Revoke JWT Oauth2 Refresh Token

后端未结

关注

 1  888

萌比男神i 2021-02-04 07:21

I am trying to find a way to revoke Oauth2 JWT Refresh Token with vanilla Spring implementation and JwtTokenStore.

First: can somebody confirm that there is no API simil

1条回答

囚心锁ツ (楼主)

2021-02-04 08:12

First: can somebody confirm that there is no API similar to /oauth/token that allows me to revoke a refresh token?

Confirmed.

You don't need to define JwtTokenStore bean, spring will create it for you using AuthorizationServerEndpointsConfigurer

private TokenStore tokenStore() {
    if (tokenStore == null) {
        if (accessTokenConverter() instanceof JwtAccessTokenConverter) {
            this.tokenStore = new JwtTokenStore((JwtAccessTokenConverter) accessTokenConverter());
        }
        else {
            this.tokenStore = new InMemoryTokenStore();
        }
    }
    return this.tokenStore;
}

private ApprovalStore approvalStore() {
    if (approvalStore == null && tokenStore() != null && !isApprovalStoreDisabled()) {
        TokenApprovalStore tokenApprovalStore = new TokenApprovalStore();
        tokenApprovalStore.setTokenStore(tokenStore());
        this.approvalStore = tokenApprovalStore;
    }
    return this.approvalStore;
}

My second question is thus what is the proper way to revoke a refresh token?

revoke the approval for the token, this was used by JwtTokenStore

private void remove(String token) {
    if (approvalStore != null) {
        OAuth2Authentication auth = readAuthentication(token);
        String clientId = auth.getOAuth2Request().getClientId();
        Authentication user = auth.getUserAuthentication();
        if (user != null) {
            Collection approvals = new ArrayList();
            for (String scope : auth.getOAuth2Request().getScope()) {
                approvals.add(new Approval(user.getName(), clientId, scope, new Date(), ApprovalStatus.APPROVED));
            }
            approvalStore.revokeApprovals(approvals);
        }
    }
}

0 讨论(0)