How to revoke auth token in spring security?

Question

In logout controller I tryed to write a lot of combination of code. Now I have this:

final Authentication auth = SecurityContextHolder.getContext().getAuthentication();

if (auth != null) {
    new SecurityContextLogoutHandler().logout(request, response, auth);
}

SecurityContextHolder.getContext().setAuthentication(null);
auth.setAuthenticated(false);

But after provided code execution token still valid.

What do I wrong? How to revoke token eventually?

score 9 · Accepted Answer · edited Apr 03 '17 at 08:40

9

The class you're looking for is DefaultServices, method revokeToken(String tokenValue).

Here an exemple of a controller that revokes token, and here the oauth2 configuration with the DefaultServices bean.

edited Apr 03 '17 at 08:40

Andrew Tobilko

48,120
14
91
142

answered May 14 '14 at 22:45

raonirenosto

1,507
5
19
30

4

@raonirenosto, I've run into problems with autowiring a class with Spring been proxy using your example. I had to change DefaultTokenServices to ConsumerTokenServices (which is an interface) for it to work. But thanks for suggesting using DefaultTokenServices.revokeToken(). – vutbao Jul 09 '15 at 12:03
Since I last saw, Spring Oauth has changed many classes. I guess the framework is more stable now than the time I wrote this example. – raonirenosto Jul 09 '15 at 13:20
10

Both links do not exist anymore :( – Ondřej Stašek Oct 01 '19 at 07:57

score 9 · Answer 2 · answered Mar 21 '17 at 17:00

9

If you need to revoke a token for another user than the current one (E.g. an admin wants to disable a user account), you can use this:

Collection<OAuth2AccessToken> tokens = tokenStore.findTokensByClientIdAndUserName(
                                                           "my_oauth_client_id", 
                                                           user.getUsername());
for (OAuth2AccessToken token : tokens) {
  consumerTokenServices.revokeToken(token.getValue());
}

With tokenStore being an org.springframework.security.oauth2.provider.token.TokenStore and consumerTokenServices being a org.springframework.security.oauth2.provider.token.ConsumerTokenServices

answered Mar 21 '17 at 17:00

Wim Deblauwe

25,113
20
133
211

when doing this its showing "Cannot make a static reference to the non-static method revokeToken(String) from the type ConsumerTokenServices". – Mohammedshafeek C S Mar 11 '18 at 10:15
Mohammed Shafeek, you must be calling the method revokeToken using the classname instead of using the name of the object instantiated from the class ConsumerTokenServices – Abu Sulaiman May 09 '18 at 19:37

score 0 · Answer 3 · answered Jan 13 '18 at 12:46

the thread is a bit old but for JWTToken users this is not working as the tokens are not stored. So another option is to use a filter. 1 create a method for admin to lock/unlock a user on your database. 2 use a filter and if the method needs authentication check if the user is active or not

exemple :

@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
    if(authentication != null
            &&  authentication.getName() != null
            && !authentication.getName().equalsIgnoreCase("anonymousUser")) {
        UserModel user = userService.getUser(authentication.getName());
        if(user != null && !user.isActivated())
            throw new SecurityException("SECURITY_USER_DISABLED");
    }
    chain.doFilter(request, response);
}

On client side just intercept this error and disconnect user hope this helps someone.

score 0 · Answer 4 · edited Sep 01 '19 at 11:35

Simple example of token revocation for current authorized user using DefaultTokenServices:

Need Bean for Default token store

@Bean 
public DefaultTokenServices tokenServices() {
     DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
     defaultTokenServices.setTokenStore(tokenStore());
     defaultTokenServices.setSupportRefreshToken(true);
     return defaultTokenServices;
}

Then you can write your own controller

@RestController
@RequestMapping("/user")
public class UserApi {

@Autowired
private DefaultTokenServices tokenServices;

@Autowired
private TokenStore tokenStore;

@DeleteMapping("/logout")
@ResponseStatus(HttpStatus.NO_CONTENT)
public void revokeToken() {
    final OAuth2Authentication auth = (OAuth2Authentication) SecurityContextHolder
            .getContext().getAuthentication();
    final String token = tokenStore.getAccessToken(auth).getValue();
    tokenServices.revokeToken(token);
}
}

Caused by: org.springframework.beans.factory.NoSuchBeanDefinitionException: No qualifying bean of type 'org.springframework.security.oauth2.provider.token.TokenStore' available: expected at least 1 bean which qualifies as autowire candidate. Dependency annotations: {} — Ondřej Stašek, Oct 01 '19 at 08:37

score -2 · Answer 5 · edited Nov 24 '16 at 13:36

-2

Autowire the DefaultTokenServices then use this code:

String authHeader = request.getHeader("Authorization");
String tokenValue = authHeader.replace("bearer", "").trim();
tokenService.revokeToken(tokenValue);
tokenService.setAccessTokenValiditySeconds(1);
tokenService.setRefreshTokenValiditySeconds(1);

Just try the code to revoke the access token.

edited Nov 24 '16 at 13:36

Jiri Tousek

12,211
5
29
43

answered Nov 24 '16 at 12:13

Suresh.U

1

1

Someone should kindly explain why this answer was downvoted. Why is this not advisable? – Olantobi Sep 21 '17 at 16:45
4

@Olantobi Because changing the token validity time this way changes the token validity for the whole application, not just one token. – Mikk Dec 27 '17 at 17:26

How to revoke auth token in spring security?

5 Answers5

Linked