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        return encoder;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // ...
    }

    public JwtAccessTokenConverter accessTokenConverter() {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        return converter;
    }

    public TokenStore tokenStore() {
        return new JwtTokenStore(accessTokenConverter());
    }

    public DefaultTokenServices tokenServices() {
        DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
        return defaultTokenServices;
    }
}
```


2. Is it possible to pass the refresh token to the database and manually check whether the token is valid? That was my first idea.

I did find an answer, I just forgot to update my ticket. So here it goes: by default, JwtTokenStore does not support refresh tokens. Here's the JwtTokenStore source code. What this means is that enabling the token in settings won't actually make it work. What I did was create my own JWT token store that extends JwtTokenStore and write my own refresh token logic.

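```java
import org.springframework.security.oauth2.common.DefaultOAuth2RefreshToken;
import org.springframework.security.oauth2.common.OAuth2RefreshToken;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;

public class MyJwtTokenStore extends JwtTokenStore {

    UserRepository userRepository;

    public MyJwtTokenStore(JwtAccessTokenConverter jwtTokenEnhancer) {
        // JwtTokenStore has no no-argument constructor, so the converter is passed up.
        super(jwtTokenEnhancer);
    }

    @Override
    public void storeRefreshToken(OAuth2RefreshToken refreshToken, OAuth2Authentication authentication) {
        String username = authentication.getUserAuthentication().getName();
        User user = userRepository.findByEmail(username);
        // ...
    }

    @Override
    public OAuth2RefreshToken readRefreshToken(String token) {
        OAuth2Authentication authentication = super.readAuthentication(token);
        String username = authentication.getUserAuthentication().getName();
        User user = userRepository.findByEmail(username);
        // Reject a refresh token that does not match the one stored for this user.
        if (!token.equals(user.getToken())) {
            return null;
        }
        OAuth2RefreshToken refreshToken = new DefaultOAuth2RefreshToken(token);
        return refreshToken;
    }

    @Override
    public void removeRefreshToken(OAuth2RefreshToken token) {
        OAuth2Authentication authentication = super.readAuthentication(token.getValue());
        String username = authentication.getUserAuthentication().getName();
        User user = userRepository.findByEmail(username);
        // ...
    }
}
```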


After this, I just updated my TokenStore Bean:

```java
@Bean
public TokenStore tokenStore() {
    MyJwtTokenStore jwtTokenStore = new MyJwtTokenStore(accessTokenConverter());
    return jwtTokenStore;
    // return new JwtTokenStore(accessTokenConverter());
}
```

And at the end I added the remaining settings to my AuthorizationServerConfigurerAdapter class to support the refresh token and give it a validity time.

```java
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    private String clientId;

    private String clientSecret;

    private String grantType;

    private String grantTypeRefresh;

    private String scopeRead;

    private String scopeWrite = "write";

    private String resourceIds;

    private TokenStore tokenStore;

    private JwtAccessTokenConverter accessTokenConverter;

    private AuthenticationManager authenticationManager;

    private AppUserDetailsService userDetailsService;

    private PasswordEncoder passwordEncoder;

    @Override
    public void configure(ClientDetailsServiceConfigurer configurer) throws Exception {
        // ...
                .authorizedGrantTypes(grantType, grantTypeRefresh).scopes(scopeRead, scopeWrite)
                .resourceIds(resourceIds).autoApprove(false).accessTokenValiditySeconds(1800) // 30min
                .refreshTokenValiditySeconds(86400); //24 hours
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        TokenEnhancerChain enhancerChain = new TokenEnhancerChain();
        // ...
    }

    public FilterRegistrationBean corsFilter() {
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        CorsConfiguration config = new CorsConfiguration();
        config.addAllowedOrigin("*"); // http://localhost:4200
        source.registerCorsConfiguration("/**", config);
        FilterRegistrationBean bean = new FilterRegistrationBean(new CorsFilter(source));
        return bean;
    }
}
```
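
The stored-token check the answer describes, with an expiry check and single-use rotation added, as a JDK-only example written for this page (not the poster's code and not Spring Security's API). `RefreshTokenRegistry`, its methods and the in-memory map standing in for the user table are hypothetical; it assumes Java 16 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.*;

// Hypothetical class, not a Spring type. The map stands in for the token
// column of the user table; one refresh token is active per user.
public class RefreshTokenRegistry {
    private record Entry(String token, Instant expiresAt) {}
    private final Map<String, Entry> byUser = new HashMap<>();
    private final SecureRandom random = new SecureRandom();
    private final Duration validity;
    public RefreshTokenRegistry(Duration validity) { this.validity = validity; }

    // Issue a fresh token, replacing whatever was stored for the user.
    public synchronized String issue(String user, Instant now) {
        byte[] raw = new byte[32];
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        byUser.put(user, new Entry(token, now.plus(validity)));
        return token;
    }

    // Accept the presented token only if it equals the stored one and is still
    // within its validity; on success rotate it so each value is single-use.
    public synchronized Optional<String> refresh(String user, String presented, Instant now) {
        Entry stored = byUser.get(user);
        if (stored == null || presented == null) return Optional.empty();
        boolean same = MessageDigest.isEqual(             // constant-time comparison
                stored.token().getBytes(StandardCharsets.UTF_8),
                presented.getBytes(StandardCharsets.UTF_8));
        if (!same) return Optional.empty();
        if (!now.isBefore(stored.expiresAt())) {
            byUser.remove(user);                          // expired: forget it
            return Optional.empty();
        }
        return Optional.of(issue(user, now));
    }

    public static void main(String[] args) {
        RefreshTokenRegistry reg = new RefreshTokenRegistry(Duration.ofSeconds(10));
        Instant t0 = Instant.parse("2024-01-01T00:00:00Z"); // constructed sample time
        String u = "user@example.com";                      // constructed sample user
        String first = reg.issue(u, t0);
        String second = reg.refresh(u, first, t0.plusSeconds(5)).orElseThrow();
        System.out.println(reg.refresh(u, first, t0.plusSeconds(6)).isPresent());   // replay of the rotated-out token
        System.out.println(reg.refresh(u, second, t0.plusSeconds(30)).isPresent()); // presented after its validity
    }
}
```

The time is passed in as a parameter so the 10-second validity from the question can be exercised without waiting.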


